Vendors A-H

New York Education Law §2-d gives parents the right to access certain information about agreements the NYC DOE has entered into with outside entities (such as vendors) who are permitted to receive or to access identifiable student information from the DOE. These entities are required to answer a number of questions about their privacy and data security practices. Responses from such outside entities to these questions are found below. Please note that this page will be updated on a periodic basis with responses from additional outside entities.

PLEASE NOTE: The entities listed below do not comprise a list of “approved DOE vendors” and therefore should not be thought of as such. Some entities listed below may have agreements that have expired or were terminated, but whose information has not yet been moved or removed. Other entities, whose names do not appear below, may have agreements with the DOE, or agreements that are in progress, but their responses are still being processed and have not yet been posted.

Listed in Alphabetical Order:

21st CentEd

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term:

    Contract Start Date: February 1, 2022

    Contract End Date: February 1, 2023

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. 21stCentEd’s online educational services collects contextual or transactional data as part of its operations, often referred to as “metadata.” Metadata refer to information that provides meaning and context to other data being collected; for example, information about how long a particular student took to perform an online task has more meaning if the user knows the date and time when the student completed the activity, how many attempts the student made, and how long the student’s mouse hovered over an item (potentially indicating indecision). This metadata is not linked to FERPA-protected information.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The 21stCentEd Data Security Plan (DSP) details procedures implemented at the administrative level to protect private information such as training personnel on information handling best practices. The DSP also outlines the physical protections implemented for protecting private information such as ensuring paper records and servers are secured and access-controlled. Lastly, the DSP includes 21stCentEd’s technology-based instruments and procedures used to protect private information such as requiring Common Access Cards for System Access and encrypting computers and emails.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Acadience Learning Inc. (ALI)

  1. Type of Entity: Research Institution or Evaluator
  2. Contract / Agreement Term: ALI does not have a current contract, but has submitted under MTAC # R1121. [NYCDOE Comment: NDA was signed on 6/25/2021]
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The purpose for which ALI will receive/access PII is to provide online assessment and data management services for Acadience assessments and for psychometric and research services which may be called upon by NYC DOE.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The Acadience Learning Online (ALO) system follows industry-standard best practices to ensure that all system data, including data containing PII, is secure and protected at all times. Technical security protections include, but are not limited to: encryption of data in transit and at rest, use of US based servers, proactive monitoring of network access, and regular security testing and review of results. ALI takes a proactive stance on mitigating data privacy and security risks by utilizing strong security procedures and protocols. Additionally, ALI upholds rigorous internal policies to ensure that employees with access to data containing PII follow strict procedures related to the handling and management of sensitive information. Employees with access to sensitive information must first complete required training before gaining ALO system access, and system access is limited to employees who need access to the information to complete job duties.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

The Achievement Network

1. The exclusive purposes for which Protected Information will be used: The information collected is first used to enable access to ANet’s online platform, myANet, which provides resources and reports for District and Schools leaders. These data also allow ANet coaches and school leaders to understand student performance on interim assessments administered. These learnings then enable ANet to provide the appropriate guidance and best practices to boost student learning. Additionally, we also occasionally use anonymized, aggregated student response data to inform our own internal analyses of the efficacy of our services and tools.

2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: ANet and our partners are considered to be a “School Official” under FERPA. Access to data reports that include more granular student data can only be accessed through our secure data reporting platform. Any individual or non-aggregated student data is available only to that student's school leaders and teachers, not to other educators in the network.

3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: ANet typically retains all data collected. In the event that a partnership with ANet is concluded, user access to the myANet platform will be terminated on a mutually agreed upon date. This ensures that the data collected for that partner is no longer available to other schools within the district that utilize the platform.

[NYC DOE comment: The current agreement became effective starting on December 20, 2019 and terminates when all NYC DOE schools and/or offices cease using The Achievement Network’s products/services. The terms of the agreement remain effective through the period during which The Achievement Network possesses or otherwise is in control of covered protected information.]

4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.

[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Our data and servers are part of AWS and are housed in US-based AWS data centers. https://aws.amazon.com/compliance/data-center/controls/. At our offices we do not have any servers.

6. How the data will be encrypted (described in such a manner as to protect data security): 

- Applications communicate with RDS databases within a secure Virtual Private Cloud (VPC) via Transport Layer Security version (TLS) 1.0 and 1.2.
- AWS RDS encryption at rest with KMS uses FIPS 140-2 validated hardware security modules (HSMs) to generate AES-GCM 256-bit keys.

Actively Learn Inc

1. The exclusive purposes for which Protected Information will be used: Actively Learn uses Protected Information solely to provide the Actively Learn educational service to NYC students, teachers, and schools.
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: We will carefully review sub-processor privacy agreements and terms of service to ensure that they abide by the data protection and security requirements required by our NDA with the NYC DOE.
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon written request from NYC DOE, we can delete or de-identify NYC data in our platform. 
[NYC DOE comment: The current agreement became effective starting on March 20, 2020 and terminates when all NYC DOE schools and/or offices cease using Actively Learn Inc’s products/services. The terms of the agreement remain effective through the period during which Actively Learn Inc possesses or otherwise is in control of covered protected information.]
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All Protected Information is stored in the US (AWS us-east-1 and us-west-2 datacenters). Data is encrypted both at rest and in transit. Actively Learn employees with access to Protected Information access it via a browser over SSL (support staff) or directly over a password-protected private-key SSH tunneled connection to our platform database (engineering staff).
6. How the data will be encrypted (described in such a manner as to protect data security): Platform data is encrypted at rest using AES-256-GCM encryption provided by AWS’s Aurora managed clustered database service and AWS’s Key Management Services (KMS). Platform data is encrypted in transit between the database and our platform via SSL.

Adobe

The exclusive purposes for which Protected Information will be used:

The NYCBOE uses Adobe products and services for its students in the K-12 school environment. Protected information (as defined in the Additional Terms) will be provided to Adobe and used by Adobe for the purposes of providing such student services to the NYCBOE and its students under the agreement between Adobe and NYCBOE. [NYC comment: Adobe refers to the New York City Department of Education as NYCBOE throughout the agreement.]

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE:

In the event that Adobe engages subcontractors or other authorized representatives to perform one or more of its obligations under the agreement, it will require those to whom it discloses protected information to be subject to contractual data protection terms at least as restrictive as those set forth in the agreement, and those subcontractors or other authorized representatives shall have a legitimate need to access protected information in connection with their responsibilities in providing services to Adobe.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement:

The initial term of the agreement with the NYCBOE will be thirty-six (36) months from the effective date. Upon expiration of the additional terms without renewal, or upon termination of the additional terms prior to expiration or termination of a student account, Adobe will adhere to the student data retention and deletion protocols agreed to with the NYCBOE and set forth in Section 5.4 of the Additional Terms of the Agreement. [NYCDOE comment: the Agreement was signed and put into effect on February 28, 2022.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected:

Pursuant to Section 6.3 of the Additional Terms, Adobe will work with the NYCBOE to process requests for copies of, and challenges to the accuracy of, protected information in the custody or control of Adobe. Such requests should be directed to the NYCBOE at studentprivacy@schools.nyc.gov.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security):

Any protected information Adobe receives will be stored on systems in a secure data center facility. Adobe processes and stores information in the U.S. and other regions, which may include Europe and Japan. Adobe Cloud Services meet the specific requirements of data protection, including, but not limited to, Article 28 of the General Data Protection Regulation and which are listed as SOC2, Type 2 (Security and Availability) and ISO 27001 compliant and others as indicated at http://www.adobe.com/go/cloudcompliance. Additional information on Adobe’s various security controls and processes for its products and services are located in Exhibit C (Technical Organizational Measures) to the Additional Terms of the Agreement.

How the data will be encrypted (described in such a manner as to protect data security):

Adobe uses technologies, safeguards and practices, including, but not limited to, encryption, firewalls, password protection, and/or equivalent that are consistent with its industry standards. Adobe Cloud Services meet the specific requirements of data protection, including, but not limited to, Article 28 of the General Data Protection Regulation and which are listed as SOC2, Type 2 (Security and Availability) and ISO 27001 compliant and others as indicated at http://www.adobe.com/go/cloudcompliance. Additional information on Adobe’s various security controls and processes for its products and services are located in Exhibit C (Technical Organizational Measures) to the Additional Terms of the Agreement.

Agile Mind

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term: [NYCDOE Comment: NDA was signed on 7/12/2021]
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Agile Mind provides comprehensive math and science programs for middle and high schools. To that end we store a student’s name, school, grade level and DOE assigned login ID– all nonsensitive PII.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data (not just PII) is stored in a highly secure fashion. Data is protected using encryption while in motion and at rest by serving all data via HTTPS and storing it in a secure manner. For storage specifically, all data is stored by MySQL Data at Rest Encryption. The security of this data is ensured by limited employee electronic access to production databases, and databases are housed in a secure data center with physical security and a named access list for visitors.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. 

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Amplify Education, Inc. 

1. The exclusive purposes for which Protected Information will be used: PISI will be used in accordance with Section 2 above.
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: The Recipient will share Confidential Information in accordance with Section 4 above.
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The Recipient shall treat PISI in accordance with Section 7 above.
[NYC DOE comment: The current agreement became effective starting on August 20, 2019 and terminates when all NYC DOE schools and/or offices cease using Amplify Education, Inc.’s products/services. The terms of the agreement remain effective through the period during which Amplify Education, Inc. possesses or otherwise is in control of covered protected information.]
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: The Recipient shall notify the BOE of any such challenges in accordance with Section 5 above.
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI will be stored only in the United States. Recipient will follow the Security precautions as described in Attachment B.
6. How the data will be encrypted (described in such a manner as to protect data security): As described in Attachment B, Recipient follows NIST guidelines and industry best practices in data encryption.
• In transit: Recipient encrypts all student personal information in transit over public connections, using Transport Layer Security (TLS), commonly known as SSL, using industry-standard ciphers, algorithms, and key sizes.
• At rest: Recipient encrypts student personal information at rest using the industry standard AES-256 encryption algorithm.

Aperture Education, LLC

1. Name of Entity 

  • Aperture Education, LLC

2. Type of Entity

  • Commercial Enterprise

3. Contract / Agreement Term

  • Contract Start Date: July 1, 2021
  • Contract End Date: June 30, 2024

4. Description of the exclusive purpose(s) for which Entity will receive/access PII

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

  • Aperture will use PII to administer student social and emotional assessments to be completed by students, teachers and (optionally) parents. PII will also be used in reporting (e.g., to disaggregate data by subgroup).

5. Type of PII that the Entity will receive/access

  • Student PII

6. Subcontractor Written Agreement Requirement

In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations.

  • The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.

7. Data Transition and Secure Destruction

  • Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII

8. Challenges to Data Accuracy

In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  • The entity agrees to follow the procedure outlined above.

9. Security and Storage Protections

Describe where PII will be stored or hosted:

  • Using a cloud or infrastructure owned tool hosted by a subcontractor

10. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. (Please do so in a manner that ensures that disclosure of the description on NYC DOE’s website will not compromise the security of the data or the Entity’s security practices and protocols):

  • Aperture Education considers security of PII to be of utmost importance. As such, we follow a rigorous security policy which includes, but is not limited to, third party penetration and security testing, annual security training of all of our employees, completion of background checks on our employees, encryption of confidential information in transit and at rest, and limiting user access to confidential information based on role. Please see our security policy for more information.

11. Encryption

Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

  • Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Attainment Company

The exclusive purposes for which Protected Information will be used:

Products provided include AAC applications & devices for student communication needs; student & teacher instructional applications/software for special education.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE:

Attainment provides industry standard data protection and security; annually authorized staff are trained on the appropriate requirements of FERPA, COPPA & SOPPA. 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement:

Protected information is returned to the district & after 30 days purged from Attainment systems. 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected:

Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security):

All data is stored in the US with AWS certified protected industry standard practices.

How the data will be encrypted (described in such a manner as to protect data security):

The transmission is controlled using TLS (Transport Layer Security) encryption for the browser to database connection. The data is encrypted between the client computer and Attainment’s servers. The Hub uses HTTPS (Hypertext Transfer Protocol Secure) over a secure SSL.

Big Ideas Learning, LLC

1. The exclusive purposes for which Protected Information will be used: We store and process your personal information to authenticate your user's license and to grant you access to the applicable materials. We also use information we collect to analyze trends, to administer the site, and to track users' movements around the site. We also use this information to improve the site and to make it more useful to visitors.
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: We contractually bind any subcontractors with access to Protected Data to the same rules we must follow.
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: We will delete the Protected Information within 90 days of agreement expiration.
[NYC DOE comment: The current agreement became effective starting on November 25, 2020 and terminates when all NYC DOE schools and/or offices cease using Big Ideas Learning, LLC’s products/services. The terms of the agreement remain effective through the period during which Big Ideas Learning, LLC possesses or otherwise is in control of covered protected information.]
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.

[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Physical safeguards are conducted by Big Ideas Learning's contracted server hosting company, Rackspace. PDF certificates for data center infrastructure [redacted] are available upon request. Technical safeguards include (1) encrypting district data in transit and at rest using SSL (Secure Sockets Layer), (2) PII database encryption, and (3) deploying Sophos anti-virus protection and Fail2Ban intrusion detection. Data is stored in the United States.
6. How the data will be encrypted (described in such a manner as to protect data security): User data tables are encrypted at rest and in transit. See answer 5 for more information.

CareerSafe, LLC

The exclusive purposes for which Protected Information will be used:

Student name and course completion information is used to process course completion wallet card from the U.S. Department of Labor, OSHA.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE:

As an OSHA-Authorized Provider, CareerSafe is required to provide student data to OSHA. We are contractually obligated to provide student name and course completion information to OSHA for the purpose of providing students with an OSHA completion card. OSHA, as part of the U.S. Department of Labor, complies with Federal data security standards. No student data is shared with any other organization or individual. 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement:

Student completion records will be maintained for five years, after which, CareerSafe will destroy and delete all the data in its entirety in the manner that prevents its physical reconstruction. 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected:

In accordance with their contract, CareerSafe will work with the NYC DOE in processing challenges to the accuracy of student data in CareerSafe’s custody. 

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security):

All at rest data is FIPS 140-2 compliant / certified process used to encrypt the student data while at rest on the application database. Student data is stored in/on an application database, located in the Amazon Web Services hosting facilities. The back-up data is presently stored on site in a secured storage unit. No data is stored outside of the US. All data is fully encrypted to an AES 256 bit standard at rest and while in transit. All network devices and storage units are restricted to only be accessed by administrators.

How the data will be encrypted (described in such a manner as to protect data security):

All data is fully encrypted to an AES 256 bit standard at rest and while in transit.

CareMonkey Inc. 

1. The exclusive purposes for which Protected Information will be used: CareMonkey is used by schools to send consent and other school forms and collect responses from parents/guardians and/or staff members. It is also used for internal approval processing such as a field trip being approved. PISI is used to know who to send notifications to, e.g., an email notification to a parent to tell them there is a new consent form they need to sign, or an email notification to a school principal informing them there is a field trip to approve. The system uses basic information about students, parent contacts, classes (roster) and staff so that forms can be delivered to the right people or parents of a class.
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE:
• Note, we have no sub-contractors. Our support services are provided by our own team.
• CareMonkey follows the principle of “Least Privileged Access” whereby user accounts are provided the most restrictive access necessary to perform the required business function.
• Access to data is restricted depending on job roles and all access is tracked.
• As part of our Information Security Program we maintain a systems access register.
• Access to sensitive data is restricted to those few with a need to know and must be approved by management.
• Access accounts have username and passwords with Two Factor Authentication (2FA).
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The NDA will apply for each school upon signing up to CareMonkey.
The NDA will end for each school when they close their CareMonkey account.
Schools can close their account and delete their data at any time. The data is immediately no longer available after deletion. Backups are retained for three years.
Note that after closing their accounts schools can choose to retain their data in archive only mode for as long as required.
[NYC DOE comment: The current agreement became effective starting on August 6, 2019 and terminates when all NYC DOE schools and/or offices cease using CareMonkey Inc’s products/services. The terms of the agreement remain effective through the period during which CareMonkey Inc. possesses or otherwise is in control of covered protected information.]
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. However, please note, that the data is entered by the parent (re parent forms) and entered by the staff member (re staff forms) so this type of scenario is unlikely.
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): 

• CareMonkey’s physical infrastructure is hosted and managed within Amazon’s secure data centers, utilising Amazon Web Services (AWS) technology.

• AWS data centers are state of the art, utilising innovative architecture and engineering approaches. AWS provides a highly reliable, scalable and secure infrastructure platform that powers hundreds of thousands of businesses in 190 countries across the world.
• Your data is stored on servers in your region and will never be stored outside of that region. Hence, United States User data is stored in the United States.
6. How the data will be encrypted (described in such a manner as to protect data security):
• CareMonkey uses the highest standards in Internet and data security. 
• Data is always encrypted at rest and in transit. 
• Our security layers include strong cryptographic implementations (such as 256 bit encryption, 128 bit data encrypted SSL systems using Advanced Encryption Standards) and defensive-in-depth network protection (with multiple firewalls, intrusion prevention appliances, and active monitoring systems).

CCI Learning Solutions Inc

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term:

    Contract Start Date: March 2022

    Contract End Date: March 26, 2026

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Jasperactive is a web-based learning product designed for Microsoft Office with tailored exercises for Word, Excel, and PowerPoint, Outlook and Access. Students are delivered a Benchmark, Lessons and Create Exercises. The primary purpose of Jasperactive is to teach the students the required fundamentals to pass the Microsoft Office Certification exams.
  4. Type of PII that the Entity will receive/access: Student PII
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor.”
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CCI Learning Solutions Inc. is committed to protecting users’ privacy and PII and developing technology that gives users the most powerful and safe online experience. We safeguard PII through a combination of policies, procedures, training, segregation of duties and robust systems, security and technology. We mitigate data privacy and security risks by following and adhering to industry protocols, standards and practices, employing up to date technology, training and segregation of duties and user access controls.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. The vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Circles Learning Labs, Inc

1. The exclusive purposes for which Protected Information will be used: Our goal is to provide an easy, fast and reliable meeting platform. For this reason, we ask for and store minimal information; first name, last name and email. Your information is stored in a safe and protected environment (encrypted at rest and in motion). 

2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: We do not share data with external parties. Employees of Circles are required to sign a non-disclosure agreement when starting their work agreement with Circles. 

3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Start: 7/31/2020, End: unknown

All meeting data is stored for 2 hours after the end of the conference, after which it is deleted. During this time, any user can choose to download the chat from the meeting room should they wish to save the data. Additionally, a user can make notes during a meeting and share these with others later. 
 
Participant attendance to a meeting is recorded, as is the duration (much like you’d expect from a phone call record.)
 
Action items are stored on the local server so they can be used in the next meeting. This data is private between you and Circles only. It is never given or sold to a third party.
 
Troubleshooting data to help detect and resolve technology problems is stored for 30 days, and automatically deleted after. This may contain user identifiers such as names/system IDs to help the support and operation teams, but no other personal information.
 
Upon termination of the contract all data is automatically deleted from our database. Anonymized feature data is retained to enable us to improve services by helping us understand which features of the system are most used, and which are not. 
 
[NYC DOE comment: The current agreement became effective starting on July 31, 2020 and terminates when all NYC DOE schools and/or offices cease using Circles Learning Labs, Inc’s products/services. The terms of the agreement remain effective through the period during which Circles Learning Labs, Inc possesses or otherwise is in control of covered protected information.]           
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. 
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All our data centers are based in the US in the Amazon cloud; and as such benefit from all the encryption and security measures that AWS provides.
 
6. How the data will be encrypted (described in such a manner as to protect data security): All information and data is stored in a safe and protected environment (encrypted at rest and in motion).
 

Claire Weisz Architects LLP (dba WXY)

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term

    Contract Start Date: 9/1/2021

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

    WXY will lead in development of a comprehensive review of the status of each recommendation presented in the D15 Diversity Plan. WXY will primarily use interviews and stakeholder meetings, combined with data analysis to report on how relevant stakeholders in the D15 community have approached implementation in the three years since the plan’s release.

    In the Spring of 2021, WXY conducted an initial review of the status of the Plan’s implementation and synthesized the findings into a presentation Superintendent Anita Skop delivered to the CEC on April 29, 2021. WXY will expand on that initial presentation and will conduct interviews and analysis with the D15 leadership, the DOE offices responsible for implementing recommendations, and with the wider D15 community to compile a more thorough progress update. Additionally, WXY will conduct a wide range of data analysis in support of District 3 and District 13’s New York State Integration Project grants including the analysis of student level data.

    WXY will support D14’s District Equity Initiative. WXY will take responsibility for organizing and performing all work in a timely manner and ensure the various elements effectively build on one another. WXY will introduce the process to up to six identified stakeholders, collect reflections and input, and share out with D14 leadership. WXY will work closely with D14 leadership to establish a D14 Equity Working Group, comprised of stakeholders from across District 14, as deemed appropriate by the DOE. WXY will conduct data research on Equity Audit best practices and precedents. WXY will conduct data analysis in support of a district wide equity audit.

  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

    Established data management workflows will be employed when transferring, storing, and using the data. Clear roles within the Processor organization will be established at the outset of the project, distinguishing responsibilities for obtaining, analyzing, and deriving insights from the datasets. Furthermore, raw data will be formatted, analyzed, and presented using industry-standard conventions and best practices. Each of these responsibilities will be allocated based on the Processor’s policies governing confidentiality and prior experience interacting with sensitive information. Any identifiable information linked to the datasets that is unnecessary to perform the stated scope of work will be erased. Any derived products will be de-identified and presented at a resolution that is consistent with the Processor’s standards as well as the BOE’s requirements for internal use and for external publication. Clear communication channels between analysts, communications managers, project managers, and the public will be clearly identified to interface between the Processor and BOE. These functions address the Control-P and Communicate-P functions of the NIST Privacy Framework.

    Access to the raw data will be limited to personnel identified to the BOE. Each personnel will receive an overview of this document, the sensitivity of the Protected Information, and the repercussions of violating local, state, and federal privacy laws before finally being introduced to the dataset. The Processor intends to limit the number of personnel interacting directly with the data to the bare minimum.

  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

College Board 

1. The exclusive purposes for which Protected Information will be used: Students who choose to take College Board’s standardized national AP exam provide PISI to College Board for the AP exam. College Board uses the PISI in connection with the provision of the AP exam to NYC students. Data is used exclusively in the registration, delivery of score reports to students and schools, and test security processes associated with each of the assessments. 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: All College Board vendors are required to complete our Data Security questionnaire to identify the security controls that they have in place. After a risk assessment of each vendor is completed, any remediations are provided to the organizations. Furthermore, each vendor that stores PISI on behalf of College Board is required to agree to College Board Data Security Requirements and, in most cases as applicable, provide evidence of their compliance via a SOC 2 report.
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: At the end of the agreement, PISI collected from the students, or data that is connected to the student accounts, is retained by College Board on behalf of the students, for legitimate educational purposes including but not limited in order for students to continue to access their assessment scores and related data from assessments. This allows students to send scores to colleges and other programs, as well as use the information to support students’ direct contact with College Board. The data continues to be protected via College Board information security management system.
[NYC DOE comment: The current agreement became effective starting on July 1, 2018 and terminates when all NYC DOE schools and/or offices cease using College Board’s products/services. The terms of the agreement remain effective through the period during which College Board possesses or otherwise is in control of covered protected information.]
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI collected through this agreement is stored within the United States. College Board does make use of cloud service providers but restricts this data to US-based regions.
College Board maintains a comprehensive, layered security program that is based upon the ISO 27001 framework. Wherever possible, it also uses the NIST Cyber Security Framework and the CIS benchmarks as guideposts for standards. The security program, which is evaluated annually by third party audits, consists of physical, network, system, data, and application security-related components. College Board maintains ISO 27001 and SOC 2 certifications, as well as PCI DSS compliance. It has a comprehensive set of policy controls, awareness training for all users who interact with PISI, and third-party risk management programs. In addition to its annual compliance audits, it engages multiple third parties to conduct assessments and penetration tests to continually evolve.
6. How the data will be encrypted (described in such a manner as to protect data security): All PISI data is encrypted at rest and in transit using industry standard or better practices. In transit, the College Board uses TLS 1.2 as its standard, and for data at rest, it uses multiple industry standard formats such as AES-256 or better. In cases where data cannot reasonably be encrypted, a waiver and evaluation process exists, and additional mitigating controls are put in place to ensure the security of the data.

Curriculum Associates, LLC (i-Ready)

  1. The exclusive purposes for which Protected Information will be used: Personally Identifiable Student Information (PISI) will be used to make online i-Ready product available to the NYC DOE.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Curriculum Associates does not use subcontractors. Individual contractors sign NDAs and/or Student Data Privacy Acknowledgments. 
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: PISI is deleted upon written request. [NYC DOE comment: The current agreement became effective starting on January 23, 2020 and terminates when all NYC DOE schools and/or offices cease using Curriculum Associates, LLC’s products/services. The terms of the agreement remain effective through the period during which Curriculum Associates, LLC possesses or otherwise is in control of covered protected information.]  
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipients. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI is stored in the United States.
  6. How the data will be encrypted (described in such a manner as to protect data security): Application data is encrypted at rest with AES-256 algorithm and in transit is encrypted with TLS 1.2 algorithm.

D2L Ltd. 

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term

    Contract Start Date: 7/1/2021

    Contract End Date: 6/30/2024

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

    Provision of a Learning Management System and related services to NYC DOE.

  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII; and Make all PII available for retrieval by NYC DOE.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

    Data is hosted in secure facilities operated by Amazon Web Services. All data in transit is protected using TLS 1.2 protection. All data at rest is encrypted with AES256 at file object level.

  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

DeltaMath Solutions Inc

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term

    Contract Start Date: 1/26/2022

    Contract End Date: 6/30/2025

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Access to and use of deltamath.com, an online platform for the teaching and learning of mathematics.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

    Data is housed on AWS servers in Ohio, USA and is protected both physically and via data encryption. Data is encrypted both in transit and at rest. Data is only accessed in the case of a legitimate educational purpose and, if so, from registered IP addresses. All employees with access to data undergo criminal background checks and are trained, both on hire and annually thereafter, in the requirements of federal, state, and local privacy laws.

  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Discovery Education, Inc. 

1. The exclusive purposes for which Protected Information will be used: To provide digital education services.
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Pursuant to Recipient’s DPA, attached hereto as Attachment B.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon termination or expiration of the agreement, Recipient will promptly, but without undue delay, destroy student data upon BOE’s written request. Recipient may retain student data to the extent required by the laws, rules, and regulations to which Recipient is subject, or if student data resides in Recipient’s backup archives, Recipient will continue to protect the security and confidentiality of such retained student data in accordance with the agreement and the DPA. Recipient has implemented retention rules so that student data in backup archives is retained for as short a time as necessary.
 
[NYC DOE comment: The current agreement became effective starting on January 23, 2020 and terminates when all NYC DOE schools and/or offices cease using Discovery Education, Inc.’s products/services. The terms of the agreement remain effective through the period during which Discovery Education, Inc. possesses or otherwise is in control of covered protected information.]
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. 
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information will not be stored outside of the US. 
 
6. How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted at rest in the database.  We perform daily lookup as well as backups.  For data in transit, our subscription site is SSL embedded with AES-290

Don Johnston Inc

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term: TBD
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

    Snap & Read Universal is a Text Reader to read aloud materials as well as support students in comprehending materials. Required student data collected: Email OR user name and password for login purposes. Other personally identifiable data for student accounts is solely used for educational purposes by the student and the student’s educational institution.

    Co:Writer Universal is a Word Prediction, Speech to Text and Translation tool to support struggling writers. Required student data collected: Email OR user name and password for login purposes. Other personally identifiable data for student accounts is solely used for educational purposes by the student and the student’s educational institution.

    uPAR (Universal Protocol for Accommodations in Reading) is a data tool to help educators match students to reading accommodations. uPar does not require use of personally identifiable student information. Personally identifiable data for student accounts is solely used for educational purposes by the student and the student’s educational institution. The only data collected is that which is valuable for educational purposes.

    Word Bank Universal extracts words, places, people, facts and dates into a meaningful format. Required student data collected: Email OR user name and password for login purposes. Other personally identifiable data for student accounts is solely used for educational purposes by the student and the student’s educational institution.

    Quizbot is a teacher-only tool. Build quizzes automatically from any text with one click. Automatic scoring through Google Forms shows instantly what is being comprehended. No Student Accounts exist (and no data is collected).

    Readtopia is a special education curriculum designed for teachers who work with late elementary, middle, and high school students with autism and other complex needs. It serves as an integrated comprehensive reading curriculum across several domains of study including ELA, Math, Social Studies, Life Skills, and Science. Students do not login and no student data is collected.

  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII; and Other. Vendor stated “The district has access to student data at all times and is responsible to download data prior to expiration of the Agreement. After that, we will automatically destroy all data in 30 days and 65 days from all backups.”
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

    Administrative Safeguards: We do annual training for all staff and assign access based on roles, limiting the number of people who have access to the data.

    Physical and Technological Safeguards: All data is kept on AWS (Amazon Web Services) servers.

    AWS has the most stringent physical safeguards that have earned it ISO 27001 compliance, a Department of Defense Impact Level 4 Provisional Authorization, over 400 National Institute of Standards and Technology security controls, and a PCI DSS Level 1 certification among other security standards. All data is located in geographically discrete locations within the United States. Data at Rest - All data at rest is encrypted with AES-256 encryption algorithm. Data in Transit - All data being transmitted is protected with Secure Socket Layer and password hashing.

  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

DreamBox Learning, Inc.

  1. The exclusive purposes for which Protected Information will be used:
    To provide hosted services and adaptive math software to the district.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: DreamBox does not utilize subcontracts in its delivery of software or services; however, DreamBox will ensure that all authorized persons are aware of the confidential nature of the information being shared and have been trained on data protection and security best practices.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Personally Identifiable Student Information (PISI) will be removed from the DreamBox system and returned to the district at the district’s request. [NYC DOE comment: The current agreement became effective starting on October 1, 2019 and terminates when all NYC DOE schools and/or offices cease using DreamBox Learning, Inc.’s products/services. The terms of the agreement remain effective through the period during which DreamBox Learning, Inc. possesses or otherwise is in control of covered protected information.]
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI will be stored in the US. DreamBox is ISO27001 certified and meets industry best practices for data security including encrypted at rest and in transit.
  6. How the data will be encrypted (described in such a manner as to protect data security): At rest and in transit.

EBSCO Industries, Inc. DBA EBSCO Information Services

1. The exclusive purposes for which Protected Information will be used: EBSCO uses the Personal Information we collect for the limited purposes of processing your transactions, establishing and/or verifying a person’s or account holder’s identity, customer service, improving and customizing our Services and their content, authorization, content processing, content classification, and providing you with information concerning our Services.

2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: In situations where we share Personal Information with Service Providers, we ensure access is granted to the Service Providers only upon the condition that the Personal Information is kept confidential and is used only for carrying out the services these Service Providers are performing for EBSCO Information Services. As part of making that determination whether we will share Personal Information with Service Providers, we will obtain assurances that they will appropriately protect and maintain the confidentiality of Personal Information consistent with our Privacy Policy and as required by applicable law.

For additional information, please see EBSCO's Privacy Policy: https://www.ebsco.com/company/privacy-policy#prod_how-do-we-secure-info  

3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Contract duration - 4/1/2021 to 3/31/28

EBSCO will only retain information for as long as the account is active, or as needed to provide you Services, comply with our legal obligations, resolve disputes, and enforce our agreements. Upon contract termination, data will be deleted or pseudonymized. If this is not possible (e.g., because the information has been stored in backup archives), then EBSCO will securely store the information and isolate it from any further processing until deletion is possible.

4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Contractor.

[NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov] 

5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data will be stored within EBSCO's data centers located in the greater Boston, MA area. EBSCO maintains an extensive information security policy to protect data which focuses on web application security and includes firewall and router security, data classification and control, vulnerability identification, authentication, etc.  

EBSCO also keeps audit trails to maintain records of system activity both by system and application processes and by user activity, which, in conjunction with appropriate tools and procedures, acts as a technical control facilitating the detection of security violations, performance issues, etc.

6. How the data will be encrypted (described in such a manner as to protect data security): All sensitive data is securely encrypted in the database with restricted access. Data is also encrypted in transit with SS/TLS1.2 2048-bit encryption.

Edmentum, Inc.

1. The exclusive purposes for which Protected Information will be used: The protected information will be used in order to provision and provide access to students to Edmentum’s curriculum resources.  Additionally, the data will be used to automatically generate learning paths and assignments for students utilizing the assessment data from other third party systems. Finally, the data will be used to perform research studies to improve the levels of instruction and administer predictive tests.
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Edmentum takes the following precautions:
• Background checks are always completed 
• A form is signed to ensure understanding and compliance of the adherence to federal and state laws governing confidentiality and privacy policies 
• Security training is required and taken annually
• Edmentum also ensures that sub-contractors have background checks. Additionally, all sub-contractors and their contracting firms are required to adhere to all Edmentum policies and procedures.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: This agreement starts on the date signified within this document for execution and ends when all agreements and products cease use in the NYC DOE. As requested, or directed by NYC’s DOE, Edmentum will return or destroy all data in a timely manner.
 
 [NYC DOE comment: The current agreement became effective starting on April 19, 2020 and terminates when all NYC DOE schools and/or offices cease using FMYI, Inc.’s products/services. The terms of the agreement remain effective through the period during which Edmentum possesses or otherwise is in control of covered protected information.]
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
 
 [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Edmentum only authorizes the use and access to the data on a need to know basis, ensuring that only the personnel needed to serve the DOE students have access to the data. Edmentum utilizes Tier 3 data centers with the highest levels of security, policy and controls to protect the data. All customer data is always encrypted in transit and at rest through industry accepted encryption methods.
 
6. How the data will be encrypted (described in such a manner as to protect data security): All customer data is always encrypted in transit and at rest through industry accepted encryption methods including SSL, TLS and transparent data encryption.

Educa

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Educa is a private online sharing platform where teachers document and share children’s learning. It supports heart-led documentation, via Learning Stories, that in one motion meets reporting requirements and provides learning visibility – in other words, images and videos – helping families and teachers work together. In order for Educa to carry out these communication-oriented goals, it is absolutely essential that PII be readily accessible for all teachers, students, and parents that exist in the platform.
  4. Type of PII that the Entity will receive/access: Student PII; APRP PII (Identifiable Teacher or Principal Annual Professional Performance Review Data); Other. The vendor specifies that “Ideally Educa would have access to PII for teachers, students, and their parents. For example, all users in Educa must have a unique email address, which they use to sign into the platform.”
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. [DOE comment: In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
    • no later than upon termination of this Agreement

      In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.]

  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, specifically “inside an MS SQL RDS database, hosted on Amazon Web Services in US East.”
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data will reside inside an MS SQL RDS database, hosted on AWS in US East. All data to and from the database is encrypted in transit and at rest. Backups are also encrypted and hosted in AWS.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Eduware, Inc.

1. The exclusive purposes for which Protected Information will be used: To provide the requested services and to ensure proper functioning of sites. To provide requested customer support and communicate with user.

2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Eduware, Inc. does not use subcontractors; however, in the event that Eduware, Inc. engages subcontractors, assignees, or other authorized agents to perform one or more of its obligations under the AGREEMENT (including any hosting service provider) it will require those to whom it discloses Protected Data to execute legally binding agreements acknowledging the obligation under Section 2-d of the New York State Education Law to comply with the same data security and privacy standards required of Eduware, Inc. under the AGREEMENT and applicable state and federal law.

3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon expiration of that agreement without a successor agreement in place, Contractor shall assist NYC DOE and any educational agencies that contract with NYC DOE for the provisions of Contractor’s products or services in exporting any and all student data and/or teacher or principal data previously received by Contractor back to NYC DOE or the educational agency that generated the student data and/or principal data. Contractor shall thereafter securely delete or otherwise destroy any and all student data and/or teacher or principal data remaining in the possession of Contractor or its assignees or subcontractors (including all hard copies, archivist copies, electronic versions or electronic imaging of hard copies of such data) as well as any and all student data and/or teacher or principal data maintained on behalf of Contractor in secure data center facilities. Contractor shall ensure that no copy, summary, or extract of the student data and/or teacher or principal data or any related work papers are retained on any storage medium whatsoever by Contractor, its subcontractors or assignees or the aforementioned secure data center facilities. To the extent that Contractor and/or its subcontractors or assignees may continue to be in possession of any de-identified data (i.e., data that has had all direct and indirect identifiers removed) they agree not to attempt to re-identify de-identified data and not to transfer de-identified data to any party.

[NYC DOE additional information: The current agreement became effective starting on December 1, 2020 and remains effective until November 30, 2027.]

4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Contractor.

[NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov]

5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Student data and/or teacher or principal data transferred to Contractor by NYC DOE or NYC DOE officers, employees, agents, or students will be stored in electronic format on systems maintained by Contractor in a secure data center facility, or a data facility maintained by a board of cooperative educational services, in the United States. In order to protect the privacy and security of student data and/or teacher or principal data stored in that manner, Contractor will take measures aligned with industry best practices and the NIST Cybersecurity Framework Version 1.1. Such measures include, but are not necessarily limited to disk encryption, file encryption, firewalls, and password protection.

More specifically, data is stored in Amazon Web Services (AWS) which are served from a data center in Oregon, United States. Servers are secured physically by Amazon, and virtually by installed firewalls and a strict authorization system. Additional security information about the AWS system is available online at: https://amazon.com/security/. All data storages are only available through password/key protected instances. User passwords are encrypted in the database, so even Contractor’s high level system administrators can’t view sensitive password information. All of Contractor’s network communication is now encrypted under HTTPS.

6. How the data will be encrypted (described in such a manner as to protect data security): Eduware, Inc. (or, if applicable, its subcontractors) will protect Protected Data in its custody from unauthorized disclosure while in motion or at rest, using a technology or methodology specified by the secretary of the U.S. Department of HHS in guidance issued under Section 13402(H)(2) of P.L. 111-5. 

Everbridge, Inc.

  1. The exclusive purposes for which Protected Information will be used: Data/assets the client provides to the Everbridge platform are utilized solely by the client for their critical event management and communication purposes. Everbridge does not leverage/utilize client data beyond what is outlined in the Everbridge MSA.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Everbridge providers must align to Everbridge’s security requirements as otherwise, Everbridge is unable to obtain and maintain our security and compliance attestations. At no time is any third party granted access to the Everbridge platform or the client data therein. Everbridge is a SOC2, SOC3, FISMA, Safety Act, ISO 27001, EU-US Privacy Shield, G-Cloud 9, UK ICO, and BSI C5 certified organization and we have achieved FedRAMP “Authorized” status. Our security policies are governed by NIST 800-53 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Controls for Moderate Impact systems, and an overview of our security policies and attestations can be found here: https://www.everbridge.com/company/legal/. All policies and attestations are reviewed and updated annually.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Regarding records management and data retention, Everbridge’s controls align to our security framework (which is governed by NIST 800-53 controls, FedRAMP, and ISO 27001 compliance) and there are several facets to this:
    • Product system reporting data, available for all client campaigns, is available in the web based console and product suite for 18 months. At any time, clients may download and archive reports available in Everbridge in various formats (HTML, CSV, PDF) and store these internally within their organization;
    • Security Event Report data is available to authorized client administrators in the web based console and is accessible for up to the prior 6 months from when the report is generated by the administrator;
    • Data that clients store as contacts or assets within the Everbridge platform is not purged or managed by Everbridge, in any way, throughout the life of an active services agreement. However, when an organization’s contract expires, the organization’s account will be deactivated and listed for deletion. Thirty days from the contract expiration date, the organization’s data will be flagged for purging and all of the organization’s data will be removed from the active system. Everbridge retains the organization’s data for one month in the event the organization wishes to extend its subscription;
    • For clients using our Safety Connection functionality, travel itineraries are stored for 12 months in the past and for 12 months into the future; Last Known Location is kept from the last report from the source and until it is overwritten by the source;
    • Business records are kept by Everbridge for 7 years and/or as required by law

      [NYC DOE comment: The current agreement became effective starting on March 19, 2020 and terminates when all NYC DOE schools and/or offices cease using Everbridge, Inc.’s products/services. The terms of the agreement remain effective through the period during which Everbridge, Inc. possesses or otherwise is in control of covered protected information.]

  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Clients are wholly responsible for managing their data set in the Everbridge platform. Thus, any such rights to access, review, update, and correct their personal information will be handled by authorized client administrators. Should Everbridge receive such requests directly from client users, those requests will be re-directed to client administrators to fulfill. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Everbridge maintains four implementation regions around the world for our services: United States, United Kingdom, Germany, and Canada. Clients will choose their implementation region from those listed above and client data will then be stored and processed within the selected implementation region only. Typically, US based clients will be implemented in our US-based implementation of Everbridge (which consists of secure cloud hosting facilities in Northern CA and Northern VA). Regardless of data store chosen, Everbridge is a SOC2, SOC3, FISMA, Safety Act, ISO 27001, EU-US Privacy Shield, G-Cloud 9, UK ICO, and BSI C5 certified organization and we have achieved FedRAMP “Authorized” status. Our security policies are governed by NIST 800-53 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), Controls for Moderate Impact systems, and an overview of our security policies and attestations can be found here: https://www.everbridge.com/company/legal/. All policies and attestations are reviewed and updated annually.
  6. How the data will be encrypted (described in such a manner as to protect data security): Everbridge’s implemented encryption technologies align to FIPS 140-2, NIST 800-53 controls, FedRAMP, and ISO 27001 compliance. HTTPS TLS 1.2 and SFTP using SSH are used for secure communication with the platform. Client data is encrypted at rest using AES 256-Bit encryption (database is encrypted at the file level). Platform backups are secured using AES 256-Bit encryption. All encryption keys are managed internally by Everbridge using a digital key management solution.

EverFi, Inc.

  1. The exclusive purposes for which Protected Information will be used:  Personally Identifiable Student Information (PISI) will be used for registration and use of EverFi courses.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Everfi requires employees, subcontractors and authorized persons or entities that receive student data or teacher or principal data to sign agreements that include appropriate confidentiality obligations that covers such data.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: EverFi will return or destroy such data in accordance with the terms of this agreement. [NYC DOE comment: The current agreement became effective starting on March 5, 2020 and terminates when all NYC DOE schools and/or offices cease using EverFi, Inc.’s products/services. The terms of the agreement remain effective through the period during which EverFi, Inc. possesses or otherwise is in control of covered protected information.]
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipients. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI will be stored in the U.S. (within contiguous 48 states) in accordance with EverFi’s Data Security Policy. Please see EverFi’s “Data Security Policy” for more details.
  6. How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted at rest and in transit (AES-256 encryption algorithm). Database connections are via SSL protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384.

Evolution Labs (EL) (Suite 360)

  1. The exclusive purposes for which Protected Information will be used: For the purposes of administering and assessing learning related to the subject material of the program.  
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Data is only shared with Evolution Labs employees with a demonstrated need for that information (i.e. developers, DBAs, Client Services etc).  Each EL employee receives annual training on protecting user data. Data is never shared outside of EL.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: NDA begins on August 27, 2020 and is sustained indefinitely until/unless either party terminates the agreement. Upon expiration of the agreement, archived data is kept for 12 calendar months upon which time it is destroyed. Accelerated deletion of data can occur upon request.
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data is stored in the US and all databases are encrypted and protected with industry standard security.
  6. How the data will be encrypted (described in such a manner as to protect data security): Databases are encrypted at rest. All programs utilize industry standard encryption.

Family Life Time Solutions, Inc.

  1. Type of Entity: Community Based Organization or Not-for-Profit
  2. Contract / Agreement Term

    Contract Start Date: 11/1/2021

    Contract End Date: 9/1/2022

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

    The #SameHere Teacher and Student Apps allow teachers and students to share their feelings in a secure app setting. The app acts as an emotional thermometer. It is not diagnostic, and it does not make recommendations. It strictly allows students to tell teachers how they are feeling, and to track those feeling trends over time.

  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

    Log systems are in place so as to identify unauthorized access of the databases. Vulnerability assessments are done periodically to identify any threats or risks. OWASP Top 10 is being followed as much as possible. Also WAF are implemented to avoid DDOS attacks.

  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

FOCALPOINTK12, INC.

1. The exclusive purposes for which Protected Information will be used: The software provides online learning for middle and high school students in a classroom setting. The student names and their grades will be available to teachers and advisors.
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: The company has strict data protection and privacy policies in place and adheres to them. The company has built stricter security policies as part of the contracts working with several State DOE agencies.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: All the data will be removed and purged from the system.
 
[NYC DOE comment: The current agreement became effective starting on June 6, 2020 and terminates when all NYC DOE schools and/or offices cease using FOCALPOINTK12, INC.’s products/services. The terms of the agreement remain effective through the period during which FOCALPOINTK12, INC. possesses or otherwise is in control of covered protected information.]           
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All the data is securely stored in the US East region in a Microsoft Azure Elastic Cloud Environment. The data is encrypted both in transit and at rest. Azure Cloud provides multi-layered, built-in security controls and unique threat intelligence to identify and protect against rapidly evolving threats.
 
6. How the data will be encrypted (described in such a manner as to protect data security): All the communication between the users and web applications is secured with an SSL layer. All communications between the web application and the database happen on an encrypted channel. The data storage inside the database is encrypted.

Gradecam, LLC

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Summative and formative student assessment. We require the following data elements for our product: Student first name, Student last name, Student ID, Class name, Class ID – OPTIONAL, Class period – OPTIONAL, Grade level – OPTIONAL, Term, Student grade, Teacher/Administrator first name, Teacher/Administrator last name, Teacher/Administrator email address, Teacher/Administrator ID – OPTIONAL. The information above is required to assign a grade to a particular student in a class taught by a teacher.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third-party entities.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
    • no later than upon termination of this Agreement
    In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received unless it is required to retain it for longer by law.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using an entity-owned and/or internally hosted solution.
  9. Describe the administrative, technical, and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Gradecam servers are hosted within SOC2-compliant data centers and require multiple factors of authentication to gain access to the data center and server cage. Individuals who are authorized to enter the data centers are very limited and are restricted to those responsible for operating the infrastructure. Gradecam also utilizes firewalls and RBAC based controls to limit the ability to connect to systems housing PII data. All data is encrypted both in transit and at rest using industry standard algorithms. Access to the database systems requires, in addition to a valid username and password, a valid certificate from an internal certificate authority (CA) which is strictly controlled.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, the Entity agrees that PII will be encrypted using industry-standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Great Minds PBC

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Great Minds PBC seeks to ensure that all students in America’s public schools, regardless of their circumstances, receive a content-rich education in the full range of the liberal arts and sciences, including English, mathematics, history, the arts, science, and foreign languages. Great Minds does this by working with teachers, scholars, and schools to create curricula and instructional materials, conduct research, and promote policies that support a comprehensive and high-quality education.

    Great Minds Digital Platform may be used by schools, school districts, or teachers in a classroom setting as part of their selected educational curriculum. Within the Great Minds Digital Platform, teachers have access to curriculum materials, within-application reports and visualizations to help them assess student learning and to assist in planning. Administrative reports and data extracts are also available to district and school admin users. Students may access complete assessments and other activities their teacher has assigned to them.

    Great Minds digital products are hosted by Great Minds in the Amazon Web Services (AWS) cloud, in US-based data centers. Students and teachers access our products through the web browser. Ours is a multi-tenant solution. We ensure isolation of data through secure coding practices, industry-standard claims-based authorization techniques, and routine penetration tests. We support multiple integration options to authenticate and authorize users of our digital products.

  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. [DOE comment: In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
    • no later than upon termination of this Agreement

      In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.]

  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services.”
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data, including customer PII, is encrypted at rest and in transit using industry-standard encryption. Data is stored in AWS (Amazon Web Services) data centers, which have stringent physical security standards in place. More information on the physical security controls in place can be found here: https://aws.amazon.com/compliance/data-center/controls/. We have multiple administrative safeguards in place to protect access to PII. Access to sensitive information is restricted to those with valid business justification for doing so and only on a temporary basis. We also have automated systems in place that scan our infrastructure and our logs for any anomalies that could indicate a security event, as well as looking for potential vulnerabilities. Potential vulnerabilities or security incidents are alerted to our DevOps team via multiple channels and action is taken as appropriate.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

    Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Grouptrail

  1. The exclusive purposes for which Protected Information will be used: NYC DOE Bridge for All Program.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE:  There is no sharing of the student data by Grouptrail for NYC DOE Bridge for All. If there was, we will have the subcontractor sign an amendment to our agreement that includes these data protection and security requirements required by this non-disclosure agreement with the NYC DOE.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement:  Upon termination of our relationship with the NYC DOE related to this agreement, the protected information is deleted. Decommissioned media utilizes techniques detailed in NIST 800-88. [NYC DOE comment: The current agreement became effective starting on June 26, 2020 and terminates when all NYC DOE schools and/or offices cease using FMYI, Inc.’s products/services. The terms of the agreement remain effective through the period during which FMYI, Inc. possesses or otherwise is in control of covered protected information.]
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information is stored in the US. 
  6. How the data will be encrypted (described in such a manner as to protect data security):  SSL for data in transit, network firewall, and encryption at rest.