Vendors A-H

New York Education Law §2-d gives parents the right to access certain information about agreements the NYC DOE has entered into with outside entities (such as vendors) who are permitted to receive or to access identifiable student information from the DOE. These entities are required to answer a number of questions about their privacy and data security practices. Responses from such outside entities to these questions are found below. Please note that this page will be updated on a periodic basis with responses from additional outside entities.

PLEASE NOTE: The entities listed below do not comprise a list of “approved DOE vendors” and therefore should not be thought of as such. Some entities listed below may have agreements that have expired or were terminated, but whose information has not yet been moved or removed. Other entities, whose names do not appear below, may have agreements with the DOE, or agreements that are in progress, but their responses are still being processed and have not yet been posted. Additionally, there are some entities that do not collect personally identifiable information. Their information may not appear below. 

Listed in Alphabetical Order:

21st CentEd

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 2/1/2022 - 2/1/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. 21stCentEd’s online educational services collects contextual or transactional data as part of its operations, often referred to as “metadata.” Metadata refer to information that provides meaning and context to other data being collected; for example, information about how long a particular student took to perform an online task has more meaning if the user knows the date and time when the student completed the activity, how many attempts the student made, and how long the student’s mouse hovered over an item (potentially indicating indecision). This metadata is not linked to FERPA-protected information.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The 21stCentEd Data Security Plan (DSP) details procedures implemented at the administrative level to protect private information such as training personnel on information handling best practices. The DSP also outlines the physical protections implemented for protecting private information such as ensuring paper records and servers are secured and access-controlled. Lastly, the DSP includes 21stCentEd’s technology-based instruments and procedures used to protect private information such as requiring Common Access Cards for System Access and encrypting computers and emails.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Abbott House

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Community Schools Resource program of Abbott House provides both PS294 and PS311 with Mental Health services, community engagement initiatives, and family support. We provide in-school individual and group counseling to students with mental health challenges. We not only help students in school but help families bridge the educational gap with attendance initiatives, connecting them to resources in our community, applying for public assistance and advocating for the needs of their family. We use PII to contact families to receive our services and connect them to the school community. Additionally, PII is used to inform our decision making when targeting vulnerable populations that may need our assistance such as students with low attendance rates or students in temporary housing.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., ASARA Fulton Street Software.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The Entity has a data privacy and security policy in place that implements principles, processes and solutions that facilitate secure business operations related to data privacy and security. The policy is reviewed frequently to manage the new challenges and requirements of the funding sources. This policy identifies the categories of attack surfaces (cyber-attack vulnerabilities), path by which cyber-attacks are enacted and the processes or technologies used to prevent these attacks and protect Abbott House information assets. The following areas are managed by advance technologies, constant monitoring and various physical/technical and administrative controls to ensure protection against data breaches and cyber attacks.

  • Network Security/High Availability
  • Web Content Filtering/IPS
  • Anti-Virus/Anti-Malware
  • Anti-Spam/Phishing
  • Access Control
  • Data Encryption
  • Email Security/Encryption
  • Patch Management
  • Data Backups/Testing
  • Mobile Device Management
  • Secure Wi-Fi
  • Print/Fax Security
  • System Disposal
  • 3rd Party Security Audits
  • BC/DR Plan
  • Cyber Security Awareness Training
  • Cyber Liability Insurance

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Academics in Motion

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 9/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We will compare student data before our programing and during our program to see the students improvements pertaining to academic progress and attendance results, only. We will provide Academic Support, SEL and Life Skills workshops, wellness activities and college and career resources.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. AIM PII data is reported to and stored in AIM database which uses usernames and passwords to prevent unauthorized access and to restrict user access within the application. Each unique user account is assigned access to programs and permission sets to restrict access to data and features in the system. Data is stored using redundant Amazon Web Services hardware technologies and SSG fault tolerant software and journaling file systems. All data is automatically encrypted while in transit and in storage. User-based permissions and audit trails further enable secure access to data within the system. To prevent breaches the AIM database conducts continuous vulnerability scanning, integrated security code scanning, and penetration testing. In the event systems are affected by a breach, it is their policy to notify without undue delay, and in no case greater than 48 hours, from the confirmation of a data breach.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Acadience Learning Inc. (ALI)

Type of Entity: Research Institution or Evaluator

Contract / Agreement Term: Nondisclosure agreement was signed on 6/25/2021

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The purpose for which ALI will receive/access PII is to provide online assessment and data management services for Acadience assessments and for psychometric and research services which may be called upon by NYC DOE.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The Acadience Learning Online (ALO) system follows industry-standard best practices to ensure that all system data, including data containing PII, is secure and protected at all times. Technical security protections include, but are not limited to: encryption of data in transit and at rest, use of US based servers, proactive monitoring of network access, and regular security testing and review of results. ALI takes a proactive stance on mitigating data privacy and security risks by utilizing strong security procedures and protocols.

Additionally, ALI upholds rigorous internal policies to ensure that employees with access to data containing PII follow strict procedures related to the handling and management of sensitive information. Employees with access to sensitive information must first complete required training before gaining ALO system access, and system access is limited to employees who need access to the information to complete job duties.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Accelerate Learning (for STEMscopes, Math Nation)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. PII is utilized solely for application operations and curriculum interaction by students and teachers.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subtractor, i.e. Amazon Web Services.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Accelerate Learning (ALI) implements cybersecurity practices and requirements based upon CIS’s well-established Controls and Benchmarks that are compliant with the federal standards in the Federal Information Security Management Act (FISMA) in NIST Special Publication 800-53 Revision 5, published September 2020. We implement authentication, authorization and accounting (AAA) based on these controls following a least privileged model. Additionally, ALI utilizes leading industry tools to monitor, restrict, and secure information resources and sensitive data. The fundamentals of our security operations include:

  • Passwords and Employee Access. Accelerate Learning Inc secures all usernames, passwords, and any other means of gaining access to the Services or to Student Data, at a level suggested by the applicable standards, as set forth in Article 4.3 of NIST 800-63-3. ALI only provides access to Student Data to employees or contractors that are performing the Services. Employees with access to Student Data shall have signed confidentiality agreements regarding said Student Data. All employees with access to Student Records shall be subject to criminal background checks in compliance with state and local ordinances.
  • Destruction of Data. Accelerate Learning Inc destroys or deletes all Student Data obtained under the Service Agreement when it is no longer needed for the purpose for which it was obtained.
  • Security Protocols. Accelerate Learning Inc utilizes security protocols that meet industry standards in the transfer or transmission of any data, including ensuring that data may only be viewed or accessed by parties legally allowed to do so.
  • Employee Training. Accelerate Learning Inc conducts periodic security training to those of its employees who operate or have access to the system.
  • Security Technology. When the service is accessed using a supported web browser, Accelerate Learning Inc employs industry standard measures to protect data from unauthorized access. The security measures include firewalls, deep packet inspection, application stream analysis, restrictive load balancing, network segmentation, network ACLs, data transit encryption utilizing TLS 1.2 with 2048-bit certificates, data at rest encryption utilizing 256-bit AES encryption, log aggregation and analysis, vulnerability management and remediation process, application authentication, server authentication and administrative authentication following least privileged access.
  • Periodic Risk Assessment. Accelerate Learning Inc conducts regular digital and physical risk assessments and remediates any identified security and privacy vulnerabilities in a timely manner.

We adhere to the following standards, laws, and certifications:

  • NIST Cybersecurity Framework v.1.1
  • NIST SP 800-53 Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (CSF), SP 800-171
  • ISO 27000 Series
  • Center for Internet Security (CIS) Critical Security Controls (top 20)
  • Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99)
  • Children's Online Privacy Protection Act (COPPA)
  • Protection of Pupil Rights Amendment (PPRA) 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Achieve3000, Inc.

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2022 – 8/31/2029

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Achieve 3000, Inc. offers multiple products that will collect Personally Identifiable Information (PII) including: Actively Learn, Actively Learn Unlimited, Achieve3000 Literacy, Achieve3000 Literacy with Boost, SmartyAnts, Achieve3000 Math, eScience3000, and NWEA MAP Informed Learning Path.

Achieve3000, Inc. will use personally identifiable information (“PII”) to provide the educational product or service subscribed to by a DOE institution or to process transactions such as information requests or purchases in order to meet our contractual obligations to the DOE institution that has subscribed to our products and services . We will also process DOE PII to meet our legitimate interests, for example to personalize your experience and to deliver relevant content to DOE; to maintain and improve our services to the DOE; to generate and analyze statistics about DOE use of the services; and to detect, prevent, or (if permitted by law) to respond to fraud, intellectual property infringement, violations of law, violations of our rights or our terms of use for Achieve3000, Inc. online products and services, or other misuse of the services. Except as described in this notice, we limit the use, collection, and disclosure of DOE PII to deliver the service or information requested by DOE.

  • Actively Learn- Actively Learn gives teachers access to thousands of texts and videos for ELA, social studies, and science with scaffolds and data to inform instruction
  • Actively Learn Unlimited - Actively Learn Unlimited gives teachers access to thousands of texts and videos for ELA, social studies, and science with scaffolds and data to inform instruction, plus an additional 6,500 copyright books from publishers including Penguin Random House, HarperCollins, Simon and Schuster, and HMH.
  • Achieve3000 Literacy - Achieve3000 Literacy is a digital learning solution that accelerates literacy growth for all students through differentiated content and instruction. A wide body of research, including a gold standard study with a rating of Strong from Evidence for ESSA, has shown Achieve3000 Literacy can double and even triple expected learning gains
  • Achieve3000 Literacy with Boost- For targeted and intensive intervention, Achieve3000 Literacy with Boost for Intervention accelerates the literacy gains of students who need additional supports and services. Achieve3000 Literacy’s suite of classroom-tested scaffolds for students and supports for teachers, combined with Achieve3000’s patented methodology and world-class technology, deliver a successful RtI implementation with results that you and your students can see after a few as four lessons. Plus, with Achieve3000 Literacy’s focus on nonfiction science and social studies content, as well as academic vocabulary, intervention students do not miss out on essential grade-level, standards-aligned instruction while engaged in Tier II, Tier III, or Special Education instruction during targeted instruction in the general classroom or intensive intervention in a specialized classroom.
  • SmartyAnts - Smarty Ants is an effective, research-driven solution that differentiates instruction in foundational reading skills and accelerates student achievement – all in an engaging, interactive, online learning environment. The program continuously evaluates each student’s exact skill level, learning temperament, and learning pace. Based on this information, the adaptive content system automatically delivers the right level of skill instruction and practice to keep learners in the zone of proximal development. No two students will approach the content or process in the same manner, but they all will reach the same critical milestones for primary-grade literacy success and emerge as confident, capable readers ready for the challenges of second grade and beyond.
  • Achieve3000 Math - Achieve3000 Math offers a powerful experience to support math fluency and skills mastery across grades, standards, and topics. The solution includes individualized practice and intervention for math standards mastery for elementary, middle, and high school learners.
  • eScience3000 - Core science program for grades 6-8
  • NWEA MAP Informed Learning Path - Achieve3000 offers access to the Northwest Evaluation Association (NWEA™) -MAP Informed Learning Paths. MAP Informed Learning Paths use MAP assessment data and Achieve3000 data so that Achieve3000 user can create a personalized and differentiated learning path for each student. Teachers can easily see each student’s results by RIT ranges and assign lessons to address skill strengths and weaknesses. Instructional recommendations for each skill and concept further help teachers to differentiate instruction.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Amazon Web Services; and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Achieve3000, Inc. utilizes the most up-to-date security systems and 24/7 monitoring. Achieve3000, Inc. also has very strict internal processes to safeguard customers’ data, and all applications are built in compliance with federal regulations including FERPA. System penetration testing, vulnerability management and intrusion prevention is managed in conjunction with our third-party infrastructure provider. The application logs security-relevant events, including information around the user, the date/time of the event, type of event, success or failure of the event, and the seriousness of the event violation. User authentication communication and storage is protected by 256-bit advanced encryption standard security. Achieve3000, Inc. employs Role-Based Access Control (RBAC) and Principle of Least Privilege (PoLP) when provisioning access to its infrastructure and technology. All access follows approval flows, logged, and audited. The Achieve3000, Inc. Cybersecurity and Privacy Teams maintain a 24x7 security incident process and a confidential Incident Response Plan, along with standard operating procedures for handling security incidents and notifications. The infrastructure which hosts Achieve3000, Inc.’s digital products reside in AWS, which is physically located in Amazon’s datacenters, which are all SOC 2 compliant.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

The Achievement Network

The exclusive purposes for which Protected Information will be usedThe information collected is first used to enable access to ANet’s online platform, myANet, which provides resources and reports for District and Schools leaders. These data also allow ANet coaches and school leaders to understand student performance on interim assessments administered. These learnings then enable ANet to provide the appropriate guidance and best practices to boost student learning. Additionally, we also occasionally use anonymized, aggregated student response data to inform our own internal analyses of the efficacy of our services and tools.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: ANet and our partners are considered to be a “School Official” under FERPA. Access to data reports that include more granular student data can only be accessed through our secure data reporting platform. Any individual or non-aggregated student data is available only to that student's school leaders and teachers, not to other educators in the network.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: ANet typically retains all data collected. In the event that a partnership with ANet is concluded, user access to the myANet platform will be terminated on a mutually agreed upon date. This ensures that the data collected for that partner is no longer available to other schools within the district that utilize the platform. [NYC DOE comment: The current agreement became effective starting on December 20, 2019 and terminates when all NYC DOE schools and/or offices cease using The Achievement Network’s products/services. The terms of the agreement remain effective through the period during which The Achievement Network possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Our data and servers are part of AWS and are housed in US-based AWS data centers. https://aws.amazon.com/compliance/data-center/controls/. At our offices we do not have any servers.

How the data will be encrypted (described in such a manner as to protect data security): Applications communicate with RDS databases within a secure Virtual Private Cloud (VPC) via Transport Layer

  • Security version (TLS) 1.0 and 1.2.
  • AWS RDS encryption at rest with KMS uses FIPS 140-2 validated hardware security modules (HSMs) to generate
  • AES-GCM 256-bit keys.

Actively Learn Inc

The exclusive purposes for which Protected Information will be used: Actively Learn uses Protected Information solely to provide the Actively Learn educational service to NYC students, teachers, and schools.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: We will carefully review sub-processor privacy agreements and terms of service to ensure that they abide by the data protection and security requirements required by our NDA with the NYC DOE.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon written request from NYC DOE, we can delete or de-identify NYC data in our platform. 

[NYC DOE comment: The current agreement became effective starting on March 20, 2020 and terminates when all NYC DOE schools and/or offices cease using Actively Learn Inc’s products/services. The terms of the agreement remain effective through the period during which Actively Learn Inc possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All Protected Information is stored in the US (AWS us-east-1 and us-west-2 datacenters). Data is encrypted both at rest and in transit. Actively Learn employees with access to Protected Information access it via a browser over SSL (support staff) or directly over a password-protected private-key SSH tunneled. Connection to our platform database (engineering staff).

How the data will be encrypted (described in such a manner as to protect data security): Platform data is encrypted at rest using AES-256-GCM encryption provided by AWS’s Aurora managed clustered database service and AWS’s Key Management Services (KMS), Platform data is encrypted in transit between the database and our platform via SSL. 

Adobe

The exclusive purposes for which Protected Information will be used: The NYCBOE uses Adobe products and services for its students in the K-12 school environment. Protected information (as defined in the Additional Terms) will be provided to Adobe and used by Adobe for the purposes of providing such student services to the NYCBOE and its students under the agreement between Adobe an NYCBOE. [NYC comment: Adobe refers to the New York City Department of Education as NYCBOE throughout the agreement.]

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: In the event that Adobe engages subcontractors or other authorized representatives to perform one or more of its obligations under the agreement, it will require those to whom it discloses protected information to be subject to contractual data protection terms at least as restrictive as those set forth in the agreement, and those subcontractors or other authorized representatives shall have a legitimate need to access protected information in connection with their responsibilities in providing services to Adobe.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The initial term of the agreement with the NYCBOE will be thirty-six (36) months from the effective date. Upon expiration of the additional terms without renewal, or upon termination of the additional terms prior to expiration or termination of a student account, Adobe will adhere to the student data retention and deletion protocols agreed to with the NYCBOE and set forth in Seton 5.4 of the Additional Terms of the Agreement. [NYCDOE comment: the Agreement was signed and put into effect on February 28, 2022.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to Section 6.3 of the Additional Terms, Adobe will work with the NYCBOE to process requests for copies of, and challenges to the accuracy of, protected information in the custody or control of Adobe. Such requests should be directed to the NYCBOE at studentprivacy@schools.nyc.gov.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Any protected information Adobe receives will be stored on systems in a secure data center facility. Adobe processes and stores information in the U.S. and other regions, which made include Europe and Japan. Adobe Cloud Services meet the specific requirements of data protection, including, but not limited to, Article 28 of the General Data Protection Regulation and which are listed as SOC2, Type 2 (Security and Availability) and ISO 27001 compliant and others as indicated at http://www.adobe.com/go/cloudcompliance. Additional information on Adobe’s various security controls and processes for its products and services are located in Exhibit C (Technical Organizational Measures) to the Additional Terms of the Agreement.

How the data will be encrypted (described in such a manner as to protect data security): Adobe uses technologies, safeguards and practices, including, but not limited to, encryption, firewalls, password protection, and/or equivalent that are consistent with its industry standards. Adobe Cloud Services meet the specific requirements of data protection, including, but not limited to, Article 28 of the General Data Protection Regulation and which are listed as SOC2, Type 2 (Security and Availability) and ISO 27001 compliant and others as indicated at http://www.adobe.com/go/cloudcompliance. Additional information on Adobe’s various security controls and processes for its products and services are located in Exhibit C (Technical Organizational Measures) to the Additional Terms of the Agreement.

Advanced Assessment Systems (also called LinkIt!)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices. “Typically, agreements are 1 year in duration, beginning on July 1 and ending on June 30 the of the following year.”

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. LinkIt! will receive PII data related to student assessment records, including student names, IDs, and demographic information. Additional student records, such as attendance, behavior and programmatic associations may also be sent to LinkIt! All such data shall be used and maintained as a service to school and district stakeholders authorized to access the same and exclusively for the purposes of analyzing the data for instructional improvement, professional development and resource allocation purposes, as well as other such purposes as the district may deem necessary and appropriate.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Performance Review Data).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. “LinkIt! leverages industry-leading provider AWS (Amazon Web Services) for data hosting and posts regular and frequent security updates. Access to data is limited to those individuals that require such access in the reasonable performance of their job function and all staff receive annual training in the area of privacy and security.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The safeguards in place to protect PII data are too numerous to fully detail here, but data and files are stored securely on the industry-leading Amazon (AWS) hosting platform. Data is also encrypted on our platform, both in transit and at rest. The LinkIt! data and security model follows best practices and consists principally of the following:

  • Physical Security: Web servers, data servers and network data storage are on servers maintained by AWS. We perform full daily backups and hourly incremental backups which are stored offsite in the event of a disaster. The data center is located in a secure area with restricted onsite access.
  • Data Security: LinkIt! utilizes industry-leading Microsoft SQL database that enables encryption in transit and at rest. Electronic access to database servers is restricted through dedicated web servers on a local network. This provides an effective barrier against attempts to directly compromise database integrity.
  • Web Security: Our web layer consists of a passcode encrypted web service with enforced business logic. The business logic restricts user activity based upon permission level such that data access is limited to role within the LEA organization.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Age of Learning (for My Math Academy and My Reading Academy)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We collect and use PII for the purpose of providing our services My Math Academy and My Reading Academy, both of which are adaptive digital learning programs for students. We do not use PII for any other purpose. Student information is provided in order to track the students progress within the products and to provide reporting to the teacher, school, and district.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The vendor has policies and procedures in place to ensure safeguarding practices are in place. This includes the protection of data from corruption, theft, or unauthorized access.

  • Data Access – Age of Learning practices the principle of least privilege. Access is provided based on role and granted when necessary to fulfill the requirements set out by the contract.
  • Account Protection - Single Sign-On (SSO) and a strong password is required.
  • Encryption – All data is encrypted in transit and at rest.
  • Monitoring – Age of Learning products are continuously monitored for vulnerabilities by employees and through state-of-the-art third-party monitoring tools.
  • File Transfer Protocol – All file transfers are secure over SSL/TLS cryptographic protocol.
  • Web Application Firewall (WAF) – Inspects and filters traffic between Age of Learning products and the internet.
  • Software Security – Product development is based on OWASP, SANS, NIST, CSF, CIS, SCF frameworks.
  • Audits – Annual SOC 2 audit and third-party penetration testing are performed for additional security awareness.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Agile Mind

Type of Entity: Commercial Enterprise

Contract / Agreement Term: [NYCDOE Comment: NDA was signed on 7/12/2021]

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Agile Mind provides comprehensive math and science programs for middle and high schools. To that end we store a student’s name, school, grade level and DOE assigned login ID– all nonsensitive PII.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data (not just PII) is stored in a highly secure fashion. Data is protected using encryption while in motion and at rest by serving all data via HTTPS and storing it in a secure manner. For storage specifically, all data is stored by MySQL Data at Rest Encryption. The security of this data is ensured by limited employee electronic access to production databases, and databases are housed in a secure data center with physical security and a named access list for visitors.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Alegra Learning (for Joy School English)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 8/1/2023 - 7/31/2030

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Alegra Learning, Inc. is the creator of Joy School English. Joy School English is a software program for elementary aged students (PreK-5) that focuses on oral language production, early literacy and social and emotional learning (SEL). Joy School English is accessible on iPads, tablets, mobile devices, Chromebooks and computers. Upon starting the program, students follow an individualized scope and sequence that takes them through the research-based curriculum. The curriculum is aligned to the NY State PreK and Kindergarten learning standards. Joy School English uses voice recognition technology where kids use their own voice to explore and advance to encourage speaking and oral language production. Joy School English also provides resources for teachers including data and progress monitoring, an interactive teacher menu to use in small/whole group instruction and teacher lesson plans. Joy School English is accessible from home so students can continue their learning pathway from home and the program serves as a great resource for parents. Student PII is used to create a unique student account for each student so that they can receive individualized instruction.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII is hosted via Amazon Web Services (AWS), which is a robust and secure service to host data (https://aws.amazon.com/compliance/data-privacy/). In addition to all of Amazon’s protocols, all data in our portal is password protected and only accessible with those authorized to do so. We use Role-Based Access Control (RBAC): RBAC assigns specific access permissions based on the roles or responsibilities of users within an organization. Users are granted access only to the resources and data necessary to perform their job functions.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

All In Learning, Inc  

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2020 – 6/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Product: ALL In Learning is a cloud-based formative assessment platform providing in-the-moment and summative assessment data collection utilizing a variety of collection modes (clickers, student devices, bubble sheet scanning, and even teacher-graded rubrics). Our reporting supports improving the teaching and learning process in the classroom as well as provides student performance insight at every level (classroom, campus, and district).

Purpose for using PII: ALL In Learning will utilize some PII for Teachers and Students for the purpose of rostering for administering and reporting on formative assessments.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor. The vendor specifies that “We store our data in AWS/Aurora databases. The data is encrypted in transit and at rest. These databases are not shared resources with their other clients, nor is the data shared with AWS. It is not a cloud database.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ALL In Learning application data is stored in an Amazon Web Services virtualized environment. Data is always transmitted encrypted and stored encrypted. We have data access restriction policies in place within the ALL In Learning development and support organizations.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Amplify Education, Inc. 

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Amplify Education Inc. (“Amplify”) provides core curriculum and supplemental programs and services in ELA, math, and science, and formative assessment products in early reading and math. Each product is briefly described below.

Amplify uses student data collected from, or on behalf of, an education agency to support the learning experience, to provide Amplify products to the education agency and to ensure secure and effective operation of our products, including: to provide and improve our educational products and to support education agency’s and authorized users’ activities; for purposes requested or authorized by the education agency or as otherwise permitted by applicable laws; for adaptive or personalized learning purposes, provided that student data is not disclosed; for customer support purposes, to respond to the inquiries and fulfill the requests of education agencies and their authorized users; to enforce product access and security controls; and to conduct system audits and improve protections against the misuse of our products, or to detect and prevent fraud and other harmful activities.

List of Amplify Products:

Core Curriculum

  • Amplify Caminos - Amplify Caminos is a Spanish language arts program that inspires K–5 students to become confident readers, writers, and thinkers. Amplify Caminos was developed by a bilingual team from across the Latin American and Hispanic diaspora in a concerted effort to create culturally relevant connections for students with diverse backgrounds so their classroom experience strikes a balance between the security of the familiar and the excitement of the unknown. Amplify Caminos is designed to support any biliteracy model, including English as a Second Language (ESL), transitional bilingual programs, dual language strands, and Spanish immersion programs. When used in tandem with Amplify CKLA, Amplify Caminos provides a fully equitable, one-to-one English and Spanish solution.
  • Amplify CKLA - Amplify Core Knowledge Language Arts (CKLA) is a comprehensive English Language Arts curriculum that builds foundational language and literacy skills. Amplify CKLA Grades K-2 develops these skills in a two-part program consisting of a Knowledge Strand and a Skills Strand. Amplify CKLA Grades 3-5 offers an integrated strand of instruction that covers both knowledge and skills content.
  • Amplify ELA - Amplify ELA is an innovative, classroom-tested curriculum for grades 6–8. Our blended program provides a carefully sequenced system of standards-based content, tools, and support for core ELA instruction. The heart of every lesson is the text. We enable teachers to teach skills through texts and develop their students’ muscles for building meaning through reading. With Amplify ELA, students learn to attack any complex text and make observations, grapple with interesting ideas, and find relevance for themselves in their own lives.
  • Desmos Classroom (also known as Desmos Curriculum) - Desmos Classroom is a digital and print curriculum for grades 6–8 and Algebra 1. The lessons are standards-aligned center student ideas and pose problems that invite a variety of approaches. The problem-based program promotes mathematical curiosity and student engagement and is built on the coherence and rigor of the Illustrative Mathematics IM K–12 Math curriculum.
  • Amplify Math - Amplify Math for grades 6–8 and Algebra 1 is a 100% blended core program based on Illustrative Mathematics IM K–12 Math. The program was developed prior to Amplify acquiring the Desmos Curriculum and is currently being reworked.
  • Amplify Desmos Math - Amplify and Desmos Classroom’s new unified curriculum for grades K–A2 brings the best of the Desmos Classroom lessons together with the program supports that districts need. Standards aligned lessons are delivered through an easy to use platform that allows teachers to see student thinking in real-time. Adopting schools gain access to assessments, Tier 2 intervention supports, reporting, and more. Units can begin to be piloted starting back to school 2023. Grades K–A1 can be piloted started back to school 2023.
  • Amplify Science - With Amplify Science K-8, users get detailed lesson plans, embedded formative and summative assessments, hands-on activities and materials, scientific texts, robust simulations, engaging media, physical and digital models, opportunities for scientific argumentation and other forms of classroom discussion, and a variety of effective teacher supports and professional development options.

Supplemental

  • Amplify CKLA Skills - Amplify CKLA Skills is a research-based supplemental skills program built on experts’ latest findings on how children learn to read. Built on a systematic scope and sequence, Amplify CKLA Skills offers the explicit skills instruction needed in today’s classrooms. Amplify CKLA Skills can be used to supplement core ELA programs to provide focused lessons to make literacy skills a priority in the classroom. Amplify CKLA Skills is the first foundational skills program to earn an all-green rating from EdReports.
  • Amplify Reading and Amplify Close Reading - Amplify Reading (grades K-5) and Amplify Close Reading (grades 6-8) are digital supplemental literacy programs that provide independent, personalized instruction and practice. Both use a developmentally appropriate narrative structure to guide students through targeted reading skills practice. Both use a scope and sequence that introduces increasingly complex, sophisticated approaches and topics in reading.
  • Skills Boost - Skills Boost works alongside any core program to provide 30 minutes of highly targeted supplemental foundational literacy skills instruction every day. The software license bundles a suite of solutions and includes: quick formative assessment; targeted, teacher-led instruction and intervention; and independent personalized, adaptive practice for students.

Assessments

  • mCLASS with DIBELS 8th Edition - mCLASSⓇ delivers K-6 formative and diagnostic assessment and serves as dyslexia screening. DIBELSⓇ 8th Edition, the latest version, has been specifically validated as a universal screener for reading and for dyslexia and covers the “5 big ideas” of reading, quickly identifies students who are at risk, and specifies areas for remediation and acceleration.
  • mCLASS Intervention - mCLASS Intervention provides the analytical tools and resources educators need to make targeted, staff-led intervention a daily reality throughout the school year. mCLASS Intervention follows a research-based skills progression and uses smart technology to: Analyze assessment results to place each student on the progression, Form small groups of students with similar skill profiles, determine the optimal instructional focus for each group, and build detailed lessons aligned to that focus, Update students’ skill profiles, groups, and lessons every 10 days as progress-monitoring results improve.
  • mCLASS Lectura - mCLASS Lectura is a high-quality, authentic Spanish assessment that accounts for the major differences between English and Spanish, not simply a direct translation or transadaptation between the two languages. Aligned to the Science of Reading, mCLASS Lectura allows teachers to connect with their students through observational assessment and in the language most comfortable to them. By providing teachers with insights into the skill areas in which their students are proficient, in their native language, the program helps Spanish-speakers build on their strengths and make connections to their second language. mCLASS Lectura delivers complete parity when combined with mCLASS with DIBELS 8th Edition, including parallel reporting across English and Spanish assessments and unique dual-language reporting. Educators also receive guidance on the cross-linguistic transfer of critical skills in both languages.
  • mCLASS Math - mCLASS Math is a math assessment program that uncovers students’ mathematical reasoning and measures fundamental skills to build student success. Universal screening and progress monitoring with diagnostic interviews provide a rich view of at-risk students and gauge the effectiveness of math instruction.
  • mCLASS with Amplify Reading - mCLASS: Amplify Reading Edition is an adaptive assessment (K-6) and instructional solution (K-8) that creates a research-based personalized learning experience for students. By seamlessly integrating universal screening and personalized learning, teachers can identify where students need more practice in early reading skills, and students can use a program designed to grow their skills and build their confidence as readers.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services, Inc. (AWS); MongoDB, Inc. (MongoDB)

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. [DOE comment: In its agreement, Amplify outlines in detail how it meets the COSO principles. Please contact studentprivacy@schools.nyc.gov if you would like a copy of this information.]

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Aperture Education

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2021 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Aperture will use PII to administer student social and emotional assessments to be completed by students, teachers and (optionally) parents. PII will also be used in reporting (e.g., to disaggregate data by subgroup).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Aperture Education considers security of PII to be of utmost importance. As such, we follow a rigorous security policy which includes, but is not limited to, third party penetration and security testing, annual security training of all of our employees, completion of background checks on our employees, encryption of confidential information in transit and at rest, and limiting user access to confidential information based on role. Please see our security policy for more information.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Applied Curiosity Research, LLC

Type of Entity: Research Institution or Evaluator

Contract / Agreement Term: 2/1/2022 – 1/31/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We are conducting a mixed-methods, implementation evaluation of a pilot program with students from two NYC schools. The pilot program occurs for five weeks over the summer and consists of a blend of classroom instruction from DOE teachers and community-based organizations as well as work-based learning. The focus of the pilot program is promoting computer science skills and knowledge while exposing students to careers in related fields. Research participants include participating students, teachers, and select agency stakeholders. The goals of the evaluation are to collect evidence of student outcomes, understand barriers and affordances to program implementation, assess the extent to which activities are completed as intended, identify best practices, and inform effective scaling of the program.

Methods include student pre/post surveys administered in class, student focus groups, teacher in-depth interviews, and in-depth interviews with key stakeholders.

The only PII we will collect is student and teacher names during the consent process. Consent is critical to ensure participants understand their rights as a research participant, including that the research is voluntary and how their information will be handled. Consent is also a mandatory requirement for NYC DOE IRB.

Type of PII that the Entity will receive/access: Student PII. We may collect student, parent, or teacher names on consent forms. We may also collect student names for the purpose of focus group attendance lists. We will not, however collect student names that are attached to any academic or demographic data.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. The Entity selected “Other: We will remove all PII from any documents or digital files (consent form, survey responses, audio files, notes, transcripts) and replace this with an ID number assigned by the study team. The document linking IDs to PII will be stored in a password protected folder on an encrypted external drive, in a locked cabinet, accessible only by the principal investigator.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We will remove all PII from any documents or digital files (consent form, survey responses, audio files, notes, transcripts) and replace this with an ID number assigned by the study team. The document linking IDs to PII will be stored in a password protected folder on an encrypted external drive, in a locked cabinet, accessible only by the principal investigator.

Any PII will be kept secure and only used for study purposes, except as otherwise required by law. The study team will not disclose participant’s names or any personally identifiable information in any report or presentation.

De-identified consent forms, audio files, notes, survey data, and transcripts will be stored on a password-protected, encrypted cloud storage system accessible only by the project team.

After three years, we will delete and overwrite copies of all data and also wipe all blank space on the external hard drive to ensure there are no elements of the files retained on the drive.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Apptegy

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The PII we receive or access in connection with our services is either provided by a school (referred to as a “Client”) in order to create or manage users under a Client’s account or is provided by such users in the course of using our services. Thrillshare is a content management system that enables Clients to: update or share information via their website or social media; communicate with parents, students, or other stakeholders through a messaging feature that can send voice calls, text messages, push notifications, or emails (referred to as “Alerts”); or communicate directly with stakeholders via an online chat feature (referred to as “Rooms”). PII shared for these purposes may include: personal information shared by a Client in order to create accounts for administrators, teachers or other personnel; contact information shared for the purpose of sending Alerts; or any PII that a user may include in any messages sent via the Alerts or Rooms features. Apptegy only uses such information for the purpose of providing the services. For more information regarding the purposes for which Apptegy receives or accesses PII, please see the Apptegy Privacy Policy (“Privacy Policy”) (available at: https://www.apptegy.com/privacy-policy/).

Type of PII that the Entity will receive/access: Student PII. “How Clients use Apptegy’s services may change over time. In such case, the PII that Apptegy will receive/access in order to perform its services may change or be supplemented. This is at our Clients’ discretion. If a parent of a student or other individual wishes to review a list of PII accessed pursuant to the services, the parent or individual should contact the applicable Client to confirm. For a more generalized description of potential PII received/accessed, please also see our answer to Question 4 above and our Privacy Policy.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and

written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. As indicated, Apptegy uses Amazon Web Services (“AWS”) to host and operate our services, and to host and process Clients’ data. AWS supports more security standards and compliance certifications than any other hosting provider, including ISO, SOC2, NIST, GDPR, PCI-DSS, and others. Comprehensive information about AWS security practices and certifications is available at https://aws.amazon.com/security/ and https://aws.amazon.com/compliance/. In addition to other means of ensuring privacy and security (including encryption, vulnerability monitoring and remediation, and Role-Based Access Control (RBAC) principles), Apptegy monitors and manages system access by AWS security groups and internal access controls. We review our AWS security group rules at least annually and update them as appropriate. Apptegy uses single sign-on (SSO) and HTTPS protocol where available and technologically feasible. Apptegy uses a virtual private network (VPN) for remote access to AWS and the parts of our services that contain Client data where available and technologically feasible. Apptegy has implemented multi-factor authentication for our production environment. Clients can choose to require multi-factor

authentication for end users. For more information on how we mitigate data privacy and security risks, please see our Privacy Policy.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Arete Education

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2022 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Grant Participation requires PII in the form of program enrollment, attendance tracking and record maintenance for possible review and report generation. Arete acquires paper enrollment forms and attendance records in the classrooms and maintains private records in our locked main worksite office only accessible to designated Arete staff (i.e., Community School Director, Arete Data Specialist). All files are uploaded to our private Arete organization cloud account and maintained for the life of the outstanding contract. When said time has expired and records are no longer needed, all records are shredded and/ or deleted from our cloud servers supervised by our Director of Operations.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Cityspan Technologies Inc.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Cityspan’s Security Policy contains a Risk Assessment Policy that identifies data privacy and security risks and mitigating controls. The Risk Assessment Policy was developed subject to COV2 audit requirements and approved by an external auditor in June 2020.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Asase Yaa Cultural Arts Foundation

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 1/2/2023 – 1/3/2028

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Asase Yaa Cultural Arts Foundation will use Personally Identifiable Information (PII) for evaluations and for program development for student workshops so it can be appropriate for grade and age levels. Workshops are offered in all of the disciplines offered to students including Drumming (Djembe, Conga, Drum Line); Dance (African, Ballet, Jazz, Hip Hop, Modern); Theater (Original Productions); and Visual Arts. Workshops can be scheduled when it best fits parents which includes am sessions and pm sessions. Sessions typically are 45 minutes to 90 minutes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third parties.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We would only keep the information in a password protected drive that is accessible to program directors only and which will be discarded at the end of each school year. Additionally, all devices used to access the PII have virus scanners, as well as firewalls to ensure that the information is not compromised.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

ASPIRA of New York

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ASPIRA will manage and operate community schools contracts with the goal of fostering ongoing collaboration and common vision with the partner schools to provide students and their families with coordinated programming that targets their individual academic, social, emotional, and developmental needs. PII will be utilized to register program participants, communicate their academic and social progress with parents and allow for student choice when program planning through the utilization of participant satisfaction surveys.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ASPIRA will limit access to a minimal number of authorized personnel who have a legitimate need for such data access. Confidentiality agreements will be required for any personnel with access. ASPIRA will encrypt data in transit and storage, set access controls, and implement regular and encrypted backups. Data is entered into a password protected cloud based database. Policies for reporting security incidents to parents/guardians are in place. All security incidents will be communicated to parents/guardians and students.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Assessment Technologies Institute (also called National Healthcare Association)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Processor’s Services include the provision of learning content hosted on Processor’s platform and Certification examinations. End users create an account (or the school does so on behalf of each end user) that includes contact information and all data related to the interaction of the end user with the content is recorded by the platform and can be accessed by instructors and end users. Such data is PII. Additionally, certifications data (such as exam date, responses to exam questions, exam scores, pass/fail) is also PII in that it is linked a specific individual.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data is encrypted at rest and in transit. Processor utilizes many controls and protections that includes but is not limited to: Network and Border Security, Endpoint Security, Email Security, Threat and Vulnerability Management, Access Management. ll critical and high risk vendors, is any, are reviewed annually as part of Processors Vendor Management Program. In addition, Processor completes an annual SOC 2 Type 2 assessment, which can be provided upon execution of a nondisclosure agreement.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Attainment Company

The exclusive purposes for which Protected Information will be used: Products provided include AAC applications & devices for student communication needs; student & teacher instructional applications/software for special education.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Attainment provides industry standard data protection and security; annually authorized staff are trained on the appropriate requirements of FERPA, COPPA & SOPPA. 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Protected information is returned to the district & after 30 days purged from Attainment systems. 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All data is stored in the US with AWS certified protected industry standard practices.

How the data will be encrypted (described in such a manner as to protect data security): The transmission is controlled using TLS (Transport Layer Security) encryption for the browser to database connection. The data is encrypted between the client computer and Attainment’s servers. The Hub uses HTTPS (Hypertext Transfer Protocol Secure) over a secure SSL.

Avaya

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. Avaya is providing contact center services to multiple business units at DOE. Some of these business units require Avaya to store call and screen recordings for playback for up to 90 days. Avaya has not confirmed the exact PII that could be received but these recordings may contain certain PII.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using an Entity-owned and/or internally hosted solution.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Avaya protects and safeguards PII data by enacting the following measures and procedures:

Access control to premises. Avaya will prevent physical access to Personal Data processing equipment by unauthorized persons as follows:

  • Avaya will implement and maintain physical security measures in order to prevent unauthorized access. This is accomplished by the following measures:
    • an electronic access control system with a 90-day log retention;
    • a 24/7 video recording of physical facility with 30-day log retention; and
    • intrusion detection / burglar alarms, or engaging on premise security officers.
  • Avaya will restrict the access to various zones at its premises based on roles, and periodically revalidate the access by owners.
  • Avaya will have personnel and visitor security measures in place to prevent unauthorized access, which is accomplished by the following measures:
    • Personnel must display IDs;
    • Visitors must sign in;
    • Visitors will be reasonably escorted by staff; and
    • Visitors must wear a badge which easily identifies them as visitor.

Access control to use of system. In order to prevent logical access to its Personal Data processing equipment by unauthorized persons, Avaya will implement and maintain the following measures:

  • Avaya will only grant individuals access to the Personal Data processing equipment with
    • a unique user ID for access with formal authorization process, and
    • a unique password with the following features:
      • a complex password, consisting of eight characters and three of four character sets;
      • a maximum password lifetime of ninety days; and
      • an account lockout on failed logins.
  • Avaya will grant the individuals access based on their job function with the following criteria:
    • role-based access;
    • least-privileged access; and
    • access only on a need-to-know basis.
  • The screen of endpoints will be automatically locked after 20 minutes idle time.
  • Avaya will log access to the data processing equipment.
  • Avaya will use a multi-factor authentication of Avaya’s virtual private network (VPN) for remote access.
  • Avaya will implement and maintain a central user administration.
  • Avaya will encrypt endpoints provided by itself.

Access control to Personal Data. Avaya will prevent logical access to Personal Data by unauthorized persons by implementing and maintaining suitable measures to prevent unauthorized reading, copying, alteration or removal of the media containing Personal Data, unauthorized input into memory, reading, alteration or deletion of the stored Personal Data. This will be accomplished by the following measures:

  • Avaya will only grant individuals access to the Personal Data with:
    • a unique user ID for access with formal authorization process, and
    • a unique password with the following features:
      • a complex password, consisting of eight characters and three of four character sets;
      • a maximum password lifetime of ninety days; and
      • an account lockout on failed logins.
  • Avaya will grant individuals access to the Personal Data based on their job function with the following criteria:
    • role-based access;
    • least-privileged access; and
    • access only on a need-to-know basis.
  • The screen of endpoints will be automatically locked after 20 minutes idle time.
  • Avaya will log access to the data processing equipment.
  • Avaya will maintain access control lists (ACL).
  • Avaya will conduct data backups and retrievals, using a secure storage of backup media and testing backups.
  • Avaya will implement and maintain a formal access control change management program.
  • Avaya will implement and maintain internal policies and standards comprising security policies and standards, both at a corporate and business unit level.
  • Avaya will conduct periodic mandatory trainings with respect to protection of personal data, and will monitor and enforce the training participation.
  • Avaya will implement and maintain anti-virus programs, which are centrally monitored and updated, and conduct regular anti-virus scans.
  • Avaya will conduct a secure deletion and /or disposal of data.

Transmission control. Avaya will prevent any unauthorized access to Personal Data via implementation of secure communication channels and logging as follows:

  • Avaya will use a VPN with a multi-factor authentication for remote access.
  • Avaya will use firewalls with the following features and processes:
    • stateful inspection;
    • default denial access rules are implemented unless access rules are explicitly approved;
    • role-based and least-privileged access on a “need to know” basis;
    • logging and alerting of access; and
    • annual review of firewall rules.
  • Avaya will use encrypted email if the same has been enabled by Customer, using transport layer security (TLS) as the methodology.
  • Avaya will implement and maintain security policies and standards both at a corporate and business unit level.

Input Control. Avaya will ensure the possibility to check and establish whether and by whom Personal Data have been put into, modified or removed from the Personal Data processing equipment as follows:

  • Individuals accessing personal data will require a unique user ID and authorization for access.
  • Avaya will implement and maintain security policies and standards both at a corporate and business unit level.
  • The Personal Data processing equipment will have logging functionalities.
  • Avaya will only grant individuals access to Personal Data based on their job function, with the following categories:
    • role-based access;
    • least-privileged access; and
    • access on a “need-to-know” basis.

Organization control

  • Avaya will ensure that in case of commissioned data processing, the Personal Data are processed strictly in accordance with the instructions of Customer.
  • Customer will provide clear instructions to Avaya regarding the scope of the processing of personal data, and Avaya will adhere to these instructions.

Availability control. Avaya will prevent any accidental destruction or the loss of Personal Data by appropriate measures as follows:

  • Avaya will implement and maintain uninterruptable power supply, fire and smoke alarms, fire suppression systems, generators, cooling systems and raised flooring.
  • Avaya will implement and maintain a disaster recovery plan, and annually review and test it.
  • Avaya will implement and maintain a backup strategy and backup procedures.
  • Avaya will implement and maintain anti-virus programs and firewall systems.

Control of separation of data. Avaya will implement and maintain appropriate measures to allow the separate processing of data which have been collected for different purposes as follows:

  • Avaya will separate different customers’ Personal Data by storing Personal Data in logically separated databases.
  • Avaya will separate between productive and test data.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Ballet Tech Foundation

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 9/1/2022 – 8/31/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The service provide is Dance Training at Ballet Tech. PII is required in order to take attendance and for grading.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Protected Information is stored in the US. Ballet Tech uses has various administrative, operational and technical safeguards in place in place to protect any Protected Information that it will receive under the contract – including training staff members as to best practices for data security and student privacy, the use of Google Drive and Gmail with their built-in data privacy protections, using an on-site physical server for day to day file storage, requiring strong passwords (and 2FA when available), and shredding any paper documents containing Protected Information.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Beable Education

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Beable provides literacy and test prep software to the NYC DOE. PII is collected for purposes of providing students with access to the system, and teachers with ability to monitor their progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services (AWS). Amazon Web Services (AWS) utilized are AWS RDS, AWS S3 and AWS Elasticache.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Beable employs a variety of administrative, technical and physical safeguards designed to protect PII in its custody from loss, misuse, unauthorized access, disclosure, alteration, or destruction. Our measures consider the sensitivity of the information we collect, use, and store and the current state of technology. Our security measures include data encryption, firewalls, data use, and access limitations for our personnel. Should we become aware of an authorized disclosure of your information and/or any data breach of our systems and information, we will notify NYCDOE promptly in compliance with N.Y. Education Law 2-d Requirements.

Beable has implemented a mandatory training program for its employees and contractors and clearly defined guidelines to which they are held accountable for collecting, storing, accessing, securely transmitting, interacting with, and destroying PII. Employees and Contractors are required to sign Confidentiality Agreements.

Beable’s application is hosted in AWS in our secured private network and leverages many of AWS’s broad range of cloud services.

Teachers have visibility into student-specific information via the application dashboards, reports or other features and can respond to parents who request access to their child’s records. Beable will support the teachers or other NYCDOE staff in responding to parent requests for data as necessary.

Administrative, technical and physical safeguards have been implemented to protect the security, confidentiality, and integrity of PII in its custody as summarized below:

  • Administrative – Beable maintains user registration information within our AWS secure private network and limits accessibility to such information to only those few employees that have special access rights to production systems. Security training is conducted annually.
  • Technical – Application is developed following Secure Coding Standards established for the team. Access decisions are based on the principle of least privilege meaning a user only has access and privileges which are essential to perform their intended function. Password requirements are strong and utilize multi-factor authentication. Data is encrypted in-transit and at rest and transmitted by Secure Socket Layer (SSL) technology. Workstations are hardened, patched and hard drives are encrypted. In addition to leveraging High Availability, redundancy and resiliency of AWS services, backups of all relevant systems are performed and the restore process is periodically tested. Records of change are maintained via audit logs. Penetration testing and security audits are run frequently and are a necessary part of Beable’s security posture.
  • Physical – Beable’s solutions are hosted in the Cloud at AWS. All customer PII is stored within our AWS secured private network.

Beable is committed to comply with all state, federal, and local data security and privacy laws, and NYCDOE Information Security Requirements for vendors.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Beam Center

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/15/2022 – 7/14/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Beam Center school partnerships combine both professional learning opportunities for teachers with a wide range of direct services for students. Professional learning and DSS are woven together in a way that reaches students immediately and builds long-lasting skills for teachers.

  • IN-SCHOOL PROJECTS
  • Fundamentals Projects are projects designed by Beam Center staff with the purpose of introducing students and teachers to basic skills in one or more making disciplines such as woodworking, programming, electronics, and digital fabrication skills.
  • In-Class Collaborative Projects are co-designed by teachers from our 29 partner schools and Beam Center Project Designers for implementation in classrooms.
    • PROFESSIONAL DEVELOPMENT
      • Custom Project Development is a professional learning opportunity for teachers and administrators from Beam Center’s 29 partner schools. In this program, Beam Center Project Designers introduce educators to our practice of hands-on project design as well as various technical making disciplines. With guidance from our staff, teachers collaborate to design a custom project for their classroom that is aligned to the learning goals, standards, and/or curriculum that educators are working with in their classrooms. Educators produce project plans, materials lists, and day-by-day schedules for the collaborative projects that they design. Participants in this program spend 12-18 hours total on this process; these hours are eligible for CTLE requirements.
    • Beam Center receives Student PII (names only) for the purposes of invoicing schools. We receive Teacher PII (names only) for the purposes of PD attendance sheet and for certifying CTLE credit.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Beam Center currently stores all student digital information (name, phone number, email address) on Google Suite documents that are accessible by only a restricted number of personnel directly responsible for managing the program covered by this contract, trained on DOE’s and Beam Center’s privacy and security policies and protected by secure passwords that are updated every 90 days. Beam Center does not collect student Social Security Numbers or OSIS numbers. If a school inadvertently shares OSIS numbers with Beam Center the documents are shredded or hard-deleted from digital storage. At this time, Beam Center uses no proprietary or in-house developed software applications or databases to manage participant data and if ever should do so, it will be developed to meet industry standards and best practices for security and privacy.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

 

Bedford, Freeman & Worth Publishing Group (for LaunchPad, Sapling & SaplingPlus)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. With a history of publishing groundbreaking educational content that spans over 70 years, Macmillan Learning is dedicated to combining world-class content and evolving technology to drive student success. Macmillan collaborates with some of the world’s most accomplished researchers, teachers, developers, and administrators to solve pedagogical challenges. Macmillan Learning's deeply knowledgeable and committed specialists live and breathe each course and discipline, determined to clear any learning obstacles. Historically, this has been accomplished via our Textbooks. While we are still known for our textbooks, we have worked over the past two decades to merge our textbooks with technology to create unique learning tools to better serve instructors and students.

Our LaunchPad Application is a resource to help students achieve better results by providing a place where they can read, study, practice, complete homework, and more. An interactive ebook brings together the resource’s students need to prepare for their class, working with the textbook their instructor selected. For most LaunchPad titles, students can download the ebook to read offline, or to have read aloud to them. LearningCurve adaptive quizzing offers individualized question sets and feedback for each student based on his/her/their correct and incorrect responses. All the questions are tied back to the e-book to encourage students to use the resources at hand. In addition, LaunchPad offers a wealth of quizzing options, including pre-.built quizzes which are readily available and editable. Instructors can also build their own quizzes from test banks, end of chapter questions, questions they write themselves, and more.

Created and supported by educators, our Sapling and SaplingPlus Applications are available for a wide range of courses in Biology, Chemistry, Physics, Astronomy, Physical Sciences, Statistics and Economics. With content written by leading subject-matter experts, Sapling and SaplingPlus homework provides real-time feedback based on specific misconceptions of the problems at hand. Regardless of a student's initial response, Sapling and SaplingPlus ensures everyone arrives at the correct answer for the right reasons Assignments, due dates, and question weights are all customizable to educators' preferences, and the Sapling and SaplingPlus platform supplies metrics related to attempts taken, time spent on each question, and more - offering immediate insight into class and individual student performance. Sapling and SaplingPlus provides students with real-time targeted feedback based on their specific misconceptions or understanding of the course material. Multiple question types - such as clickable area, ranking, sorting, labeling, multiple choice, multiple-select, graphing, and numeric entry - enhance student engagement and critical thinking skills.

BFW is committed to protecting the privacy and security of all School Data that we process as a “data processor” or “service provider” to your school in order to provide the services to you and your school, pursuant to applicable laws. The data we collect includes Student Name, Student Email Address, Teachers Name, Student Scheduled Courses, Student ID Number, Student Username, Student Password, Student responses to surveys/questionnaires, Student generated content, Student course grades and performance scores. If you use our products and platforms in your courses at your school, we only use your personal information in the School Data as needed to:

  • Provide you with the products, content or services selected by you, your instructors or your school and for related activities, such as customer service and “helpdesk” functions,
  • Assure academic integrity, such as in connection with investigations and anti-plagiarism program,
  • Send end-of-course surveys, and
  • Manage our everyday business needs, such as website administration, business continuity and disaster recovery, security and fraud prevention, corporate governance, reporting and legal compliance.

We will only use School Data for other purposes with the consent of your school and (if applicable) with your consent.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. AWS Web Services.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. BFW will:

  • Store PII on servers in a secured facility in the US operated by Amazon Web Services (AWS).
  • Use infrastructure built on industry-tested technology and security practices.
  • Take measures aligned with industry best practices and NIST Cybersecurity Framework Version 1.1. These measures include, but are not limited to disk encryption, file encryption, firewalls and password protection.
  • Stored all data in a password protected database with strong password requirements.
  • Run periodic penetration tests, then logs and resolves discovered issues
  • Limit access to PII and application data to people who require access in the performance of their role in providing the service.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Behavior Analysts

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 8/1/2022 – 7/31/ 2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Receiving access to PII as part of a commercial relationship wherein Vendor’s product provides the ABLLS-R Assessment for use by the NYC DOE.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Entity utilizes administrative, technical, and physical safeguards that are aligned with industry best practices to ensure the integrity and security of PII. Administrative safeguards include written policies and procedures, and training programs that ensure employees and contractors are properly prepared and understand their obligations in handling PII, as well as employee background screenings. Additionally, Entity leverages Amazon Web Services (AWS) Cloud Infrastructure to ensure the physical security of PII, while implementing technical safeguards, including full encryption of PII in rest and in transit, in this secure environment. Collectively, these policies and procedures allow Entity to mitigate data privacy and security risks.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Benchmark Education Company

The exclusive purposes for which Protected Information will be used: Benchmark Education Company collects personally identifiable information about you when you specifically and knowingly provide such information. For example, when you register, we collect such information as your name, email address, professional title, and school information. We use this information to customize the Site for your locale and to provide more relevant services. We may use the information that you provide when you register for Benchmark Universe to create your account. This allows your employees and students to log in, create a classroom within the product, and assign lessons to students.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Benchmark Education employees that are responsible for the onboarding and record-maintenance on behalf of school clients undergo through privacy and security training (FERPA, COPA), and sign a binding non-disclosure agreement.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: We do not retain your personal information for longer than is necessary to provide you with the features and services you have requested. When you request an account be deleted, we remove the data from our servers. At expiration or termination of an agreement, we remove data within 6 months from the termination date. At any time, you may request that we permanently delete personal information immediately by emailing us at techsupport@benchmarkeducation.com.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. 

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All student data collected for Benchmark Universe is stored and backed up in Amazon Web Services (AWS). All AWS servers are located inside the United States. Benchmark Education follows industry best practices for network and physical security. All data is encrypted in transit and at rest. 

How the data will be encrypted (described in such a manner as to protect data security): Pupil records are transferred to Benchmark Education via an OAUTH 2.0 over SSL security encryption. Pupil records are stored (data at rest) in a secure AWS environment and are encrypted. Benchmark Education utilizes standard SSL encryption and authentication mechanisms with sha256RSA Signature algorithms, sha256 Signature has algorithms, RSA (2048 Bits) Public Key.

  • Server authentication (1.3.6.1.5.5.7.3.1)
  • Client authentication (1.3.6.1..5.7.3.2)

Big Ideas Learning

The exclusive purposes for which Protected Information will be used: We store and process your personal information to authenticate your user's license and to grant you access to the applicable materials. We also use information we collect to analyze trends, to administer the site, and to track users' movements around the site. We also use this information to improve the site and to make it more useful to visitors.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: We contractually bind any subcontractors with access to Protected Data to the same rules we must follow.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: We will delete the Protected Information within 90 days of agreement expiration.

 [NYC DOE comment: The current agreement became effective starting on November 25, 2020 and terminates when all NYC DOE schools and/or offices cease using Big Ideas Learning, LLC’s products/services. The terms of the agreement remain effective through the period during which Big Ideas Learning, LLC possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Physical safeguards are conducted by Big Ideas Learning's contracted server hosting company, Rackspace. PDF certificates for data center infrastructure [redacted] are available upon request. Technical safeguards include (1) encrypting district data in transit and at rest using SSL (Secure Sockets Layer), (2) PII database encryption, and (3) deploying Sophos anti-virus protection and Fail 2 Ban intrusion detection. Data is stored in the United States. 

How the data will be encrypted (described in such a manner as to protect data security): User data tables are encrypted at rest and in transit.

Bloomz

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Bloomz is the unified parent-teacher communication app that increases parental engagement by connecting everyone with one easy-to-use tool. Bloomz handles ALL district, school, teacher, parent, student communication. Bloomz supports and translates into 109 different languages. Bloomz is a time saver for admins, a valuable tool for teachers, increases engagement and work ethic among students, and helps parents of all backgrounds engage in their children's education. Bloomz uses the core PII information in the following ways:

  • PII is used to map relationships of and allow for communication between parents, students and staff for a specific class i.e. math for educational purposes for progress reports, homework or additional support required from a teacher/counselor. PII may also be used for attendance and grade support.
  • Client data is handled with utmost care at Bloomz. Data is secured through role-based access. Data encryption is in place for data at rest and in motion. All the backups are encrypted by mongo and data in motion is secured through TLS based encryption. Within the application data security is ensured through role-based access restrictions and all the user passwords are stored encrypted. Customer data is never stored locally, and production access is restricted to staff with explicit approvals.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud and AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Bloomz employs a combination of administrative, technical, and physical safeguards to protect Personally Identifiable Information (PII) and mitigate data privacy and security risks. While I'll provide a general overview without compromising security, specific details are intentionally excluded to maintain the integrity of Bloomz' security practices and protocols.

Administrative Safeguards:

  • Bloomz has established strict access controls and role-based permissions to ensure that only authorized personnel have access to PII.
  • FERPA and COPPA compliance.
  • Regular training and awareness programs are conducted to educate employees about data privacy and security best practices.

Technical Safeguards:

  • Bloomz utilizes encryption protocols (TLS/SSL) to secure data during transmission, preventing unauthorized interception.
  • PII is stored in encrypted format to prevent unauthorized access even if data storage is compromised.
  • Firewalls, intrusion detection systems, and advanced threat detection mechanisms are implemented to safeguard against cyber threats.

Physical Safeguards:

  • Cloud-Based Security:
    • Data is entered into a password-protected cloud-based database that adheres to current industry standards for data security and privacy.
  • Access Control:
    • Access to Protected Information is restricted to a minimal number of authorized personnel who have a legitimate need for such access.
    • Multi-tiered authorization is implemented for accessing cloud-based service logs, ensuring that only authorized personnel can view sensitive logs.
  • Confidentiality Agreements:
    • All personnel with access to Protected Information are required to sign confidentiality agreements to ensure they understand their responsibilities for maintaining data confidentiality.
  • Personnel Training:
    • Employees receive training on data security, privacy policies, and best practices to ensure they handle Protected Information appropriately.
  • Regular Audits and Monitoring:
    • Regular audits are conducted to monitor data access and usage to detect any unauthorized or suspicious activities.
    • Logs of system access and changes are regularly reviewed for anomalies.
    • Test environments used for development and testing purposes do not contain actual Protected Information, and they operate with separate security keys to prevent accidental exposure of sensitive data.
  • Cloud-Based Security:
    • Data is entered into a password-protected cloud-based database that adheres to current industry standards for data security and privacy.

Data Privacy and Security Risk Mitigation:

  • Bloomz conducts regular risk assessments and vulnerability assessments to identify potential weaknesses in its systems.
  • Ongoing monitoring and analysis of network traffic and system logs enable rapid detection of any unusual or suspicious activities.
  • Incident response plans are in place to ensure swift and effective actions in the event of a security incident or breach.

While the above description outlines Bloomz' general approach to safeguarding PII and mitigating data privacy and security risks, specific details and methodologies are withheld to ensure that disclosure doesn't compromise the effectiveness of these security measures. Bloomz remains committed to maintaining a robust security posture while respecting the confidentiality of its security practices and protocols.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Blue Engine

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Blue Engine utilizes monthly data cycles to ensure the co-teaching model is being effectively implemented. We work with the district or school-based instructional coaches to embed effective co-teaching practices, approaches, and mindsets within coaches and teams of teachers. The student data collected (listed below) is used to measure student progress and allows Blue Engine staff to effectively support teachers in using data and facilitate data reviews with school administrators:

  • Rosters for each classroom receiving services which list student names and ID
  • Student standardized assessment scores/results
  • Student demographics including grade level, gender, race/ethnicity, ELLs, and SPED status
  • Student experience surveys

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. QuestionPro for secure uploads and Google Suite Spreadsheet for analysis.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Blue Engine uses Google’s G Suite for email and data storage. All student data will be maintained on the encrypted Google server in the US. Staff are only able to access the server using their organization accounts. All staff devices are password protected and only to be accessed by them. Two-factor authentication is required for all staff accounts. Student Data may only be shared with individuals within the Blue Engine account.

Blue Engine will respond to data privacy and security incidents in accordance with the following steps:

  • Employees must report suspected incidents that threaten the confidentiality, integrity or availability of Blue Engine’s data systems or data to the Vice President of Impact, Learning & Design and their immediate supervisor or manager.
  • If a critical incident is verified, the Vice President will convene a meeting with Senior Management.
  • Where there has been a breach of Personally Identifiable Information (PII), the CEO will be notified and will coordinate the process of compliance with notification requirements.

For purposes of this policy, a breach means the unauthorized acquisition, access, use, or disclosure of student, teacher or principal PII as defined by Education law §2-d, or any Blue Engine sensitive or confidential data or a data system that stores that data, by or to a person not. authorized to acquire, access, use, or receive the data. Blue Engine will comply with legal requirements that pertain to the notification of individuals affected by a breach or unauthorized disclosure of personally identifiable information.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

bNapkin (also called School4One)

The exclusive purposes for which Protected Information will be used: The student data or teacher or principal data (collectively, “the Data”) received by The Vendor will be used exclusively with the purpose of distributing content to students, gathering evaluation data from students, distributing teacher feedback to students, providing data visualization to administrators in The School District.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: The Vendor will ensure that all subcontractors and other authorized persons or entities to whom student data or teacher or principal data will be disclosed will abide by all applicable data protection and security requirements, including those mandated by New York State and federal laws and regulations, by not providing them with private data provided by The School District.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon termination of the Original Agreement, The Vendor will extract all data associated with the School District and deliver an archive including the database table content, table description, and associated files. This archive will be delivered by means preferred by The School District. All database records and files associated with the School District will be deleted from the production master database and all its replicas.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. A parent, student, teacher or principal can challenge the accuracy of the Data received by The Vendor by contacting support@school4one.com. An audit of the challenge will be executed, and a report, accompanied with the raw data, will be produced within 14 days from the request.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Refer above to Attachment B.

[The following is an excerpt from the vendor’s Data Privacy and Security Plan: “The School4One platform is hosted by one or more leading public cloud providers which operate data centers that are state of the art, utilizing innovative architectural and engineering approaches. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. Office Security Access to School4One’s offices in New York is controlled 24 hours a day by electronic key access. Building access is monitored 24 hours a day with staffed security during normal office operating hours. Remote Work Security Access to School4One’s servers and hosting services is controlled by a two-factor authentication, and only accessible using a secure VPN.”]

How the data will be encrypted (described in such a manner as to protect data security): Refer above to Attachment B.

[The following is an excerpt from the vendor’s Data Privacy and Security Plan: “AES-256 encryption is used for data at rest and stored in the DB.”] 

Boom Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Boom Cards are used as digital learning resources. Schools use Boom Cards to support learning and intervention. Educators who elect to collect Student Data will collect student performance data (correct/incorrect answers and time to answer) which is associated with a username, which may be pseudonymous. The purpose of the data collection is to evaluate student progress towards mastery.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., MongoDB on AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity of a data breach, Boom Learning has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed by exposure of the User Data to unauthorized persons. Safeguards include:

  • Privacy and Security by Design
  • Data Minimization
  • Data Deletion Practices
  • Adoption of the NIST Cybersecurity Framework
  • Need-to-know access
  • Annual or more frequent training for employees and vendors

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

BrainPOP LLC

The exclusive purposes for which Protected Information will be used: BrainPOP is an online educational solution that makes rigorous learning experiences accessible and engaging for all students. PII will only be used to provide the BrainPOP Products – BrainPOP, BrainPOP Jr, BrainPOP Francais, BrainPOP Espanol and/or BrainPOP ELL. PII may be provided to third parties service providers that are necessary to provide the services.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Third parties are contractually bound to practice adequate security measures and to use NYC DOE PII solely as it pertains to the provision of their services. Third parties do not have an independent right to share the data.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Prior to expiration of a subscription, NYC DOE can delete the PII at any time. If PII is not deleted, we will retain the information for up to ninety days after expiration of the contract. The [agreement with] NYC DOE starts 4/22/2021.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing requests for copies of PISI and challenges to the accuracy of student data in the custody of the Recipient. Such requests or challenges should be directed to studentprivacy@schools.nyc.gov.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PII will be stored in the US. We maintain best industry standard security practices. Our servers are located in a secured, locked and monitored environment to prevent unauthorized entry or theft, and are protected by a firewall. The server is backed up daily to a secure, US based off-site data center. We apply SSL or HTTPS encrypting technology to establish and ensure that all data passed between the server and browser remains encrypted. Only limited personally have access to the database and personnel only access it when necessary to provide the services. Personnel with access pass criminal background checks at least once per year. We follow standardized and documented procedures for coding, configuration management, patch installation, and change management for all applicable servers and we audit our practices at least once a year. 

How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted at rest (AES 256) and in transit (SSL).

Braintrust Tutors

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We provide live, synchronous, high dosage academic tutoring services for students in Grades K-12, either one-on-one or in small groups of 2-4 students, both in person and online, primarily focused on accelerating foundational reading and math skills. We collect limited student PII in connection with the delivery of our services, including student name, email, and grade.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and Pencil Spaces.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Braintrust Tutors limits the collection of personally identifiable information ("Student PII") to ensure the privacy and protection of each student we serve. Braintrust Tutors stores Student PII in databases and on servers powered by Amazon Web Services ("AWS"), one of the leading and most secure cloud computing environments, behind multiple layers of electronic safeguards. Braintrust Tutors protects Student PII in the course of business through various means, including by implementing secure user authentication protocols, secure and limited access control measures, data encryption on public networks, and more. Braintrust Tutors restricts access to NYCDOE Student PII other than to NYCDOE, and Braintrust Tutors employs various encryption techniques for NYCDOE Student PII provided to NYCDOE (e.g., password protection, exclusion of student last names, etc.).

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Branching Minds

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices. 

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Branching Minds Platform (the “Platform”) is a web application for use by teachers and administrators. The Platform supports all aspects of a district’s Multi Tiered System of Supports intervention work and system. The Platform helps teachers follow the best practices of problem-solving work efficiently, effectively, and collaboratively from the start, saving time and effort while improving outcomes for all students.

PII collected on the Platform is used solely:

  • To provide contracted educational services. For example, the Platform collects information about a student’s English language proficiency in order to determine the best learning interventions to recommend for that student.
  • To conduct statistical research. Any data used for this purpose is de-identified (made anonymous by removing all personally identifiable information). This research helps us evaluate the effectiveness of the Platform and improve our product.
  • For compliance and protection reasons. We may need to use data to comply with applicable laws, our internal policies.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All information collected on the platform, including Student Personally Identifiable Information, is safeguarded through administrative, operational and technical safeguards around the AICPA Trust Service Principle Security as part of the System and Organization Controls (SOC) 2 Report, under the direction of a dedicate Director of Security Operations. Safeguards include:

  • Software Security: We implement privacy and security practices which are compliant with FERPA and COPPA. Our Districts and their users, however, must use secure practices to help achieve comprehensive protection of student personal information as well.
  • Data encryption: We encrypt personal information in transit and at rest.
  • File transfer protocol: We use File Transfer Protocol (FTP) over secure (SSL/TLS) cryptographic protocol to transfer personal information.
  • Firewalls: We utilize stateful firewalls, network access control lists, subnetting and virtual private cloud networks to segment and protect our information resources.
  • Proactive Defense: We utilize antivirus software, intelligent threat detection, and enhanced detection and response software to protect our systems. Policies prevent users from disabling antivirus and enhanced detection & response software on company computers.
  • Data storage provider: We store all our data and host the Platform at off-site facilities which are managed by Amazon Web Services (AWS) at their United States data centers. AWS secures our data using a variety of measures, including: (a) housing the data centers in nondescript facilities; (b) strictly controlling physical access both at the perimeter and at building ingress points by professional security staff utilizing video surveillance; intrusion detection systems, and other electronic means; (c) requiring authorized staff to pass two-factor authentication a minimum of two times to access data center floors; (d) requiring all visitors and contractors to present identification, sign in, and be continually escorted by authorized staff; (e) limiting access and information to employees and contractors who have a legitimate business need for such privileges; (f) revoking access privilege when an employee no longer has a business need for these privileges; (g) logging and routinely auditing all physical access to data centers by AWS employees; (h) encrypting all access to the information within the Platform stored on these servers; (i) encrypting user passwords; and (j) securing all data stored with AWS behind a firewall.
  • Security audits: We conduct internal and third party security audits and code reviews.
  • Secure programming practices: Our software developers are aware of secure programming practices and strive to avoid introducing errors in our application (like those identified by OWASP and SANS) that could lead to security breaches.
  • Account protection and identity verification: We support account authentication and identity verification exclusively through single sign-on technologies and protocols, such as SAML.
  • Facility security: Our facilities are located in the continental United States. Physical access to our facilities is protected by electronic access devices, with monitored security and fire/smoke alarm systems.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Brooklyn Bureau of Community Service (also called Brooklyn Community Services)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: Extension is from 7/1/2023 – 6/30/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The LTW program provides student support, guidance, evaluation, assessment, and planning. As such, the program needs to be able to access PII for the purposes of registration and enrollment, attendance and other tracking, communication, and associated needs.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Apricot 360.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We will follow our HIPAA and DOE’s guideline policies and procedures to safeguard the data. We do not store student data in Google drive. We use https to connect to our data. We use secure VPN to access data. All computers and laptops are encrypted. All documents are sent encrypted with strong passwords.

Student PII collected by LTW on enrollment is:

  • State or school ID
  • Social security card and/or number
  • Birth certificate
  • Tax information, financial information (i.e. for direct deposit)
  • Address and contact information

Student information collected during the course of student time with the program:

  • Grades and academic status
  • Interaction and case notes
  • Medical information in select cases, e.g. a doctor's note to excuse absence
  • Timesheets and attendance

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Brooklyn College Community Partnership

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2022 – 6/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Community schools collaborate with Lead Community-Based Organization (CBO) partners to create welcoming, supportive environments that help students navigate barriers and build on strengths so that every student can thrive academically, socially, and emotionally.

Community School Lead CBOs use student level data to ensure the right students are getting the right services at the right time. Through collaborative leadership between schools and CBOs, the information is utilized to support family engagement, expanded learning time and wellness and integrated student supports such as mental health services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Rackspace cloud services provider.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data at rest remain stored under secure conditions at all times, All electronically stored data reside on a password protected area of our server, which is backed up regularly. The server is protected by 15 separate firewalls, and is continually scanned by malware protection software. When in transit, confidential data are encrypted and transferred using secure File Transfer Protocol (FTP) account. Upon disposal, printed materials are shredded and electronic files are securely deleted.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

buildOn

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 9/1/2023 – 9/1/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. buildOn will work with partnering schools providing year-round specialized service learning programming, including during school breaks and summer vacations. Program activities include in-class service projects, after-school, weekends, school holiday programming, as well as school-wide service days. All programming follows buildOn’s IPARD service-learning framework: Investigation, Preparation, Action, Reflection, and Demonstration.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. buildOn implements and maintains reasonable physical, administrative, and technical safeguards designed to safeguard PII in accordance with applicable law and the NIST Cybersecurity Framework. These safeguards include asset management, access controls and identity authentication, encryption, personnel training, and least-privilege functionality. buildOn engages in a risk assessment in accordance with the NIST Cybersecurity Framework to identify areas of improvement to improve its security posture to ensure PII is adequately protected. buildOn also maintains a written information security program and incident response plan to provide clear guidance to personnel.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

CAMBA, Inc (Community Schools)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term:

  • PS 306 and PS 1998: 7/1/2021 – 6/30/2024
  • Forsyth Satellite Academy: 7/1/2022 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

PS 306 and PS 1998: CAMBA’s Community Schools program helps students succeed by offering academic enrichment, along with programs to improve school culture, engage families, and connect students with other nonprofit and public support services to ensure their success. In order to assist these students, CAMBA collects PII to better understand student needs, to stay in contact with the student, and to track outcomes of CAMBA’s work. CAMBA uses the collected data to provide academic and student support, social and educational development, middle school advising and preparation, skills development, and alumni services. CAMBA also uses the data to conduct follow up with graduates after graduation to assist them in maintaining their continuing success, and provides DOE with historical information on outcomes to further improve the on-going services.

Forsyth Satellite Academy: CAMBA’s Community Schools program helps students succeed by offering academic enrichment, along with programs to improve school culture, engage families, and connect students with other nonprofit and public support services to ensure their success. In order to assist these students, CAMBA collects PII to better understand student needs, to stay in contact with the student, and to track outcomes of CAMBA’s work. CAMBA uses the collected data to provide academic and student support, career and educational development, college advising and preparation, work preparation, skills development, alumni services, and paid internships. CAMBA also uses the data to conduct follow up with graduates after graduation to assist them in maintaining their continuing success, and provides DOE with historical information on outcomes to further improve the on-going services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

If granted permission by DOE, CAMBA will remove any identifiers from student data making it no longer PII, and maintain the de-identified data in order to continue reporting on historic outcomes and tracking outcomes for improvement of on-going services.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Eccovia Solutions, Inc, and using an Entity-owned and/or internally-hosted solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CAMBA’s polies are designed to ensure that PII is protected. All student files are maintained in locked filing cabinets in the program offices. Access to student files and information is limited to staff with a need to have such access. Electronic PII is kept in a secure database that is segregated from CAMBA’s agency-wide client management system, and only staff with specific permission can have access to information in the database. Mandatory training is provided to all staff on the requirements and importance of the agency’s confidentiality policy. Student information, records, and data are not disclosed by CAMBA to any person, organization, agency, or other entity except as authorized by law or appropriate consents. CAMBA’s database management systems supports the creation of user accounts, roles, user group security, and permissions based on programs’ protocols. CAMBA maintains student data confidentiality by creating the specific workgroups and security organizations in database systems. CAMBA practices Universal Precautions/Standard Protocol & Procedures and compliances with any and all Federal, State, City, and CAMBA confidentiality, privacy, and security laws. CAMBA uses appropriate safeguards to prevent us or disclosure of the PII and implements administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

CAMBA, Inc (Learning to Work)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CAMBA engages in joint review of student data, both personal and academic, with both NYC DOE and CAMBA staff who work with our students. The Learning to Work Program [at a Transfer School at Brooklyn Academy and for Young Adult Borough Centers (YABC) at Franklin K. Lane] utilizes data monitoring tools and surveys created by DOE and CAMBA’s Data, Assessment, Research and Evaluations (DARE) department to track student attendance and progress. The results from these data monitoring tools and surveys provide the Learning to Work program, Principal, and school administration with the information necessary to create goals and establish areas of focus. Qualitative data is essential to our understanding of what is working well and what needs improvement.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. Upon expiration or termination of the contract for any reason, CAMBA shall return or destroy all PII received from DOE or created by CAMBA on behalf of DOE and certify in writing to such return or destruction. This provision shall apply to PII that is in the possession of CAMBA’s subcontractors. CAMBA shall retain no copies of the PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; and using an entity-owned and/or internally hosted solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CAMBA’s policies are designed to ensure that client information is protected. All client files are maintained in locked filing cabinets in the program offices. Access to client files and information is limited to staff with a need to have such access. Electronic information is kept in a secure database that is segregated from CAMBA’s agency-wide client management system, and only staff with specific permissions can have access to information in the database. Mandatory training is provided to all staff on the requirements and importance of the agency’s confidentiality policy. Client information, records, and data are not disclosed by CAMBA to any person, organization, agency, or other entity except as authorized by law. Our database management systems supports the creation of user accounts, roles, user group security and permissions based on programs’ protocols. We maintain clients’ data confidentiality by creating the specific workgroups and security organizations in database systems. We practice Universal Precautions/Standard Protocol & Procedures and comply with any and all Federal, State, City and CAMBA confidentiality, privacy, and security laws, specifically including, but not limited to, HIPPA. We use appropriate safeguards to prevent use or disclosure of the PII and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentially, integrity, and availability of the electronic PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Canva

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 6/12/2023 – 6/1/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Canva for Education – an online design tool used by students, teachers, and staff to design a wide array of products, including presentations, posters, websites, videos, and much more. The software allows an authorized user to create from scratch or use a library of templates, photos, videos, and other media, through the use of digital design tool elements. Basic user information, including PII such as the user’s first and last name, plus District-issued email address, is required for SAML-based Single Sign On (SSO); allowing the District to centrally control and manage access.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

  • Measures of pseudonymization and encryption of personal data: Canva encrypts Data transmitted between customers and the Canva application over public networks using TLS 1.2 or higher. Customer Data stored on Canva’s servers is encrypted using AES 256 or stronger.
  • Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: Canva has personnel responsible for oversight of security and privacy. It has appointed Heads of Security, Privacy and Data, together with an Information Security Committee that meets quarterly to discuss privacy and security risks managed in its risk registers.
  • Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: In order to support availability of the service, Canva utilizes Amazon Web Services (AWS) auto scaling, AWS availability zones, extensive application and infrastructure monitoring, and 24x7 application support rosters. Canva maintains backups of the data stores, including Customer Data, that support the core functionalities of the Canva application. Backups are stored in a location geographically-separated from the primary data storage location. Canva maintains a security incident response capability that includes a documented Personal Data Incident Response Plan for security incidents involving Data. This defines how we contain, respond, assess, communicate incidents, as well as roles and responsibilities of Canva personnel and a requirement for post-incident reviews.
  • Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing: Canva engages a specialist third-party security tester to perform an annual penetration test of its application and infrastructure. Canva also employs a third-party application vulnerability scanning service and runs a public bug bounty program.
  • Measures for user identification and authorization: Where a Customer’s account contains a password for authentication, Canva stores the password salted and hashed using an industry-standard password hashing function. Canva supports Single Sign On (SSO) integration with a customer identity provider using Security Assertion Markup Language (SAML).
  • Measures for the protection of data during transmission: As per item 1, Canva encrypts Data transmitted over public networks between customers and the Canva application using TLS 1.2 or higher.
  • Measures for the protection of data during storage: As per item 1, Customer Data stored on Canva’s servers is encrypted using AES 256 or stronger.
  • Measures for ensuring physical security of locations at which personal data are processed: The service is hosted and Data is stored within data centers provided by Amazon Web Services (AWS). As such, Canva relies on the physical, environmental and infrastructure controls of AWS. Canva periodically reviews certifications and third-party attestations provided by AWS relating to the effectiveness of its data center controls.
  • Measures for ensuring events logging: Canva maintains application and infrastructure security audit logs. Audit logs are analyzed to detect anomalous activity.
  • Measures for ensuring system configuration, including default configuration: Canva hardens its server infrastructure using a hardening standard based on a common industry standard. Canva applies security patches to its servers in accordance with its Vulnerability Management Procedure.
  • Measures for internal IT and IT security governance and management: Canva staff access to Customer Data is role-based and follows the principle of least privilege. Staff are only provided with sufficient access to Customer Data to be able to discharge their responsibilities effectively. Remote network access to Canva systems requires encrypted communication via secured protocols and use of multi-factor authentication. Canva has established and will maintain procedures for password management for its personnel, designed to ensure passwords are personal to each individual, and inaccessible to unauthorized persons, including at minimum:
    • cryptographically protecting passwords when stored in computer systems or in transit over the network;
    • altering default passwords from vendors; and - education on good password practices.
  • Staff access to production infrastructure requires multi-factor authentication (MFA). Canva staff are subject to confidentiality obligations and a Personal Data Handling Policy. Canva requires its staff to undergo information security awareness training, both at the commencement of their employment and then annually thereafter. Canva also requires its staff to undergo privacy law training annually (including to comply with COPPA and FERPA in respect of student data). Canva has implemented privacy by design, including but not limited to, privacy impact assessments.
  • Measures for certification/assurance of processes and products: Canva will maintain an ISO 27001 certification, undergoing periodic external surveillance and recertification audits to ensure that its Information Security Management System (ISMS) meets the requirements of this standard. Canva will maintain an information security policy that meets the requirements of the ISO 27001 standard, an internal audit program that assesses Canva’s ISMS and information security controls, and a management committee that is responsible for oversight of Canva’s Information Security Management System (ISMS).
  • Measures for ensuring data minimization: Canva allows visitors to use certain functionalities of its platform anonymously and minimizes the Data it requires from Customers to only what is necessary to provide the service requested.
  • Measures for ensuring data quality: Canva ensures the quality of its data through verification of emails that sign up to the canva.com platform. Canva also allows users to update the information in their accounts themselves or via requests to its customer support function, the Customer Happiness Team.
  • Measures for ensuring limited data retention: Canva maintains a Data Retention Policy setting out the retention periods for various types of data based on legal requirements, justified interests of Canva and the purposes of collection.
  • Measures for ensuring accountability: Canva has designated local representatives in Europe and the United Kingdom. Canva’s local representative in the European Economic Area is European Data Protection Office (EDPO) with registered address at Avenue Huart Hamoir 71, 1030 Brussels, Belgium. Our local representative in the United Kingdom is European Data Protection Office UK (EDPO UK) with registered address at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom. Data Protection Impact Assessments are carried out for high risk processing activities and Canva maintains records of its processing activities.
  • Measures for allowing data portability and ensuring erasure: Canva has an automated process for deleting Customer Data on request within 28 days and enables the download Customer Data to provide to alternative service providers.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Canvas Institute

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 1/15/2023 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. This program will deliver Compassionate Systems tools and Practices to students including social emotional learning and well-being education/guidance.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Vendor selected “Other: No PII will be stored in a database. Any information such as surveys will not have students full name, address or personal information that can compromise their identity.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The program is taking place in person. No personal information will be uploaded or stored in any data base. Any surveys that administration will have access to will not have any student identifiers on them that can pose a security risk to the students or the school.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

CAPIT Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CAPIT Reading provides teachers with a lesson plan and a phonics curriculum that teaches students to read and spell. [Information collected: Student first name, last name, username, password, student ID, grade, class, teacher, school, and district.]

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CAPIT collects only the information necessary to deliver its services and ensure students learn to read. This data is never stored on personal devices, never emailed or sent from one user to another, or made accessible to anyone other than those who are directly involved in delivering or aiding in the delivery of student instruction. All data is encrypted and stored on AWS cloud services. All CAPIT employees and subcontractors are made aware of our security and privacy practices and must agree to abide by them.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

CareerSafe

The exclusive purposes for which Protected Information will be used: Student name and course completion information is used to process course completion wallet card from the U.S. Department of Labor, OSHA.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: As an OSHA-Authorized Provider, CareerSafe is required to provide student data to OSHA. We are contractually obligated to provide student name and course completion information to OSHA for the purpose of providing students with an OSHA completion card. OSHA, as part of the U.S. Department of Labor, complies with Federal data security standards. No student data is shared with any other organization or individual. 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Student completion records will be maintained for five years, after which, CareerSafe will destroy and delete all the data in its entirety in the manner that prevents its physical reconstruction. 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: In accordance with their contract, CareerSafe will work with the NYC DOE in processing challenges to the accuracy of student data in CareerSafe’s custody. 

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All at rest data is FIPS 140-2 compliant / certified process used to encrypt the student data while at rest on the application database. Student data is stored in/on an application database, located in the Amazon Web Services hosting facilities. The back-up data is presently stored on site in a secured storage unit. No data is store outside of the US. All data is fully encrypted to an AES 256 bit standard at rest and while in transit. All network devices and storage units are restricted to only be access by administrators. 

How the data will be encrypted (described in such a manner as to protect data security): All data is fully encrypted to an AES 256 bit standard at rest and while in transit.

CareerWise

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CareerWise New York is a youth apprenticeship system based in New York City. CareerWise New York offers a three-year applied-learning environment for high school students and an innovative talent-acquisition strategy for businesses. With apprenticeship, students earn debt-free college credit and nationally-recognized industry certifications through their work experience in fields such as IT, financial services, and business operations…all while graduating high school on-time.

We are trying to offer youth apprenticeships in high growth areas such as health care and technology to high school aged students. We hope to use this software to facilitate the hiring of students into apprenticeships.

We use this software as a means of managing our youth apprenticeship programming such as supervisor training, apprentice training, recruitment, and hiring. We also use this software for case management, relationships management, and communications management. It is what allows us to be an effective intermediary between industry and education. Through this system we can post available apprenticeships, recruit students, and communicate to both employers and school staff where students are at in the process. Students can create profiles, search through job descriptions and apply. They can also see how close an apprenticeship is to their home or school. Teachers and counselors can manage a caseload of students who are interested in apprenticeship, provide feedback on their profiles and applications, and have the final say in terms of approving students and ensuring that they are eligible to apply. CareerWise staff can use the system to provide feedback, offer application support and interview preparation to students. We can use this information to track progress on a school by school basis which allows us to assist schools at an individual level.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII information is only accessible to the staff that need access to the information. Any staff who do not need to see the PII information for their jobs will not be able to access this information through encryption and access restrictions.

CareerWise has implemented data security measures to monitor the data on a regular basis to ensure the data is protected from unauthorized users. For any incident that is reported CareerWise has an incident response coordinator to assemble the data that is affected and communicating to specific parties and incident response handler to analyze evidence so the incident can be resolved. CareerWise will manage incidents with phases defined in NIST SP 800-61 of preparation, detection, containment, investigation, remediation, and recovery.

If someone requests the deletion of PII information, CareerWise will take the proper steps in deleting all personal information from our cloud based Customer Relationship Management software, cloud storage, back ups, and the learning management system.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

CareMonkey 

The exclusive purposes for which Protected Information will be used: CareMonkey is used by schools to send consent and other school forms and collect responses from parents/guardians and/or staff members. It is also used for internal approval processing such as a field trip being approved. PISI is used to know who to send notifications to, e.g., an email notification to a parent to tell them there is a new consent form they need to sign, or an email notification to a school principal informing them there is a field trip to approve. The system uses basic information about students, parent contacts, classes (roster) and staff so that forms can be delivered to the right people or parents of a class.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Note, we have no sub-contractors. Our support services are provided by our own team.

  • CareMonkey follows the principle of “Least Privileged Access” whereby user accounts are provided the most restrictive access necessary to perform the required business function.
  • Access to data is restricted depending on job roles and all access is tracked.
  • As part of our Information Security Program we maintain a systems access register.
  • Access to sensitive data is restricted to those few with a need to know and must be approved by management.
  • Access accounts have username and passwords with Two Factor Authentication (2FA).

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The NDA will apply for each school upon signing up to CareMonkey. The NDA will end for each school when they close their CareMonkey account. Schools can close their account and delete their data at anytime. The data is immediately no longer available after deletion. Backups are retained for three years. Note that after closing their accounts schools can choose to retain their data in archive only mode for as long as required. [NYC DOE comment: The current agreement became effective starting on August 6, 2019 and terminates when all NYC DOE schools and/or offices cease using CareMonkey Inc’s products/services. The terms of the agreement remain effective through the period during which CareMonkey Inc. possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. However, please note, that the data is entered by the parent (re parent forms) and entered by the staff member (re staff forms) so this type of scenario is unlikely. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): CareMonkey’s physical infrastructure is hosted and managed within Amazon’s secure data centers, utilizing Amazon Web Services (AWS) technology.

  • AWS data centers are state of the art, utilizing innovative architecture and engineering approaches. AWS provides a highly reliable, scalable and secure infrastructure platform that powers hundreds of thousands of businesses in 190 countries across the world.
  • Your data is stored on servers in your region and will never be stored outside of that region. Hence, United States User data is stored in the United States.

How the data will be encrypted (described in such a manner as to protect data security):

  • CareMonkey uses the highest standards in Internet and data security. 
  • Data is always encrypted at rest and in transit.
  • Our security layers include strong cryptographic implementations (such as 256 bit encryption, 128 bit data encrypted SSL systems using Advanced Encryption Standards) and defensive-in-depth network protection (with multiple firewalls, intrusion prevention appliances, and active monitoring systems).

Castle Software

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Very basic student and teacher rostering information is collected by the Castle Learning application for establishing logins to the application and to securely link students to the appropriate teachers/classrooms. The application provides test item content and supplemental content teachers may assign to students for student learning and assessment for academic progress in core subjects.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The data is stored in SOCII compliant data centers within the US. All data in transit is encrypted to industry standards (TLS 1.2), sensitive data is encrypted at the column level in the database, only authorized staff with a need to access the data to provide the service have access and the network environment is scanned weekly using a third party scanning service. Additionally, Castle Learning uses a Web Application Firewall to further protect the system.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

CCI Learning Solutions Inc (Jasperactive)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 3/2022 – 3/26/2026

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Jasperactive is a web-based learning product designed for Microsoft Office with tailored exercises for Word, Excel, and PowerPoint, Outlook and Access. Students are delivered a Benchmark, Lessons and Create Exercises. The primary purpose of Jasperactive is to teach the students the required fundamentals to pass the Microsoft Office Certification exams.

Type of PII that the Entity will receive/access: Student PII

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CCI Learning Solutions Inc. is committed to protecting users’ privacy and PII and developing technology that gives users’ the most powerful and safe online experience. We safeguard PII through a combination of policies, procedures, training, segregation of duties and robust systems, security and technology. We mitigate data privacy and security risks by following and adhering to industry protocols, standards and practices, employing up to date technology, training and segregation of duties and user access controls.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. The vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Center for Educational Innovation (CEI)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CEI supports school leaders and educators collaboratively with community members, families, nonprofit organizations, and students to implement the community school model as an equity strategy. CEI’s team of experts provides technical assistance, capacity building, family engagement, and youth development programs in the arts, STEM education, Esports, academic support, character education, and the early stages cultural experiences under our signature program Project BOOST(Building opportunities and options for students). PII is necessary to track attendance in CEI programs and activities, including mental health support.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data)

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: CEI is not storing data, therefore no data needs to be destroyed.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CEI Community Schools Directors will use locked offices and file cabinets, when possible, to ensure that hard-copy documents containing PII are protected. At no point will the hard-copy documents leave the school site, in an effort to minimize risk of unauthorized disclosure. Access to PII will be limited to the CEI Community School Directors.

Any data used for analysis by CEI Community School Directors (CSD) shall be viewed, processed, and stored on NYCDOE provided devices and cloud storage under the purview of the NYCDOE’s acceptable use policies and requirements. At no time will any CBD transfer, share, submit or provide access to any data that is located on NYCDOE devices or cloud storage.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Center for Family Life in Sunset Park

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. Center for Family Life’s comprehensive, school-based integrated services include whole classroom work to support students’ social emotional development; crisis intervention, counseling, case management and access to a full range of additional supports and referrals to community-based services; professional development and training for school staff; and support for school-wide, community-building initiatives engaging students and families. Our current program models for collaboration with DOE teachers and students during the school day include: 9-11 advisory & 12th grade internship programs at Sunset Park High School; interdisciplinary arts/social emotional learning at MS 136/MS 821; and success mentoring/attendance improvement initiatives. We are receiving or accessing PII so that we may effectively assess and appropriately respond to student needs. Additionally, PII enables us to provide comprehensive supports and services to the students and families in our partner schools, as needed.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Microsoft 365 – OneDrive/SharePoint.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

  • Microsoft Defender for Office 365 has been configured to provide secure use of all email communications. OneDrive and SharePoint services provide both at-rest and in-transit data protection.
  • Multifactor Authentication is enabled on every account. Multifactor authentication (MFA) is a security technology that requires multiple methods of authentication from independent categories of credentials to verify a user's identity for a login.
  • N-Able Remote Monitoring and Management allows us to remotely monitor desktops, laptops, and servers across a variety of operating systems. We can monitor network devices, switches, firewalls, routers, and more using SNMP. This also assists in preventing cyberattacks, perform routine maintenance, and update devices remotely with automated patch management. The managed antivirus features allow us to remotely push out and protect our devices against known viruses and malware. BitDefender Antivirus works against all e-threats, from viruses, worms and Trojans, to ransomware, zero-day exploits, rootkits and spyware.
  • CFL assures all physical devices used for transmitting confidential data are always in a secure location.
  • Security Breach Response
    • Notify Center for Family Life Response Teams
    • Engage Tech Alliance, outside IT Security Consultant, if needed, depending on severity
    • Secure network, computer and cloud solution systems
    • Determine the nature, content and extent of the breach – (I.e., exactly what was breached)
    • Update all data breach protocols
    • Test to make sure new cybersecurity defenses work
    • Let CFL's employees (& Clients if applicable) know about the data breach
    • Notify the NYC DOE of any breach or unauthorized release of PII in the most expedient way possible and without unreasonable delay but no more than seven calendar days after the discovery of such breach
    • Cooperate with the NYC DOE and law enforcement to protect the integrity of investigations into the breach or unauthorized release of PII
    • Pay for or promptly reimburse the NYC DOE for the full cost of parental notifications, where a breach or unauthorized release is attributed to the TPC
    • As a DOE partner, Center for Family Life will comply with all provisions of the Data Privacy/Security Policy for Schools and Offices as posted on the DOE website, including Compliance with Law and Policy, Restrictions on PII Use, and Data Privacy and Security Practices

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Center for Supportive Schools

The exclusive purposes for which Protected Information will be used: Center for Supportive Schools (CSS) serves as a Lead CBO under the Community School initiative to provide community school services at awarded partner schools. In addition, CSS under a sub-contract agreement with the Board of Education of the City School District of the City of New York also supports the NYS Integration Project – Professional Learning Communities (NYSIP-PLC).

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: In entering data agreements with schools and school districts, CSS agrees and adheres to the below general protocols:

  • Receive data through secure sites, as requested by the partner school and/or district.
  • Maintain data security throughout use, by restricting data access to vetted individuals and keeping data stored on password protected devices. CSS will communicate with the appropriate parties within 24 hours should a breach occur.
  • Maintain additional server security through a partnership with SureTech/IVIONICS, a cloud IT service company that provides data and hardware security through anti-virus protection software, Total Network Defense (TND) and SNAP Monitoring (a malware and instruction monitoring and alert system).
  • Destroy any data within an agreed upon/appropriate timeline.
  • Share only aggregate reports of non-identifiable data with staff and external audiences.
  • Community with data sender post-analysis, if requested, to share analyses.
  • Review these protocols annually to ensure proper adherence and adjust where necessary.
  • Maintain team awareness of applicable federal and state laws that govern the confidentiality of personally identifiable information.
  • Remain subject to any applicable law, most prominently, FERPA and HIPPA regulations.

In addition to the above safeguards in place, CSS also commits to managing its authorized users (including subcontractors) as follows:

  • Timely and appropriate training for any and all authorized users to understand CSS data protection policies and NYC DOE contractual requirements. Consideration is being offered to the Board that all authorized users sign a training document that ensures understanding and compliance.
  • The Director of Contracts & Compliance will work with the IT/System Administrator to ensure compliance of data protection and security.
  • Access to the raw data is restricted internally at CSS to members of CSS’s Evaluation Team, the Regional Executive Director, and the CEO. Only these individuals will have access to the credentials that will allow them to access the data files and they will use the data files only on their password protected computers.
  • Data will only be sent through the secure FTP site (Box.com). All transmission of data via the FTP site will be encrypted.

CSS acknowledges the responsibility to ensure compliance with the confidentiality provisions of the Family Educational Rights and Privacy Act of 1974 (FERPA 34 CFP 99) and the Code of Maryland Regulations (13A.08). CSS acknowledges that any unauthorized disclosure of confidential student information is a violation of FERPA and shall not be permitted to occur.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon completion, and/or termination, of this agreement with NYC DOE, CSS shall certify that Protected Information has been surrendered or destroyed in accordance with this Rider via the "Certificate of Records Disposal" form attached to this Rider as Exhibit D. Any and all measures related to the deletion, destruction or disposition of Protected Information will be accomplished within 90 days upon expiration of the agreement. CSS agrees to utilize an appropriate method of confidential destruction, including shredding, burning or certified/witnessed destruction of physical materials or verified erasure of magnetic media using approved methods of electronic file destruction.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, CSS will work with the NYC DOE to process requests for copies of, and challenges to the accuracy of, Protected Information in the custody or control of the Contractor. Such requests will be directed to studentprivacy@schools.nyc.gov.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): No Protected Information will be stored outside the USA. CSS policies ensure that secure data is housed on protected and secured platforms. All computers that host these platforms are protected through passwords and a secure and virus protected network. CSS understands the importance of data security. We do not request data that is not necessary for our work and when we do, it is housed appropriately. PII data is NEVER stored on personal equipment.

How the data will be encrypted (described in such a manner as to protect data security): CSS understands that data encryption helps to keep data safe and compliant and provides extra security against unforeseen mishaps. CSS has hired a full-time IT System Administrator that has begun reviewing data management policies and identifying a high-quality data encryption strategy which identifies data needed to manage encryption keys and block unauthorized access to company data.

When data is stored or when accessed (by authorized staff) it is done securely within the Data Protocol Framework which includes: data management, ethical walls, privileged user monitoring, sensitive data access auditing and secure data trail tracking.

CSS utilizes a complex cipher to make data unreadable to third parties. The encryption strategy incorporates technologies that defend data in all three of its states:

  • Data at Rest: this is data located in data storage areas or within various devices, including authorized CSS and school staff.
  • Data in Motion: this is data that is being transmitted from one endpoint to another across a network. This includes local LAN and WWW.
  • Data in Use: this is when data is being actively accessed by a credentialed user.

CSS understands that developing a solid encryption strategy is a long-term, collaborative process that includes IT, operations, and management stakeholders. CSS continuously identifies high-value data and regulatory requirements and has processes in place to identify and prioritize the most sensitive or valuable data for encryption. A new IT Director is in place to ensure critical data security, implement access controls and properly train all staff on data security policies and procedures. CSS also works with a cybersecurity firm to ensure data lifecycle management.

Central Family Life Center

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. The Central Family Life Center will be conducting services associated with Project Pivot, which will include counseling, mentorship, mediation, and restorative services for students. As such, it is reasonably expected that PII will inform select activities, practices, and approaches implemented through the work of counselors, mentors, and mediators serving on the Project Pivot contract.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYCDOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using an Entity-owned and/or internally hosted solution.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CFLC will collect and disclose students’ PII only as necessary and only for educational purposes. The organization commits to ensuring that all administrative files and protected documents are stored and protected by password protection, and any physical files containing information will be stored securely in a locked filing system. The organization further commits that access to any/all files containing PII is restricted and made available to only those staff and/or affiliates who have a need for utilizing such data/information in the course of their implementation of program activities. All staff and affiliates, including subcontractors, if/as applicable, will receive comprehensive training in data privacy and security, including applicable laws, policies, and safeguards associated with industry standards and best practice; the policies, practices, and protocols of the organization; and all policies and regulations established by DOE and the related/relevant contract.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

CEV Multimedia

 Type of Entity: Commercial Enterprise

Contract / Agreement Term: September 2023 – September 2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. NYCDOE is using iCEV CTE curriculum to prepare students for taking certification exams in several subjects. Including pre-med electives: medical terminology, anatomy & physiology, and medical assisting. The district will provide basic roster related PII as they need to manage their classroom roster and records in the solution. This includes at the district’s discretion PII such as the teacher and student first name, last name, email address or UPN.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Simpatico Systems US based and certified data centers in Dallas and Los Angeles.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Administrative access to PII is limited to named privileged authenticated users required to support the services that the DOE has contracted.  NIST CSF policies and procedures are followed to provide the service. Sharing of PII is limited to what is required to provide the services and confidentiality agreements are in place to protect DOE data. Team members are provided cybersecurity and data privacy awareness training throughout the year with training. Systems are hosted in US based, certified, and secure hosting environments.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology."

Changing Perceptions Theater

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. Participants learn to write and perform original dramatic works such as monologues, short plays and full length-plays for their school community and families. Participants will see professional plays performed in New York City. PII will be utilized to contact parents regarding trips, emergencies, program updates, invitations to events and to keep enrollment or attendance lists, and progress reports.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYCDOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Google Cloud and "if there are physical attendance sheets they will be kept in a locked and secure space at the school that is agreed upon by the school administration and CP.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

  • A child’s PII will be collected and disclosed only as necessary to achieve educational purposes in accordance with state and federal law.
  • A centralized staff person is responsible for supervision and monitoring appropriate safeguards, policies, and practices in place to protect the data.
  • Staff will participate in mandatory 2-part training about applicable laws, policies, and safeguards associated with industry standards and best practices; consistent with NYC DOE’s data security and privacy policy.
  • Encryption, firewalls and password protection will be mandatory for all emails and cloud usage to electronically transmit sensitive PII information.
  • CP will not maintain copies of participant’s PII once PII is no longer needed for the educational purpose/ for which the DOE has disclosed PII to CP.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Children’s Aid Society

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2022 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. In accordance with FERPA, Children’s Aid agrees that to the extent that the services provided relate to the processing of protected information, the services are for Children’s Aid to perform an institutional service or function for which the BOE would otherwise use its employees.

The services being provided are the continuation of Community School services previously funded through 21st Century Community Learning Center grants that expired on June 30, 2022. Community Schools emphasize family engagement, characterized by strong partnerships and additional support for students and families designed to counter environmental factors that impede student achievement. While some of the specific attributes of a community school program vary based on the needs of its respective community, all Community Schools share three foundational pillars:

  • A rigorous academic program with strong supports to prepare all students for college, careers, and citizenship, and that supplements quality curriculum with expanded learning opportunities that keep students engaged, coupled with high levels of accountability for results;
  • A full range of school-based and school-linked programs and services that, based on a needs assessment of the community, address the comprehensive needs of students and their families and that work with families as essential partners in student success; and
  • Partnerships that demonstrate collaboration with the local community, including by engaging families and other community stakeholders and drawing on a broad set of resources, incorporating local and State government agencies, non-profit service providers, institutions of higher education, and the philanthropic and business communities in order to extend the impact and depth of services and programs.

It is important to emphasize that Community Schools do not seek to duplicate effective services that already exist in their communities; rather, through partnerships, these schools leverage existing high quality programs and assets by linking them to the school and providing robust services to students and their families.

Children’s Aid uses protected information to provide the following required Expanded Learning and Enrichment Activities:

  • in coordination with the Principal, SLT and CST, determine the focus, content and manner of expanded learning and enrichment programming to be provided at the school(s), considering the needs and expressed interests of students at the school(s) in alignment with the grant(s). Children’s Aid shall work with existing after school and expanded learning providers at the school(s) to align their work with the school’s instructional focus in order to provide more opportunities for personalized learning for as many students as possible. Children’s Aid shall also consider student and parent input via the community school planning process and use such input to inform the selection of specific activities to be offered, and such input must be reflected in the CS plan.
  • ensure that expanded learning and enrichment programming delivered at the school is tailored to the needs of the school(s) and its student population, and is in alignment with the goals and objectives of the grant(s).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Children’s Aid employs administrative, operational, and technical safeguards including policies regarding the protection of confidential information, policies regarding the acceptable use of technology resources, training, and data system monitoring.

Confidential data is protected and only used in accordance with state and federal laws, rules and regulations, and Children’s Aid policies to prevent unauthorized use and/or disclosure. Staff must obtain written consent prior to the disclosure of personally identifiable information, except in those instances specifically allowed for by law. These include disclosure pursuant to a valid court order, or lawfully issued subpoena, a request for disclosure by authorized representatives of the officials or agencies headed by State or local educational authorities, a health or safety emergency where disclosure of PII is necessary to protect the public health of the student or others, and reason permitted by law.

Education records may be released without consent after the removal of all personally identifiable information provided that a reasonable determination that a student’s identity is not personally identifiable (whether through single or multiple releases, and considering other reasonably available information) has been made.

Reasonable methods must be used to identify and authenticate the identity of parents, students, school officials, and any other parties to whom PII in education records is disclosed.

Violation of the Children’s Aid policies by staff is grounds for dismissal. Staff agree to abide by the rules covering the maintenance and use of mobile equipment assigned to them. All devices and accounts are subject to inspection without user permission. Handling of protected information must be exclusively for the conduct of job-related duties and may not include dissemination of confidential information for unauthorized purposes nor any commercial uses. Use of technology and devices must incorporate use of strong passwords, dual authentication when required, protection of unique passwords, physical security of devices, and safe practices that protect systems from viruses and spyware. Use of technology and devices must not include any effort to circumvent data protection configurations, decrypt intentionally secure data, or copy data to non-secure devices for any purpose.

Children’s Aid utilizes subcontracted systems that demonstrate Systems and Organizations Controls (SOC) through SOC 2 audit reports based on the Auditing Standards Board of the American Institute of Certified Public Accountants' Trust Services Criteria (TSC). The purpose of the SOC 2 is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality, and privacy. These reports are intended to provide detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. Security principles within the fundamental designs of the systems permit users to access information they need based on role while restricting them from accessing information not needed for the role. Encryption technologies protect data at rest and in transit. Subcontractor information security and availability policies define how systems and data are protected. These include policies around how the service is designed and developed, how the systems is operated, how the internal business systems and networks are managed, and how employees are hired and trained.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Chinese American Planning Council (Community Schools)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The services we provide are in alignment with the needs assessment based on the school population. Our food panty aims to reduce food scarcity for families in need with our high need families being able to utilize our food panty every 2 to 3 weeks and our low need families a couple of times per year. Our afterschool program aims to reduce the number of students in of afterschool services. We work with the other CBOs in the building along with the school leadership team to identify and prioritize students and families that are in need of after-school services. We meet with the school leadership team formally on a quarterly basis as well as keeping an open line of communication in terms of highlighting new needs that the school community may need, for example offering workshops on topics such as identify theft. We determine the effectiveness of such services by eliciting feedback from the school leadership team as well as the school community itself. The PII which we have access to are necessary for student identification, family communication, and record keeping purposes for the services we are providing.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft 365 Enterprise.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CPC uses Microsoft Office 365 Enterprise. Microsoft 365 Enterprise’s data at rest is located in the United States. It also has inherent high-quality security protections. For example, in the event a staff member sends an email or shares a file through email containing personal information, Office 365 uses DLP policies to protect the information. For emails it will encrypt the message so that only the receiver can read it. A link and a pin will be sent to them to open the email. File sharing also uses the same verification method.

CPC inherits the same Data Encryption provided by Microsoft on their Office 365 Enterprise platform. All sensitive information is given an extra layer of encryption, as part of CPC multifactor authentication (MFA). The user login is paired with a password and an SMS code to verify the login. CPC and our technology vendors maintain encryption, firewalls, and password protection protocols. CPC staff also participate in an annual cyber security training to ensure staff are aware of digital threats to privacy such as malware and phishing.

Physical copies of community member information such as intake forms will be filed into participant folders and kept under lock and key in a file cabinet with only designated staff access (Program Director, Program Aide, and if appropriate Division Lead and Chief Program Officer). Staff are trained during onboarding not to leave files out in the open and to return files to the cabinet as soon as possible.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Chinese American Planning Council (Project Pivot)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 11/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. The services and activities are aligned with violence prevention by providing the following: specialized and intensive academic coaching supports for students who need to be reengaged in the schooling and learning process; targeted and tiered supports to improve student attendance in school; engaging and connecting families to resources; classroom focused behavioral services and strategies to ensure students are able to get the most out of each lesson, remain on task, and meet the learning objectives for the day; and offering in‐school and after school tutoring. CPC will be evaluating the program through participant’s daily attendance, report cards and feedback through surveys and weekly evaluations. The PII shared with CPC will be student names, student ID, addresses, phone.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using an Entity‐owned and/or internally hosted‐solution.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All PII will be maintained and tracked at the school level and store in a secured filing cabinet. Attendance and Email correspondence with students are kept on Office ‐ OneDrive & Outlook. Our Office Suite includes Two‐factor authentication (2FA), which is an identity and access management security method that requires two forms of identification to access resources and data. This safeguards our most vulnerable student data information

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Chinese American Planning Council (Project Reach)

Please include a brief description of the product(s) or service(s) being provided, and the exclusive purposes for which Protected Information will be used, collected or otherwise processed: The Chinese-American Planning Council, Inc. (CPC) Project Reach program will provide Department of Education (DOE) funded MTAC R1155 for Components of 1) Social Emotional Learning, 2) Respect for Diversity and 3) School Culture and Climate/Approach to Establishing and Sustaining a Positive School Culture as part of the services to promote safe and supportive school communities. DOE Principals, through this contract, request CPC Project Reach staff to provide workshops and trainings to support and enhance safe school cultures for youth, families and staff of DOE schools.

While it is not the policy of CPC to retain protected information, identifiable information may be kept in certain records required to work with the DOE, such as sign-in sheets showing attending students' names which are generally collected to verify that workshops were provided.

CPC Project Reach, to evaluate its own services, shares an anonymous survey at the end of a workshop for students, family members and/or school staff. No identifiable protected information will be requested and any results reported in the aggregate.

Occasionally, CPC staff, usually by request of city or state agencies, may ask for student or staff home zip codes to better understand where in NYC Project Reach has had a possible impact. This information is collected but only shared in the aggregate.

How you will ensure that the subcontractors or other authorized persons or entities that you will share Protected Information with will abide by data protection and security requirements required by your agreement with the NYC DOE: Any CPC subcontractors, authorized persons or entities will adhere to the protocols and protections set forth in Education Law § 2-d.

CPC uses several services such as internet providers like online Microsoft 365 Enterprise services and some technical vendors who support our program administrations/operations. Any technical vendors CPC retains will honor those protections for students and participant information to meet the standards of the Education Law § 2-d.

CPC has insurance in place and follows a yearly review of IT and technical processes agency wide to ensure best practices are continuously reviewed, monitored, and improved annually.

When your agreement with the NYC DOE starts and ends, and (ii) what happens to Protected Information upon expiration of the agreement: Upon expiration of the DOE-funded MTAC R1155 program, or upon request by the DOE, CPC can provide the appropriate certification that destruction of data related to any protected information is completed. In general, CPC's current practices involve maintaining data for the prescribed period of time per the requirements of the funder, City, New York State or federal guidelines. After this, CPC destroys all paper documents on-site or through a third-party vendor specializing in this process/activity. Digital records are deleted and servers scrubbed.

If and how a parent, student, eligible student, teacher or principal may obtain copies of, and challenge the accuracy of, the Protected Information in the custody or control of the Contractor: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE to process requests for copies of, and challenges to the accuracy of, Protected Information in the custody or control of the Contractor. Such requests should be directed to studentprivacy@schools.nyc.gov.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and (ii) the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): CPC uses Microsoft Office 365 Enterprise. Microsoft 365 Enterprise's data at rest is located in the United States. It also has inherent high-quality security protections. For example, in the event a staff member sends an email or shares a file through email containing personal information, Office 365 uses DLP policies to protect the information. For emails it will encrypt the message so that only the receiver can read it. A link and a pin will be sent to them to open the email. File sharing also uses the same verification method.

How the data will be encrypted (described in such a manner as to protect data security): CPC inherits the same Data Encryption provided by Microsoft on their Office 365 Enterprise platform. All sensitive information is given an extra layer of encryption, as part of CPC multifactor authentication (MFA). The user login is paired with a password and a SMS code to verify the login. CPC and our technology vendors maintain encryption, firewalls, and password protection protocols.

Circle Blocks EDU (also called PlaBook)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. PlaBook is an innovative reading technology platform designed to assist children in developing their reading skills. Leveraging artificial intelligence, natural language processing, gamification, and speech recognition, PlaBook offers a range of services to make the learning process engaging and effective. Our platform provides interactive reading exercises, personalized assessments, and adaptive learning experiences tailored to each child’s needs. Through a combination of AI-driven feedback, gamified elements, and speech recognition features, PlaBook helps children improve their reading fluency, comprehension, and vocabulary, fostering a love for reading while enhancing their overall literacy skills.

While PlaBook may collect Personally Identifiable Information (PII) from users, it is solely for the purpose of delivering personalized and tailored learning experiences. PII helps us create individual profiles, track progress, and provide targeted recommendations to optimize the learning journey for each user. However, PlaBook ensures that all collected PII is securely stored, encrypted, and handled in compliance with privacy regulations. User consent and data transparency are fundamental principles that guide our approach to maintaining the privacy and security of PII within the PlaBook program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS S3 storage, AWS RDS Database, AWS Redis caching, Cloudflare firewall and SSL protocol.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. No one has access to AWS server other than the applications. Caching server and DB is only allowed from approved IPs. Database and caching server password rotation every 6-9 months. We are using Cloudflare firewall protection for DDOS attack and other known attacks. Application is using token authentication for api protection.

  • Data Encryption: All personal data will be stored and transmitted using strong encryption methods to prevent unauthorized access or interception. All data is encrypted at rest and in transit.
  • Access Control: Implement strict access controls based on the principle of least privilege, ensuring that only authorized personnel can access and manage sensitive data.
  • Data Encryption at Rest: Use encryption mechanisms to encrypt PII stored in databases, file systems, and backup archives. Employ native encryption features provided by the database or storage systems.
  • Data Encryption in Transit: Utilize secure communication protocols like SSL/TLS for encrypting data in transit between systems and during data transfers.
  • Access Control and Authentication: Implement strong authentication mechanisms, such as multi-factor authentication (MFA), to ensure that only authorized users can access PII.
  • Security Audits: Regular security audits and vulnerability assessments will be conducted to identify and address potential weaknesses in our systems.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Circles Learning Labs

The exclusive purposes for which Protected Information will be used: Our goal is to provide an easy, fast and reliable meeting platform. For this reason, we ask for and store minimal information; first name, last name and email. Your information is stored in a safe and protected environment (encrypted at rest and in motion). 

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: We do not share data with external parties. Employees of Circles are required to sign a non-disclosure agreement when starting their work agreement with Circles. 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: All meeting data is stored for 2 hours after the end of the conference, after which it is deleted. During this time, any user can choose to download the chat from the meeting room should they wish to save the data. Additionally, a user can make notes during a meeting and share these with others later. Participant attendance to a meeting is recorded, as is the duration (much like you’d expect from a phone call record.)

Action items are stored on the local server so they can be used in the next meeting. This data is private between you and circles only. It is never given or sold to a third party.
 
Troubleshooting data to help detect and resolve technology problems is stored for 30 days, and automatically deleted after. This may contain user identifies such as names/system ID’s to help the support and operation teams, but no other personal information. 
 
Upon termination of the contract all data is automatically deleted from our database. Anonymized feature data is retained to enable us to improve services by helping us understand which features of the system are most used, and which are not. 
 
[NYC DOE comment: The current agreement became effective starting on July 31, 2020 and terminates when all NYC DOE schools and/or offices cease using Circles Learning Labs, Inc’s products/services. The terms of the agreement remain effective through the period during which Circles Learning Labs, Inc possesses or otherwise is in control of covered protected information.]
 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All our data centers are based in the US in the amazon cloud; and as such benefit from all the encryption and security measures that AWS provides.

How the data will be encrypted (described in such a manner as to protect data security): All information and data is stored in a safe and protected environment (encrypted at rest and in motion).

City Year New York

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/01/2022 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Data will be used to monitor progress and complete compliance reports regarding attendance rates, academic outcomes in math and ELA courses, and behavior.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Under federal law, due to our AmeriCorps grant, City Year is required to retain student data for 7 years. At the end of the retention period the data will be deleted.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. City Year has a comprehensive security program documented in our Written Information Security Program (WISP). We require all staff and ACMs to read and attest to following our data security and breach policies. Furthermore, we provide annual cybersecurity training and student data protection training. Access to any data requires a password and multi-factor authentication. We have a security incident process. We have selected high-quality IT cloud vendors to manage our systems with PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Claire Weisz Architects LLP (also called WXY)

Type of Entity: Commercial Enterprise

Contract Start Date: 9/1/2021 

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. WXY will lead in development of a comprehensive review of the status of each recommendations presented in the D15 Diversity Plan. WXY will primarily use interviews and stakeholder meetings, combined with data analysis to report on how relevant stakeholders in the D15 community have approached implementation in the three years since the plan’s release.

In the Spring of, 2021, WXY conducted an initial review of the status of the Plan’s implementation and synthesized the findings into a presentation Superintendent Anita Skop delivered to the CEC on April 29, 2021. WXY will expand on that initial presentation and will conduct interviews and analysis with the D15 leadership, the DOE offices responsible for implementing recommendations, and with the wider D15 community to compile a more thorough progress update. Additionally, WXY will conduct a wide range of data analysis in support of District 3 and District 13’s New York State Integration Project grants including the analysis of student level data.

WXY will support D14’s District Equity Initiative. WXY will take responsibility for organizing and performing all work in a timely manner and ensure the various elements effectively build on one another. WXY will introduce the process to up to six identified stakeholders, collect reflections and input, and share out with D14 leadership. WXY will work closely with D14 leadership to establish a D14 Equity Working Group, comprised of stakeholders from across District 14, as deemed appropriate by the DOE. WXY will conduct data research on Equity Audit best practices and precedents. WXY will conduct data analysis in support of a district wide equity audit.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Established data management workflows will be employed when transferring, storing, and using the data. Clear roles within the Processor organization will be established at the outset of the project, distinguishing responsibilities for obtaining, analyzing, and deriving insights from the datasets. Furthermore, raw data will be formatted, analyzed, and presented using industry-standard conventions and best practices. Each of these responsibilities will be allocated based on the Processor’s policies governing confidentiality and prior experience interacting with sensitive information. Any identifiable information linked to the datasets that is unnecessary to perform the stated scope of work will be erased. Any derived products will be de-identified and presented at a resolution that is consistent with the Processor’s standards as well as the BOE’s requirements for internal use and for external publication. Clear communication channels between analysts, communications managers, project managers, and the public will be clearly identified to interface between the Processor and BOE. These functions address the Control-P and Communicate-P functions of the NSIST Privacy Framework.

Access to the raw data will be limited to personnel identified to the BOE. Each personnel will receive an overview of this document, the sensitivity of the Protected Information, and the repercussions of violating local, state, and federal privacy laws before finally being introduced to the dataset. The Processor intends to limit the number of personnel interacting directly with the data to the bare minimum.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

ClassDojo

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ClassDojo is a school communication platform that helps bring teachers, school leaders, families, and students together. Among other things, ClassDojo provides the following services through its platform:

  • Communication tools to help teachers, students and parents connect with each other
  • A way for teachers to give feedback and assignments to students, and other classroom management tools
    • A way for teachers to share photos, videos, files, and more from the classroom for parents and students to see
    • A way for parents and students to post comments and “likes” on Class Stories and School Stories
  • Student portfolios, where students can share their work with teachers and parents
  • Activities and other content that teachers or parents can share with students. 
  • A way for school leaders to see how connected their school community is, and also to communicate with parents and other teachers and school leaders
  • “Dojo Island”- a virtual playground for kids and their classmates where they’ll explore a variety of activities focused on creativity and collaboration to explore, build, and live in a world with their classmates.

It’s important to note that this document does not apply to any services or products that you may use for non-school related services (i.e., ClassDojo services you use at home and not related to school).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

“It’s important to note that this does not apply to any services or products that you may use for non-school related services (i.e., ClassDojo services you use at home and not related to school).”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud, AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Consistent with industry standards, ClassDojo shall employ the following administrative, physical, and technical safeguards:

Infrastructure Security

  • Encryption at Rest and In Transit
  • Access to the ClassDojo Service occurs via encrypted connections.
  • (HTTP over TLS, also known as HTTPS) which encrypt all data before it leaves the ClassDojo Service's servers and protects that data as it transits over the internet. All of our Services are in Amazon Web Services (AWS) and served from either Cloudfront or Elastic Load Balancer (ELB). We use HTTP Strict Transport Security to ensure that pages are loaded over HTTPS connections and our TLS configuration receives an A+ from Qualys SSL Labs.
  • Student Data is stored at our Service Provider, AWS, and the following applies to their technical and organizational measures. In addition, we secure decentralized data processing equipment and personal computers. All personally identifiable information is encrypted at rest using modern encryption algorithms. In AWS S3, we use AES-256 with AWS managed keys, in Aurora (MySql) we use AES-256 with customer managed keys and in Redshift we use AES-256 with AWS managed keys. Additionally, we use MongoDB with AES-256 with keys managed by AWS.

Network Security

  • The ClassDojo Services use AWS, to host the infrastructure. AWS undergoes strict ongoing security assessments from external audit firms to ensure compliance with security standards including ISO 27001, SOC 2, PCI DSS Level 1, and FISMA. See https://aws.amazon.com/compliance/programs/ for more details.
  • Network access to the ClassDojo Services infrastructure is highly restricted. AWS hosted infrastructure resides in a dedicated Virtual Private Cloud (VPC) which is designed to ensure that only authorized traffic over approved ports is allowed. We use ThreatStack to monitor for suspicious activity.

Patching

  • We use automated processes to regularly install security updates on the infrastructure that powers the ClassDojo Services, these processes include:
    • AWS Managed Services (e.g., Relational Database Service):** AWS proactively notifies our engineering team when updates are available and we apply them in a timely fashion.
    • AWS EC2:** All EC2 instances are monitored by ThreatStack and AWS inspector and updates are applied in a timely fashion
    • Classdojo Application:** Monitored by Snyk.io and Github for vulnerabilities and they are updated in a timely fashion.

Backups and Availability Control

  • We have a data backup and recovery capability that is designed to provide a timely restoration of the ClassDojo Services, with minimal data loss, in the case of catastrophic failure. These backups are encrypted and stored in multiple availability zones. Additional technical and organizational measures to ensure that Student Data are protected against accidental destruction or loss (physical/logical) include:
    • Uninterruptible power supply (UPS);
    • Remote storage; and
    • Firewall systems.
  • Note: Student Data is stored at our Service Provider - currently AWS - and the above applies to their technical and organizational measures as well as any other relevant such as MongoDB. In addition, we have a disaster recovery plan in place.

Physical Security

  • Physical Access Controls
  • Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Student Data are Processed*, include:
    • Establishing security areas, restriction of access paths;
    • Establishing access authorizations for employees and third parties;
    • Access control system (ID reader, magnetic card, chip card);
    • Key management, card-keys procedures;
    • Door locking (electric door openers etc.);and
    • Surveillance facilities, video/CCTV monitor, alarm system.
  • Note: The ClassDojo Services are currently hosted in AWS and Student Data is stored at our Service Provider - currently AWS – which employs industry- leading physical security measures to protect their data centers and the above applies to their technical and organizational measures. These security features are regularly audited by third -party auditors.

Virtual Access Control

  • Technical and organizational measures to prevent data processing systems used for Student Data from being used by unauthorized persons include:
    • User identification and authentication procedures;
    • ID/password security procedures (special characters, minimum length, change of password); and
    • Encryption of archived data media.
    • Data Access Control
  • Access to the ClassDojo Services infrastructure is highly restricted. We limit access to individuals who need access to do their jobs such as engineers, data scientists, product managers, and support personnel. All access to our infrastructure is logged. All access to our infrastructure requires the use of strong passwords and multi-factor authentication.
  • Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Student Data in accordance with their access rights, and that Student Data cannot be read, copied, modified or deleted without authorization, include:
    • Internal policies and procedures;
    • Control authorization schemes;
    • Differentiated access rights (profiles, roles, transactions and objects);
    • Monitoring and logging of accesses;
    • Disciplinary action against employees who access personally identifiable information without authorization;
    • Reports of access;
    • Access procedure;
    • Change procedure;
    • Deletion procedure;

Disclosure Control

  • Technical and organizational measures to ensure that Student Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Student Data are disclosed, include:
    • Encryption/tunneling;
    • Logging; and
    • Transport security.

      Entry Control

  • Technical and organizational measures to monitor whether Student Data have been entered changed or removed (deleted), and by whom, from data processing systems, include:
    • Logging and reporting systems; and
    • Audit trails and documentation.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Clever Prototypes (also called Storyboard That)

 Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Storyboard That Education Edition for Teachers and Students. Storyboard That is a web-based product for teachers and students. With our Award-Winning Storyboard Creator, teachers and students can create storyboards, graphic organizers, comics, and powerful visuals to enhance their learning in all grades and subjects. We have over 5,000 resources for teachers to easily integrate Storyboard That meaningfully into their curriculum. PII Collected: IP Addresses of users, use of cookies, students school of enrollment, student grade level, student scheduled courses, teacher names, student app username, student app passwords, student name first and/or last, student generated content such as writing and pictures.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

  • Privacy-centered design means that students can use Storyboard That with as little PII as possible. Student accounts and all relevant personal data may also be deleted at any time.
  • To keep your personal data secure, all data is encrypted in transit and at rest.
  • Data is stored in access-controlled data centers with 24/7 monitoring by Microsoft Azure, an industry-leading provider.
  • Employee access to personally identifiable information is provided on an as-needed basis, to provide customer support for example.
  • Employees with access to personal data are required to undergo background checks, sign a nondisclosure agreement.
  • Storyboard That has signed the Student Privacy Pledge.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Clickview

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ClickView is an educational video platform specializing in K-12 video resources. ClickView lets teachers find and share video that engages students in a format they understand. The ClickView platform also lets teachers transform videos into interactive quizzes with formative assessment tools to show evidence of learning and engagement. ClickView receives PII to enable it to provide the platform to students, teachers and school or district administrators.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Administrative safeguards include the documentation of policies and processes, the allocation of roles and responsibilities, training, risk management, human resources security, asset management, access management, system hardening measures and data logging. Physical safeguards include physical security systems, entry controls, equipment maintenance, equipment security, controls against physical damage and environmental controls. Technical safeguards include encryption, firewalls, antivirus, intrusion detection system and intrusion prevention system, authentication, data retention and database separation.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Code.org

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Code.org® is a 501(c)(3) nonprofit that provides an online curriculum for teaching computer science and an online learning platform to support that curriculum. Access to its CS education platform and curriculum for free. For more information please visit https://code.org. The PII processed by Code.org is necessary in order to provide the service and retain student progress (e.g., teachers may enter a student name in the teacher’s section so the teacher can identify the student’s progress vs. that of other students).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

“The Services are intended for use both within schools (i.e., as part of classroom sections established by teachers in the K-12 setting) and outside of school (i.e., for use at home and not for K-12 school purposes). Upon the NYC DOE’s request, following a process outlined between the DOE and Code.org, Code.org will ensure the deletion of all Code.org student accounts enrolled in a DOE’s teacher’s section In the absence of a deletion request by the teacher, the DOE, or student (as the case may be), the Code.org Personal Data Retention and Deletion Policy provides for automatic deletion or de-identification of Code.org student accounts after five (5) years of inactivity.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of