Vendors I-Q

New York Education Law §2-d gives parents the right to access certain information about agreements the NYC DOE has entered into with outside entities (such as vendors) who are permitted to receive or to access identifiable student information from the DOE. These entities are required to answer a number of questions about their privacy and data security practices. Responses from such outside entities to these questions are found below. Please note that this page will be updated on a periodic basis with responses from additional outside entities.

PLEASE NOTE: The entities listed below do not comprise a list of “approved DOE vendors” and therefore should not be thought of as such. Some entities listed below may have agreements that have expired or were terminated, but whose information has not yet been moved or removed. Other entities, whose names do not appear below, may have agreements with the DOE, or agreements that are in progress, but their responses are still being processed and have not yet been posted. Additionally, there are some entities that do not collect personally identifiable information. Their information may not appear below. 

Listed in Alphabetical Order:

iChineseEdu (for iChinese Reader)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. PII is used to set up accounts for teachers and students, and connecting with SSO. 

Type of PII that the Entity will receive/access: Student PII and Other (teacher’s information, class assignment, and students’ class assignment)

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. “All PII data is stored in the AWS database, which can’t be access directly. Customers need accounts to use the app. The APIs relative to PII data need to be called with authtoken, which can be got by login successfully. SchoolAdmin account can access teachers and students PII data in the school, teacher account can access teacher and students PII data in the class, student account can access his/her PII data, parent account can access his/her children’s PII data.”

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Idiom Publishing Co

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Idiom Publishing Co., Inc. is offering Digital Yearbooks to the students of NYC. The only PII Idiom needs is a student’s NAME and EMAIL address, which is necessary to create a login credential to allow students to access their Digital Yearbook.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. “Idiom may retain PII beyond the term of the agreement for Subject Students who have provided duly executed express written consent.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All student Personal Information will be protected with multiple programs both within the company as well as programs provided by the company (AWS) that hosts the servers that contain the digital yearbook. Information will be restricted to authorized personnel only. Cyber incidents will be addressed immediately and the DOE will be notified within 24 hours. Students PII will be protected using all industry standards such as encryption, firewalls, and password protection and there will be regular training on data privacy. Additionally, data will be encrypted both at rest and in transit. As data will be stored with AWS, they will use secure physical access to data centers, server rooms and other facilities where PII is stored.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Illuminate Education

The exclusive purposes for which PISI will be used: The provision, implementation, administration, and/or maintenance of K-12 education technology products and services related thereto.

How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: Any and all subcontractors or other authorized persons or entities that Illuminate shares data with will be required to enter into strict confidentiality provisions in accordance with similar terms contained herein, and Illuminate retains the right to demand certification of compliance to said terms.

When the agreement expires and what happens to PISI upon expiration of the agreement: There is no one set term for the non-disclosure agreement, as individual schools may purchase Illuminate’s products or services at different times and for different periods. Within thirty (30) days of the termination of any license or data sharing agreement, Illuminate destroys all PISI. The data privacy and security terms of Illuminate’s agreement with NYC DOE will remain in effect for as long as Illuminate is in possession of NYC DOE confidential information. [NYC DOE additional information: The current agreement became effective starting on January 24, 2020 and remains effective through the period during which Illuminate Education, Inc. possesses or otherwise is in control of covered protected information, which varies depending on the services a given school purchased from Illuminate Education, Inc.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. Challenges should be emailed to studentprivacy@schools.nyc.gov or mailed to the attention of the Chief Privacy Officer Rm 308, NYC Department of Education, 52 Chambers Street, New York, NY 10007. [NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov]

Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: All PISI data is hosted primarily with Amazon Web Services, and there are select products hosted with Google Cloud Platform, which are being migrated to AWS. AWS hosts the data in the United States. Either provider’s SOC2 report is available upon request or can be accessed by contacting AWS or GCP directly.

How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted at both rest and in transfer in accordance with NIST Cybersecurity Framework requirements.

ImageWork Technologies

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 3/01/2023 – 2/28/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Our IT consultants are providing IT Services for NYC DOE's OPE division, under the DOE's MWBE contract # P0030. Under this contract, ImageWork is serving DOE as a staffing service provider, placing one Senior Project Manager/BA, one Full Stack Developer, one Data Developers one UX/UI Designer /Developer, one Senior QA Analyst and one Document Writer in the team towards staff augmentation. We understand that our consultants might have access to PII data during their services under this project. But no data of any kind of PII or otherwise, will be removed from DOE systems and none will be shared with our company or anyone outside. It is important to note that this is not a project managed by lmageWork, but it will be managed by the DOE managers at the DOE office. Further, our consultants will not be storing, collecting, or otherwise using PII on anywhere else but DOE-owned or controlled networks, data systems, devices, or applications, and so there will be no PII in its custody or control for it to delete or destroy. Our Access Control Mechanism will manage and govern access within the DOE Compliance Systems Modernization Project. This will have clear definitions as to accounts that can access DOE Compliance Systems Modernization and in what capacity and extent these accounts can access DOE Compliance Systems Modernization Project. We will create hierarchal role-based access control, that uses a Least privilege policy (LP2). We will implement our access control using Claims Based Identity Management for providing DOE’ users with an SSO (Single Sign-On) Experience while accessing DOE Compliance Systems Modernization Project. Our Authentication and Authorization mechanisms will elaborate in detail our proposed access control mechanisms. Team IMAGEWORK will implement a custom authorization manager for defining and identifying roles within DOE Compliance Systems Modernization Project. We will store roles in a Roles database and will have user map identifying the roles for each user. We will implement roles manager using “Principal” interfaces from ASP.NET framework. “Principal” Interface will allow for interoperability for roles management across all layers within DOE Compliance Systems Modernization Project. As part of our role management process, we will ensure that roles can be managed through a configuration editor. We will set up roles in a hierarchical manner that will identify various access levels for DOE, and respective modules. We will use windows Identity Foundation to extract and process claims form the authentication and authorization processes. Claims are set of properties, identifying who the user is and what roles they have. Claims are a globally accepted source for authentication exchanges, provided the claim originates from a trusted identity provider. The advantage of using Windows Identity Foundation for claims-based authentication is to enable the integration of the DOE Compliance Systems Modernization application with External Authentication providers or OAuth providers. This will be useful when DOE is ready to expose DOE Compliance Systems Modernization on Internet to offer True SSO.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third-party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: The Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We understand that our consultants might have access to PII data during their services under this project. We ensure that the data will be controlled and secured as per the DOE Guidelines and will not be harmed by our consultants. Further, our consultants will not be storing, collecting, or otherwise using PII on anywhere else but within DOE-owned or controlled networks, data systems, devices, or applications, and so there will be no PII in its custody or control for it to delete or destroy. ImageWork will limit access to Confidential Information by the following methods:

  • Not use Confidential Information for any other purposes than those authorized in our contract.
  • Confidential information will never be disclosed to anybody except fully authorized personnel but in special needs and provisions for advance reporting or critical updates to be communicated for time sensitive scenarios. Proper approval process will be followed and agreed by both lmageWork Technologies Corporation and DOE
  • Maintain reasonable technical, administrative, and physical safeguards to protect Covered Confidential Information. Below listed are few highlighted action steps:
    • Proper encryption of data
    • Assess the Data to Encrypt
    • Formulate Industry standard Security Strategy
    • Establish Secure and Key Management
  • Not sell covered Confidential Information, nor use Confidential Information for any commercial settings.
  • Provide training on laws governing confidentiality to our officers, employees, and assignees with access to such Confidential Information.
  • Notify the DOE of any security breach resulting in an unauthorized release of Confidential Information, and promptly reimburse DOE for the full notification cost.
  • Below is high level procedure followed for reporting and handling security breaches.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Imagine Learning LLC

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Imagine Learning provides digital K-12 core, supplemental and intervention courses for each grade level. Our innovative teaching solutions use insights from real-time data to meet each student where they are and enable their success in class today and for a lifetime of learning. Users must create an account to access the product site. We use PII to create these accounts for students and teachers. Products include:

Core

  • Imagine EL- A comprehensive, content-based K-8 core language arts program that utilizes real-world compelling texts to engage and excite learners.
  • Illustrative Math- Offers the highest quality core math curricula for grades K–12, powered by a best-in-class integrated learning experience.

Supplemental

  • Edge (Courseware)- Dynamic courses help students in grades 6–12 maximize their potential. Initial credit and credit recovery courses adapt to each student's unique learning journey.
  • Purpose Prep- A CASEL-aligned social and emotional learning program for your primary and secondary students, as well as for your faculty and staff.
  • Imagine Galileo-A forward-thinking ELA, SLA, math, science, and College Prep benchmark and formative assessment system for K–12 that offers a powerful blend of convenience and flexibility.
  • Imagine Espanol- A rigorous and personalized program for Spanish language and literacy development in grades K–2, building the foundational skills of bilingualism, biliteracy, and cultural competency.
  • Imagine Language & Literacy- Accelerate reading and language development in PreK-6 with our personalized learning solution designed to complement any core literacy program.
  • Imagine Lectura- Empower bilingual students in grades 3–5 to unlock comprehension of authentic Spanish texts and succeed with grade-level learning tasks.
  • Imagine Math- A supplemental math program that builds students' aptitude to solve problems and justify reasoning both inside the classroom and in day-to-day life, ultimately moving them beyond computation to real comprehension.
  • Imagine Math Facts- With award-winning gamification, make practicing fluency in addition, subtraction, multiplication, and division fun, fast, and effective for elementary students.
  • Imagine Reading- Scaffold learning for students in grade 3–8 using a library of exemplary genre texts to pique interest and deepen comprehension and conversation.

Intervention

  • MyPath- An intervention solution for math that delivers targeted, age-appropriate learning paths for all students, and targets achievement gaps using our intuitive Smart Sequencer™ technology.
  • Pathblazer- Is a personalized intervention program for K–6 designed to accelerate struggling learners in math and reading toward grade-level achievement using data-driven learning paths.

Instructional Services

  • Imagine Learning virtual instructors are highly qualified, certified teachers who prioritize student success in K–12. They work across time zones and devices to provide students with the personalized instruction and the support they need to learn, grow, and reach their full academic potential.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Other: Upon the earliest of any of the following (i) whenever requested by the BOE, (ii) whenever the Processor no longer needs the Confidential Information to provide the Services to the BOE, (iii) whenever a BOE school or office ceases use of a product or service of the Processor, with respect to the Confidential Information Processed for the school or office with respect to that product or service, or (iv) no later than upon termination of this Agreement, the Processor shall promptly (a) with respect to physical copies of Confidential Information, surrender, or if surrender is not practicable, securely delete or otherwise destroy Confidential Information and (b) with respect to digital and electronic Confidential Information, securely delete or otherwise destroy Confidential Information remaining in the possession of the Processor and its Authorized Users, including all hard copies, archived copies, electronic versions or electronic imaging of hard copies of such data.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS and Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. In addition to the protections afforded by our cloud hosting providers, practices employed at Imagine Learning to protect personal data include, but are not limited to:

  • Data encryption. Data is encrypted in transit and at rest.
  • Access. Access to personal information is restricted to a limited number of Imagine Learning employees who need such access to perform their job.
  • Data Systems Monitoring. Imagine Learning employs several third-party services that continuously monitor and scan our online services for vulnerabilities and misconfigurations. Employees dedicated to operating our services monitor these services and receive automated alerts when performance falls outside of prescribed norms.
  • Incident Response Plan. Imagine Learning regularly reviews and maintains an incident response plan.
  • File Transfer Protocol. Data is securely transferred to Imagine Learning using File Transfer Protocol (FTP) over secure (SSL/TLS) cryptographic protocol.
  • Firewalls. Anti-virus software and firewalls are installed and configured to scan our systems. The firewall is periodically updated and configured so that users cannot disable the scans.
  • Security audits. Imagine Learning conducts security audits and code reviews, both by outside providers and by executive summary.
  • Secure programming practices. Imagine Learning software developers are aware of secure programming practices and strive to avoid introducing errors in our applications (such as those identified by OWASP and SANS) that could lead to security breaches.
  • Account protection. Each user of Imagine Learning is required to create an account with a unique account name and password. Single Sign-On (SSO) users are authenticated with secure tokens.
  • Facility security. Imagine Learning is located inside the continental United States. Physical access is protected by electronic access devices, with monitored security and fire/smoke alarm systems.
  • Security Breach. In the event of a security breach that results in unauthorized release of personal data, Imagine Learning will notify affected customers of such breach, will investigate, and will restore the integrity of its data systems as soon as possible. We will fully cooperate and assist with required notices to those individuals affected by such breach.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Impacter Education Corporation

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. IMPACTER PATHWAY is a comprehensive web-based Social-Emotional Learning (SEL) platform designed to foster personal growth and character development in students. This innovative platform is utilized within schools to provide students and educators with a suite of online tools and resources aimed at promoting self-awareness, empathy, resilience, and responsible decision-making.

IMPACTER PATHWAY requires access to Personally Identifiable Information (PII) for the primary purpose of providing teachers and administrators with targeted analytics and data-driven insights regarding student growth and performance in Social-Emotional Learning (SEL). Specifically, PII is necessary to enable the following:

  • Track individual student progress and growth in SEL competencies over time.
  • Analyze and visualize grade-level trends and comparisons in SEL development.
  • Provide detailed reports on class/section-level SEL performance to inform instructional strategies.
  • Compare SEL growth and achievement across relevant cohorts
  • Deliver targeted recommendations and interventions based on individual student needs.

By accessing key PII elements such as student names, identification numbers, grade levels, and demographic information, IMPACTER PATHWAY can generate comprehensive analytics dashboards and reports. These data-driven insights empower educators to monitor student progress, identify areas for improvement, and tailor SEL instruction to meet the diverse needs of their student populations effectively.

Ultimately, the purpose of receiving and processing PII is to enhance the educational experience by providing educators with the tools and information necessary to support the holistic development of students' social-emotional skills, a critical component of their overall success and well-being.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. “The Processor will securely delete and destroy all Personally Identifiable Information (PII) upon termination of the Agreement or when no longer required to provide the agreed-upon services. No data, including de-identified or aggregate data, will be retained beyond the termination or expiration of the Agreement.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Impacter Pathway is committed to data privacy and mitigating security risks. To this end, we employ the following administrative, technical, and physical safeguards:

  • Administrative Safeguards
    • Comprehensive Data Security Policies and Procedures: IMPACTER PATHWAY has implemented robust data security policies and procedures that govern all aspects of PII handling, from collection and storage to access and disposal. These policies are regularly reviewed and updated to ensure compliance with industry best practices and regulatory requirements.
    • Access Controls and Least Privilege: Access to PII is strictly controlled and granted based on the principles of least privilege and need-to-know. Employees and authorized personnel are granted access only to the specific data and systems necessary to perform their job functions, minimizing the risk of unauthorized access or misuse.
    • Role-Based Access Management: IMPACTER PATHWAY employs a role-based access control system, where access privileges are assigned based on job roles and responsibilities. This approach ensures that individuals have access only to the information and resources required for their specific roles, further enhancing data security.
    • Regular Access Reviews: Periodic reviews of access privileges are conducted to ensure that access levels remain appropriate and aligned with the principles of least privilege. Any changes in job roles or responsibilities are promptly reflected in access rights, preventing unauthorized access to PII.
    • Employee Training and Awareness: All employees and authorized personnel undergo mandatory data security and privacy training to ensure they understand their responsibilities in handling and protecting PII. Regular awareness campaigns and refresher training sessions are conducted to reinforce best practices and maintain a culture of data security.
  • Technical Safeguards:
    • Encryption in Transit and at Rest: IMPACTER PATHWAY employs industry-standard encryption technologies to protect PII both in transit and at rest. Data transmitted over networks is encrypted using secure protocols such as HTTPS and TLS, while data stored in databases and backups is encrypted using strong encryption algorithms like AES-256.
    • Secure Data Centers: IMPACTER PATHWAY's data is hosted in secure, state-of-the-art data centers operated by industry-leading cloud providers like Amazon Web Services (AWS). These data centers employ robust physical and environmental controls, including biometric access controls, video surveillance, and redundant power and cooling systems.
    • Vulnerability Management: IMPACTER PATHWAY has implemented a comprehensive vulnerability management program that includes regular vulnerability scanning, patch management, and prompt remediation of identified vulnerabilities. This proactive approach helps to minimize the risk of exploitation and ensure the ongoing security of systems and data.
    • Incident Response and Disaster Recovery: IMPACTER PATHWAY maintains a detailed Incident Response Plan and Disaster Recovery Plan to ensure prompt and effective response to security incidents and data breaches. These plans outline procedures for containment, forensic analysis, notification, remediation, and recovery, minimizing the impact of incidents on data security and operations.
  • Physical Safeguards:
    • Secure Facilities: IMPACTER PATHWAY's corporate offices and facilities are protected by physical security measures, including access controls, video surveillance, and alarm systems. Access to sensitive areas is restricted to authorized personnel only, further safeguarding PII and system components.
    • Environmental Controls: IMPACTER PATHWAY's facilities are equipped with appropriate environmental controls, such as temperature and humidity monitoring, fire suppression systems, and power redundancy, to protect against environmental threats and ensure the continued availability and integrity of data and systems.
    • Media and Device Security: IMPACTER PATHWAY enforces strict policies and procedures for the secure handling, storage, and disposal of physical media and devices containing PII. These measures include secure storage, data sanitization, and destruction protocols to prevent unauthorized access or data leakage.

By implementing these comprehensive administrative, technical, and physical safeguards, IMPACTER PATHWAY ensures the protection of PII and mitigates data privacy and security risks throughout the data lifecycle, from collection to disposal. Additionally, regular risk assessments and continuous improvement efforts are undertaken to identify and address potential vulnerabilities, ensuring the effectiveness of the security measures in place.   

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

In Class Today

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. In Class Today will receive PII for the exclusive purpose of implementing an attendance support program. The program includes the analysis of student attendance data to select students most likely to benefit from the program, and the delivery of mailed attendance letters to the parents and guardians of selected students.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services, Moonlight BPO, Box.com, Files.com, and Twilio.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All Protected Information is encrypted to a minimum 256-bit encryption standard, both in transit and at rest.

Only those In Class Today personnel and subcontractors who need to access Protected Information to perform the services outlined in the contract will be administratively, operationally, and technically authorized to access that information.

Access to Protected Information is password-protected, and strong passwords are enforced and stored only in encrypted vaults.

All systems that are used to store, access, transmit, or otherwise use Protected Information enforce a one user, one account policy. Within all systems used to store, access, transmit, or otherwise use Protected Information, each individual’s access will be limited to the Protected Information they need to access in order to perform the service.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Inspiring Minds (for Community Schools services)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/22/2022 – 7/21/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Inspiring Minds will provide a holistic community school model which will provide leadership development during the day, sports enrichment activities, extra-curricular afterschool programs, professional development workshops for teachers and serve as a thought partner to the school admins to serve the children of the campus. Inspiring Minds, at times, may data logs PII (Personal Identifiable Information) on all program participants. PII is used to make user accounts and track student progress within our programs. We employ strict safeguards and a PII protection policy to keep this data private and to ensure the integrity of the data.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Confidential data requires additional security controls in order to ensure its integrity. The company requires that the following guidelines are followed:

  • Strong Encryption. Strong encryption must be used for confidential data transmitted external to the company. If confidential data is stored on laptops or other mobile devices, it must be stored in encrypted form.
  • Network Segmentation. Separating confidential data by network segmentation is strongly encouraged.
  • Authentication. Strong passwords must be used for access to confidential data.
  • Physical Security. Systems that contain confidential data should be reasonably secured.
  • Printing. When printing confidential data the user should use best efforts to ensure that the information is not viewed by others. Printers that are used for confidential data must be located in secured areas.
  • Faxing. When faxing confidential data, users must use cover sheets that inform the recipient that the information is confidential. Faxes should be set to print a confirmation page after a fax is sent; and the user should attach this page to the confidential data if it is to be stored. Fax machines that are regularly used for sending and/or receiving confidential data must be located in secured areas.
  • Emailing. Confidential data must not be emailed outside the company without the use of strong encryption.
  • Mailing. If confidential information is sent outside the company, the user must use a service that requires a signature for receipt of that information.
  • Discussion. When confidential information is discussed it should be done in non-public places, and where the discussion cannot be overheard.
  • Confidential data must be removed from documents unless its inclusion is absolutely necessary.
  • Confidential data must never be stored on non-company-provided machines (i.e., home computers).
  • If confidential data is written on a whiteboard or other physical presentation tool, the data must be erased after the meeting is concluded.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Inspiring Minds (for Project Pivot)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Inspiring Minds will be developing leadership skills though basketball, martial arts and a youth conference for approximately 75 middle school students. We will need access to names, addresses, phone numbers and email addresses of the students participating in our program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE's option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor. Information will be collected and stored through a google survey application that transfers all data to an excel document.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Confidential information must be removed from desks, computer screens, and common areas unless it is currently in use. Confidential information will be stored on an encrypted excel document. Confidential data must not be 1) transmitted outside the company network without the use of strong encryption, 2) left on voicemail systems, either inside or outside the company's network.

  • Confidential data requires additional security controls in order to ensure its integrity. The company requires that the following guidelines are followed:
  • Strong Encryption. Strong encryption must be used for confidential data transmitted external to the company. If confidential data is stored on laptops or other mobile devices, it must be stored in encrypted form.
  • Network Segmentation. Separating confidential data by network segmentation is strongly encouraged.
  • Authentication. Strong passwords must be used for access to confidential data.
  • Physical Security. Systems that contain confidential data should be reasonably secured.
  • Printing. When printing confidential data the user should use best efforts to ensure that the information is not viewed by others. Printers that are used for confidential data must be located in secured areas.
  • Faxing. When faxing confidential data, users must use cover sheets that inform the recipient that the information is confidential. Faxes should be set to print a confirmation page after a fax is sent; and the user should attach this page to the confidential data if it is to be stored. Fax machines that are regularly used for sending and/or receiving confidential data must be located in secured areas.
  • Emailing. Confidential data must not be emailed outside the company without the use of strong encryption.
  • Mailing. If confidential information is sent outside the company, the user must use a service that requires a signature for receipt of that information.
  • Discussion. When confidential information is discussed it should be done in non-public places, and where the discussion cannot be overheard.
  • Confidential data must be removed from documents unless its inclusion is absolutely necessary.
  • Confidential data must never be stored on non-company-provided machines (i.e., home computers).
  • If confidential data is written on a whiteboard or other physical presentation tool, the data must be erased after the meeting is concluded

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Instructure (for Canvas)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Instructure is providing Canvas LMS which is a software-as-a-service learning management system used by K-12 schools. Canvas LMS is used by learning institutions, educators, and students (collectively “end-users”) to access and manage online course learning materials and communicate about skill development and learning achievement. Canvas LMS includes a variety of customizable course creation and management tools, course and user analytics and statistics, and internal communication tools.

Instructure is receiving and accessing PII via Canvas LMS to (a) provide secure end-user access to Canvas LMS, (b) provide teaching and learning services (such as classes, quizzes, assignments), (c) facilitate communication between educators and students about courses and related work, (d) permit uploads of educator and student content related to their courses, and (e) provide course related analytics the learning institution.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Instructure maintains administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of personal information processed by Canvas LMS, as follows:

  • Security policies are reviewed and approved by the executive leadership of Instructure on an annual basis.
  • Canvas LMS is regularly assessed and tested by security staff and third parties.
  • Use of Canvas LMS and network access policies are required in order to control and limit access to internal systems.
  • Physical access to systems containing pesronal information is restricted.
  • Access to Canvas LMS is based on the principle of least privilege, separation of duties, and is regularly reviewed.
  • Applicable and necessary security patches are kept up-to-date.
  • Use of default system passwords is prohibited and the use of a public/private key exchange is mandated on all systems including Canvas LMS.
  • An employee information security policy is maintained that addresses employee responsibilities, including protection of confidential information.
  • Employees receive annual security awareness training and must sign confidentiality agreements as a condition of employment.
  • Remote access by employees to internal control and management systems is restricted and requires two-factor authentication.

Access Limitations

  • Instructure restricts access to personal information only to those employees who have a need to know or otherwise access personal information to enable Instructure to perform its obligations under the Agreement; provided that (a) a background check has been conducted of its employees, and (b) such employees are bound in writing by obligations of confidentiality sufficient to protect personal information in accordance with requirements herein.

Personal Data Transmission

  • All access into Canvas LMS utilizes secure protocol HTTPS; All clear text HTTP connections are disabled by default.
  • Copying of personal information outside of Canvas LMS operations environment by any employee of Instructure is restricted by policy and only permitted for legitimate business needs.
  • Personal information is transmitted into and out of Canvas LMS via secure TLS exclusively; SSL is disabled by default.

Data Storage, Retention and Availability

  • Data retention timelines are defined for all elements of Canvas LMS.
  • Instructure will ensure back up of Canvas LMS on a daily basis onto an electronic storage medium and shall store all such backups in separate geographic locations. Personal information contained in Canvas LMS is transmitted using secure protocols, on dedicated link, and stored in a secured facility for backup.

Security Breach Response

  • Instructure maintains a security incident response plan and a team of personnel trained to identify, investigate, and respond to security issues.
  • In the event of a security breach impacting personal information, Instructure will:
    • take immediate steps to remedy the breach;
    • notify the customer as soon as is practicable; and
    • take any other prompt actions towards prevention of any additional security breach.
  • In any notification to the customer, Instructure shall, at a minimum:
    • provide a description of the incident, the personal information accessed, the identity of affected third parties, if any, and such other relevant information determined by Instructure, and
    • designate a single individual as a point of contact for the customer.

Third Party Testing

  • Instructure contracts annually with a reputable third party security firm to conduct a comprehensive security audit (penetration test and web application vulnerability tests) of Canvas LMS.

Compliance

  • Data center providers for the Canvas LMS operations environment maintain an AICPA SOC2 Type 2 report or a successor standard.
  • Instructure maintains and follows change management processes. All changes to the Canvas LMS production environment are risk-assessed, logged, and approved. Releases to the Canvas LMS production environment are promoted through a pre-production test environment.
  • The Canvas LMS operations environment is separate from the Canvas LMS development and staging environments.
  • The Canvas LMS environments are separate from Instructure’s corporate IT environment.
  • Logical access to the Canvas LMS infrastructure is restricted using the principles of least privilege and need-to-know.
  • Access to all Instructure networks and systems are controlled by an authentication method involving a minimum of a unique user ID/password combination. Privileged users and administrators must use strong authentication.
  • Remote network access to Canvas LMS is secured by an authenticated VPN.
  • Canvas LMS is hosted in a Tier 3 SOC 2 Type II certified computing facility equipped with fully redundant power backup and fire suppression systems, 24/7 security guards, mantraps, controlled access, biometric authentication, and video surveillance.
  • Security relevant events, including login failures, use of privileged accounts, changes to access models or file permissions, modification to installed software, or operating systems, changes to user permissions or privileges or use of any privileged system function, are logged on all systems.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Instructure (for Mastery Connect)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: Multiple dates depending upon the relevant Services Agreement(s).

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Instructure is providing MasteryConnect which is a software-as-a-service K-12 digital assessment management system. We limit our collection and use of personal information only to those elements required to operate our Products. Please note that if we process your personal information for a purpose other than the purpose for which it was collected, we will provide you with notice in advance of the new processing and obtain consent if required. We do not engage in automatic decision making, advertising to students, or profiling. We use the information described above to provide, analyze, and improve our products, including to:

  • Create and maintain your account
  • Identify you as a user
  • Notate and assign support tickets
  • Provide, operate, maintain, and improve our Products
  • Personalize and improve your experience
  • Contact you and communicate with you, including to respond to your comments or inquiries
  • Provide customer support
  • Solicit feedback about our Products, including by asking you to respond to surveys or questionnaires (with your permission)

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Instructure takes student privacy seriously. Instructure’s Mastery Connect SaaS product has robust administrative and technical controls to make sure that their information stays private. We've built our operations around international standards such as ISO 27001 and are audited by third parties to make sure that we're actually doing what we say we're doing. We use Amazon Web Services to host our software and they have technical and physical controls designed (and audited) to store everything from students’ homework to top secret documents at the FBI. We take security and privacy seriously and you can learn more at https://www.instructure.com/products/canvas/security

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Intellispark

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Intellispark provides a technology platform for improving student support. Key features include the ability to identify and assess student support issues, share relevant student information with designated teachers and other authorized members of a student’s support team, communication tools to enable team-based communication and collaboration, customizable libraries of available student supports, customizable workflows to notify responsible parties of issues to be addressed, and reporting of support interactions and outcomes. Intellispark will use PII provided by the district solely to enable district users to track and address student support issues as described above.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All client data are stored in an Amazon Web Services (AWS) Relational Database Service instance that is secured using AWS recommended best practices such as encryption at rest, encryption in motion, automated password rotation, and limitation of access. Access control limits access to client data to users authorized by the client and to Intellispark staff who have signed confidentiality agreements and who have a need to access those data to support client users.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

IntelliVOL

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. IntelliVOL provides access to x2VOL. a program that allows students to track and report community service hours, service learning hours, work based learning or CTE hours and experiences. PII is used to create user accounts for students and admins. PII is used to allow users (students) to record their volunteer hours. PII is used to allow users (admins) to view and approve volunteer hours.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE's option

and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

  • Physical Safeguards
    • Alarm systems and intrusion detection are used to protect electronic information systems and building equipment from unauthorized intrusions.
  • Administrative Safeguards
    • Designated security officers are assigned to be operationally responsible for assuring compliance to security policies.
    • Security risk management used to identify and implement security measures to reduce risk to a reasonable and appropriate level based on the covered circumstances.
    • Security incident response used to respond to an incident preserving evidence; mitigating, to the extent possible, the situation that caused the incident; documenting the incident and the outcome; and evaluating security incidents as part of ongoing risk management.
    • Password policies used to safeguard information. All users are given guidelines for creating passwords and changing them during periodic change cycles.
  • Technical Safeguards
    • Server Firewalls used to guard against unauthorized access to electronic data.
    • Data Encryption used to convert PII into encoded data
    • Secure Authentication used to ensure that a person is who he or she claims to be before being allowed access to x2VOL website.
    • Data Loss Prevention implemented using daily rolling backups used to prevent the loss qt any user data

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Internationals Network for Public Schools

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 - 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Internationals Network for Public Schools provides contracted professional development and support services to the 15 NYC-based International High Schools and 1 Middle school that fall under the NYC Department of Education. All services focus on academic success of English Language learners who are enrolled in those schools. Services include workshops, professional development one-on-one and in small groups, curriculum development, working groups, professional learning communities and leadership development and support. Data compiled by Internationals Network for Public Schools are used exclusively for program improvement and support of individual NYC public schools. Internationals Network for Public School does this through the analysis of student enrollment, student attendance, overall GPA, credit accumulation, grade advancement, test scores, graduation rates and discharge rates data. This analysis supports school leaders and educators in the implementation of educational procedures and processes that help advance curricular and instructional goals within our network of schools in NYC with services listed below:

  • Professional development with teachers, school leaders, counselors, instructional coaches and parent coordinators
  • Strategic data check-ins and inquiry sessions with school leaders.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data is kept in password-protected files accessible only by authorized staff members who have been vetted and fingerprinted by the NYCDOE and our organization. At no time will any data be bought, sold or transmitted to vendors for commercial purposes.

Several administrative, technical and physical procedures are used to ensure that Student PII data is protected. For one, the use of data with student identifiers is restricted to staff working directly with that school to support individual students, and whenever possible, aggregated data are preferred to student level data when sharing program data internally. Internationals Network accesses data from NYCDOE ATS/STARS system. Internationals Network stores this data in Google Drive to fulfill the programmatic services. Google Drive is only used to store this data. Data stored is password and access restriction protected. No confidential data may be shared with any personal account. Outside of explicitly utilizing Google Drive for storage, we do not grant access to restricted folders containing student PII, with Google employees. Data stored is password and access restriction protected. No confidential data may be shared with any personal account. Student PII are never shared via email attachments nor via “public to the web" sharing methods. Other physical safeguards are taken regarding Student PII data access by ensuring data is never saved to a personal machine or unauthorized storage device. Furthermore, Virtual Private Networks (VPNs), are used as an additional layer of security if and when needing to access student PII data remotely via a non-INPS and/or Staff secured internet connection. When needed, authorized storage devices are obtained from the technology team. Furthermore, where printouts are made with student PII they are shredded immediately after use.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Intrado (for SchoolMessenger)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Data is stored in School Messenger databases for the express purpose of allowing school and district administrators to contact parents / guardians with helpful information about their student. Lntrado makes no use of the data internally.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor. lntrado's instance of AWS is used to house SchoolMessenger Communicate and lntrado's instances of Microsoft Azure are used to house SchoolMessenger Presence and SchoolMessenger CustomApp.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All SchoolMessenger solutions are built to adhere to industry and security best practices. All session information (including data exchanges between school/district systems and the Schoo Messenger service) is protected by 256-bit SSL encryption (TLS 1.2). All data is encrypted at rest (using an AES cipher). Further, direct access to the hosts is protected by SSL and SSH and no clear channel connections are allowed. Further, SchoolMessenger separates all customer data into separate logical secure database partitions. Database access requires authorization via a separate authentication server.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Irvin Simon Photographers

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. School portraits, yearbook publishing services. In preparation for Picture Day, Irvin Simon requires certain roster information (i.e. name, grade, class, email address) from your school. This data is used to produce and deliver portrait-based products and services needed for schools’ administrative purposes and/or for use in the school yearbook (the “School Service Items”), to deliver Picture Day notices on behalf of schools, and to provide parents of students photographed opportunities to purchase portraits.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Irvin Simon uses a variety of safeguards to protect School Data. Irvin Simon has implemented a variety of physical, technical, and organizational security measures to help protect School Data from unauthorized access and use.

Facilities: Irvin Simon data, including School Data, is maintained in cloud-based storage or in our on-premises data center that meet or exceed industry standards for cybersecurity. All facilities and systems are protected by strong physical security controls such as restricted role-based access, ID cards, and video monitoring. We have a secure backup process and utilize high availability systems and equipment to maintain availability.

Networks: Devices storing or providing access School Data are protected with the same multi-layered security strategies that we use to protect Irvin Simon’s sensitive and confidential business records. Image databases supporting our photo processing labs and websites are separated from associated data files containing identifiable information, all databases are protected by firewalls, monitoring, vulnerability scanning, and authentication procedures. We apply instruction prevention methods and perform regular network penetration testing and code scanning on a periodic basis using both internal and authorized third party testing services and our systems enable secure transmission of School Data from and to the Irvin Simon network with encryption technologies. School Data is segregated from other databases in our systems and is securely disposed of when no longer needed. Devices or media containing or accessing School Data are password protected and encrypted and stored in secure, locked areas when not in use. Laptops and tables used by our field are also protected by software that, in the event of theft, notifies Irvin Simon immediately if the device is connected to any network and allows Irvin Simon to remotely erase the device.

Personnel: Irvin Simon’s policy is to collect, use, and disclose personal information only in ways that are consistent with our respect for an individual’s privacy. We require Irvin Simon employees to sign confidentiality agreements as a condition of employment, and we provide training on the appropriate use and handling of School Data. Access to School Data is limited to those who need it to perform their jobs. We also take appropriate measures to enforce these policies.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

IXL Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

  • Wyzant: As the largest and most widely used tutoring service in the United States, Wyzant helps learners and administrators get results that matter. Founded in 2005, Wyzant has a community of over 65,000 educators and professionals offering students personalized high-dosage tutoring in more than 300 subjects, including math, English, and science. The Importance of PII for Wyzant is that Student basic information (Name, Grade Level, and/or Class) is needed so that educators can identify specific student data for the purposes of knowing how best to support the student's educational needs.
  • IXL Math: NYS Next Generation P-12 Learning Standards aligned. On IXL, students receive the support they need to reach any math milestone. While learning, immediate feedback and step-by-step answer explanations help them quickly understand and correct their mistakes. When students are ready to tackle something new, IXL Recommendations offers personalized skill suggestions that help them strive for mastery, address trouble spots, and more. With IXL, students become active and engaged learners, equipped with the tools they need to excel. The Importance of PII for IXL Math is that individual student Math assignment data collected is under their basic information (Name, Grade Level, and/or Class) so that educators can identify specific student data for the purposes of knowing how best to support the student's educational needs.
  • IXL Language Arts: IXL Language Arts is NYS Next Generation P-12 Learning Standards aligned bringing the fundamentals of writing to life in a personalized, engaging environment that features interactive questions, fun visuals, and playful content. Students encounter rigorous questions adapted to their abilities, allowing them to engage with reading comprehension, grammar, word choice, and composition in new and exciting ways. Whether you are teaching students the basics of phonics or helping them understand complex ideas like writing style and tone, IXL supports you. Crucial skills are broken down into adaptive building blocks to ensure understanding and reinforce critical thinking outside of reading instruction. Your students will learn to weigh the subtleties of any text, as well as develop the language mechanics to express their own unique voices. The Importance of PII for IXL Language Arts is that individual student Language Arts assignment data collected is under their basic information (Name, Grade Level, and/or Class) so that educators can identify specific student data for the purposes of knowing how best to support the student's educational needs.
  • IXL Science: IXL's in-depth content covers hundreds of skills and is aligned to the Next Generation Science Standards and NYS standards, providing support to teachers for any science curriculum. With compelling, interactive skills, IXL drives mastery of:
    • Physical science: properties of matter, force and motion, energy and heat, atoms and molecules, electricity and magnetism, chemical reactions, waves.
    • Life science: plant and animal systems, genetics, life cycles, ecosystems, traits and adaptations, cells, natural selection, conservation.
    • Earth science: fossils, weather and climate, rocks and minerals, plate tectonics, astronomy, natural resources.
    • Plus science literacy, experimental design, engineering practices, units and measurement, and much, much more! The Importance of PII for IXL Science is that individual student Science assignment data collected is under their basic information (Name, Grade Level, and/or Class) so that educators can identify specific student data for the purposes of knowing how best to support the student's educational needs.
  • IXL Social Studies: NYS Next Generation 2-8 Learning Standards aligned. IXL offers crucial tools for understanding history-including primary sources, maps, and data sets-in a fresh, expansive format that ignites students' enthusiasm for social studies. Topics include:
    • Geography: oceans and continents, countries and regions, U.S. states and capitals, letter-number grids, latitude and longitude
    • U.S. history: colonial period, Revolutionary War, Civil War, the Great Depression
    • World history: ancient civilizations, Greece and Rome, Middle Ages, Renaissance, Early Americas, Age of Exploration
    • Civics: the three branches of government, checks and balances, state and local government
    • Economics: natural resources, costs and benefits, supply and demand, trade and specialization
    • Plus economics, historical figures, holidays and cultural celebrations, and much, much more! The Importance of PII for IXL Social Studies is that individual student social studies assignment data collected is under their basic information (Name, Grade Level, and/or Class) so that educators can identify specific student data for the purposes of knowing how best to support the student's educational needs.
  • IXL Analytics: IXL's reports are flexible, helping you uncover student data at every level. Get a full overview of school-wide trends, or drill down into grade or classroom level data - and teacher-level insights to assess progress and growth for individual learners. No matter what data you need, IXL's reports enable you to make meaningful decisions in every situation. IXL Analytics are a series of reports educators can run to analyze the progress students are making within IXL as they are working through the subject skill questions that have been assigned to them. These reports aggregate student data showing progress towards grade level standards in Math, ELA, Science, Social Studies and Spanish. Educators can then use this information for targeted instruction, small-group instruction, or one-on-one work with students. What is more, IXL Analytics allows teachers to monitor students' work on a given skill in real time, thus making this formative component an ideal tool for both differentiated instruction. The Importance of PII for IXL Analytics is that Student basic information (Name, Grade Level, and/or Class) is needed so that educators can identify specific student data for the purposes of knowing how best to support the student's educational needs.
  • IXL Spanish: With IXL, students build Spanish fluency in a supportive environment that allows them to learn at their own pace. Our skills focus on making learning both purposeful and relevant. Students apply grammar and vocabulary to real-world scenarios and interact with more than 1,000 words in dozens of different contexts. Topics like verb conjugation and prepositions get a fresh spin with interactive question types, fun visuals, and intriguing narratives. We put the joy of learning a new language front and center as students discover a whole new way to communicate. The Importance of PII for Spanish is that individual student Spanish assignment data collected is under their basic information (Name, Grade Level, and/or Class) so that educators can identify specific student data for the purposes of knowing how best to support the student's educational needs.
  • Real Time Diagnostic: IXL's Real-Time Diagnostic quickly assesses students' grade-level proficiency, and provides you and your teachers with insights that help you 1) Get data you would normally receive from NYS assessments, 2) Determine student placement in programs, 3) Meet each student's needs with personalized learning plans. IXL Real-Time Diagnostic assesses students across concepts in the K-12 curriculum and delivers up-to-the minute insights on their grade-level proficiency in math and English language arts (ELA). Using these insights, IXL creates personalized action plans that guide every learner to the exact skills that will help them grow. To measure a student's knowledge levels, the Real-Time Diagnostic applies item response theory (IRT) models to estimate the numeric scores for a set of strands (i.e., a broad category of skills). For math, the strands include (a) Numbers & Operations, (b) Algebra & Algebraic Thinking, (c) Fractions, (d) Geometry, (e) Measurement, and (f) Data, Statistics, & Probability. For ELA, the stands include (a) Vocabulary, (b) Grammar & Mechanics, (c) Reading Strategies, and (d) Writing Strategies. The overall diagnostic scores for math and ELA are weighted averages of the strand scores. The Importance of PII for Real Time Diagnostic is that Student basic information (Name, Grade Level, and/or Class) is needed so that educators can identify specific student data for the purposes of knowing how best to support the student's educational needs.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE's option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services (AWS} (a cloud hosting and data analytics provide), Century Link (used for telecommunications), Google G Suite (a cloud computing, productivity and collaboration tool} and Salesforce Inc. (a Customer Relationship Management (CRM) Solution); and using an entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We have implemented a variety of physical, administrative and technological safeguards designed to preserve the integrity and security of the personal information we collect and to protect against unauthorized access to data. These include internal reviews of our data collection, storage, and processing practices and security measures, as well as physical security measures to guard against unauthorized access to systems where we store personal data. We restrict access to personal information to IXL employees, contractors, and agents who need to know that information in order to operate, develop, or improve our services. Details are further outlined in our Data Processing Addendum. IXL provides encryption for customer data as follows:

  • Network connections to IXL' s production environment utilize Transport Layer Security (TLS) or Secure Shell (SSH);
  • All data stored in IXL' s production environment is encrypted at rest using AES-256 bit encryption; and
  • All data stored on IXL-owned laptops is encrypted at rest. IXL employs automated log collection and audit trails for production systems.
  • Connections originating from untrusted networks segments will be governed by firewall rules and other security safeguards that grant the minimal access required to access the intended service provided by the company.
  • System passwords and access keys are stored in a privileged location accessible only to IXL security administrators, and all credentials are changed from factory default settings.
  • Production systems receive regular maintenance to apply security patches; and
  • Physical access to systems requires security RFID badges and biometric authentication, and is limited to IT staff performing physical maintenance.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

I’RAISE Girls & Boys International Corporation

Type of Entity: Community-Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. I’RAISE Mental Health Program provides clinical therapy and mental health services to students in grades K-12. Licensed clinicians and therapists need to have access to student academic records and psychological records (if applicable) in order to provide therapeutic treatment and mental health services to students.

It is necessary for I’RAISE to receive and access student PII for the purposes of conducting counseling services. This type of service requires clinicians to effectively assess and treat participants of the program.

As part of I’RAISE process, our clinicians/therapists collect the following information:

  • Student academic records
  • Student psychological records maintained by the DOE.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Cloud; and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The agency maintains and stores all student PII information in a manner consistent with the New York Child Data Privacy and Protection Act, S9563. The agency stores all student electronic and physical records in a manner consistent with the Health Insurance Portability and Accountability Act of 1996 (HIPPA).

Physical Safeguards – I’RAISE stores student PII in a locked file cabinet on each school site; this includes student academic, counseling, and psychological records. Only I’RAISE personnel authorized to access student PII has access to these secured filed cabinets onsite.

Technical Safeguards – I’RAISE therapists upload electronic copies of student PII into the company cloud owned by the agency. The cloud is password protected and only authorized personnel (therapists treating students) have access to the student’s PII. The agency has an active business associate agreement with Amazon cloud service which ensures the safe and secure storage of our students PII.

Administrative Safeguards – I’RAISE Clinical Deputy Director is responsible for overseeing and ensuring the safe and secure storage of student records and student PII. The Clinical Deputy Director conducts monthly audits of student PII to ensure all safeguards are in place and to mitigate any potential data privacy and security risks. To mitigate data privacy and security risks, the Clinical Deputy Director trains and manages the authorized personnel (therapists and social workers). Additionally, I’RAISE IT Director conducts monthly security checks of the agency and checks for any potential security and privacy risks. The IT Director works alongside the Clinical Deputy Director to ensure the agency is in compliance with the safe and secure storage of students’ PII in a manner that aligns with the New York City Department of Education.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Jewish Child Care Association of New York (JCCA)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2023 – 6/30/2024.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. JCCA provides comprehensive care to thousands of children, young people and families who come from New York’s diverse communities. Since 1822, we have embraced those who need us most — abused, neglected and traumatized young people who are struggling with poverty, developmental disabilities and complex mental illness.

The Learn to Work (“LTW”) program is dedicated to providing academic and socioemotional support, pre-employment skills, and opportunities to NYC youth enrolled in Transfer High Schools or YABC’s. In order to provide the services in the LTW program, it is necessary to access PII to register youth, determine student needs and goals, monitor progress and provide ongoing related services for the duration of the LTW student enrollment.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Anti-virus software is installed on all JCCA computers and servers. Virus update patterns are updated daily on the JCCA servers and workstations. Virus update engines and data files are monitored by appropriate administrative staff that is responsible for keeping all virus patterns up to date. Procedures are defined for implementation of anti-virus tools. JCCA utilizes appropriate network-based and host-based intrusion detection systems.

User IDs and passwords are required in order to gain access to all JCCA networks and workstations. All passwords are restricted by a corporate-wide password policy. Passwords shall not be shared with any party, must be kept confidential, and may not be written down on paper. Passwords are masked or suppressed on all online screens, and are never printed or included in reports or logs. Passwords are stored in an encrypted format.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Jigsaw Learning (for TeachTown)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. TeachTown provides standards-based core curriculum for students with moderate to severe disabilities. The student emails and names are needed in order to make them individual accounts to track progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS in the US.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. TeachTown is committed to maintain strong privacy and security protections. The privacy and security of this information is a significant responsibility, and we value the trust of our students, parents, and staff. TeachTown secured a Chief Information Security Officer (CISO) and Chief Data Privacy Officer in 2021. TeachTown’s Privacy Program is responsible for creating, maintaining, communicating, and enforcing a comprehensive privacy control environment to ensure the company meets its legal, contractual and other organizational requirements for Processing Personal Information. TeachTown complies with its responsibilities under all applicable state and federal laws and regulations that protect the confidentiality of personally identifiable information and Student Data, including the Federal Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. 12329(g); Children’s Online Privacy Protection Act (COPPA), 15 U.S.C 6501-6502; Protection of Pupil Rights Amendment (PPRA), 20 U.S.C 1232; and applicable State laws governing the protection of personally identifiable information from students’ educational records (“Student Data”), including New York Education Law Section 2-d and Part 121 of the Commissioner’s Regulation.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Jostens

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Jostens prints and publishes the yearbook that the school/students create and assists the school with sales of that same yearbook. Data is received from the schools on a yearly basis coincidental with the beginning of a new school year), with that data only being used for that respective school year. All communications sent by Jostens regarding sales are preauthorized and preapproved by the school before being sent and are only sent to the parents (using data obtained by the school) of the students attending that school who would be interested in buying their student(s)’ yearbook for that year.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Information is only accessible by those necessary to perform per the Agreement. Onboarding and annual training for anyone with access to PII includes training on privacy/proper handling of PII. Per Jostens Cybersecurity Compliance Program:

  • Jostens will protect the confidentiality, integrity, and availability of data and systems, regardless of how the data is created, distributed or stored. Jostens security controls are tailored accordingly so that controls can be applied commensurate with the risk and sensitivity of the data and system, in accordance with all legal obligations.
  • Jostens establishes responsibility for managing information privacy and data security controls for handling sensitive Personally Identifiable Information (PII). Jostens ensures PII is collected, used, stored, transferred, and destroyed according to privacy requirements.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

JumpRope

Type of Entity: Commercial Enterprise

Contract/Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. JumpRope collects and processes Protected Information input by NYC DOE teachers and administrators for the exclusive purpose of providing the NYC DOE with the services and support to which NYC DOE has subscribed via the Agreement. NYC DOE determines the type and scope of Protected Information it houses on JumpRope and how such Protected Information is used on JumpRope. JumpRope does not collect any Protected Information directly from the end user. School administrators and teachers may input Protected Information into JumpRope about themselves or about students enrolled with NYC DOE. Examples of Protected Information NYC DOE might input on JumpRope includes student name, birthdate, grade level, home address, and parent or guardian contact information, attendance-related information, student grades, and student-related comments that are associated with grades. NYC DOE may house and process Protected Information on JumpRope in a variety of ways to achieve NYC DOE’s gradebook, curriculum and development goals.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. As part of JumpRope’s Information Security Program, JumpRope protects data using a series of industry-standard encryption and data security safeguards. Company policy requires the use of only proven, standard algorithms as the basis for encryption technologies. All keys used for encryption and decryption must meet complexity requirements described under Password Security. The company reviews algorithms, key length, and complexity annually and upgrades as technology allows. Users accessing JumpRope’s information systems must be properly authenticated with a strong encryption method invoked prior to their password being requested. Company policy requires that passwords are never stored online without encryption. All mobile devices containing stored data must use an approved method of encryption to protect data at rest. Laptops must employ full disk encryption with an approved software encryption package. No Protected Information may exist on a laptop in cleartext. Depending on the method of transmission and recipient of the data, Protected Information will be encrypted using appropriate protection methods such as Rights Management Services (RMS) or password protected using strong password methodology and transmitted only via JumpRope devices.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Jupiter Ed

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Jupiter Ed is an online Gradebook, Learning Management System (LMS) and Student Information System (SIS). Our LMS includes our gradebook, remote learning features, online assignments and tests, including an online essay grader. There are messages (email and text) and discussion forums for teacher/parent and student communication. The student information system module also includes report cards, transcripts, attendance, discipline records and scheduling. Schools can also select online enrollment and online payment modules. Our products can be used with students from pre-school through high school levels. We also offer both in-person and online teacher and administrator trainings. Schools have the option to enter PII into Jupiter but it is not required. See a detailed list of each module here: https://jupitered.com/modules.php.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

  • Jupiter stores PII on dedicated servers, not shared infrastructure.
  • Jupiter encrypts PII in transit using industry standard SSL technology.
  • Jupiter encrypts data at rest using industry standard HDD encryption.
  • Jupiter employs intrusion detection software to safeguard critical infrastructure.
  • Employee access to Jupiter servers is managed via VPN.
  • PII is transmitted across infrastructure using encrypted channels, never via “thumb drive”, email, or other insecure method.
  • Jupiter uses automated systems to destroy PII when a customer has not renewed their contract. No manual action by staff is required.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

K Systems Solutions

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 10/23/2023 – 10/22/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. KSS will provide a consultant who will be working on The NYC School Transportation Modernization Project as part of OPT operations’ Planning and Innovation team. This project will solve problems for caregivers, students, school administrators, drivers (external stakeholders) and OPT staff (Internal stakeholders). This is an extensive business process reengineering initiative involving change in business processes, use of new products and replacing of old applications.

The consultant will provide deliverables including but not limited to: Managing, monitoring, tracking milestones. Additionally, the consultant will be collecting, maintaining, and revising requirements. Lastly, the consultant will be testing, training, and releasing projects. PII will be obtained and maintained during the requirements gathering process. Also, PII will be accessed during testing and training initiatives. The consultant will also potentially be exposed to PII during various project meetings.

Type of PII that the Entity will receive/access: Student PII. “It’s possible that the Staffing Consultant will also have access to the PII for the following groups: caregivers, students, school administrators, drivers (external stakeholders) and OPT staff (Internal stakeholders).”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “The on-site consultant represented by K Systems Solutions will only be accessing data.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

  • In our policy, we have reiterated that the employees must read and understand the data privacy and procedure in safeguarding all sensitive information in compliance with the US law (see the Information security policy).
  • Regular Auditing and Monitoring: Monitor systems and networks for unusual activities or unauthorized access. Regularly review access logs, audit trails, and security alerts to detect and respond to threats.
  • All employees undergo mandatory data privacy and security training upon onboarding and annually thereafter. Making data privacy and security training a mandatory component of the onboarding process is crucial to ensure that all employees are equipped with the knowledge and awareness needed to protect sensitive information.
    • All employees must be trained in the following key data privacy regulations: FERPA and NY Education Law 2-d, etc.
    • Employees will be provided with a comprehensive training module that covers key topics such as data classification, access controls, encryption, incident reporting, and compliance with relevant regulations.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “The on-site consultant represented by K Systems Solutions will only be accessing PII.”

Kaplan K-12 Learning Services (for DREAM program)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 1/1/2022 – 12/31/2028

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Kaplan works with the NYC DOE Office of Equity and Access to support the DREAM program, and its students and teachers. For the SHSAT prep program beginning early July 2022, Kaplan will SHSAT prep books, Kaplan SHSAT Practice Test kits and assessment reporting. PII (i.e. OSIS number) will be used for reporting assessment results.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor: Amazon (AWS)

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

  • Kaplan will maintain compliance with all state, federal, and local data security and privacy requirements through implementation of security controls governed by an Information Security Management System (ISMS) that is based on ISO 27001 requirements.
  • The following security controls, governed by the ISMS, are in place to protect the Pl it will receive under the contract:
    • Strong access controls, including utilization of unique usernames (in this case, the student number), strong password requirements, and requirements for heightened privileges (which are reviewed on a regular basis) to access the backend system for in-scope activities;
    • Protection of data at rest within the AWS environment using best practices encryption standards and algorithms in compliance with ISO 27001 standards. Such data encryption includes use of 2048-bit RSA encryption, utilization of AWS KMS for key management (creation, management, and destruction), and protection of key exchange standard integrity through the use of security certificates created and maintained within the AWS environment using AWS's CMS;
    • Protection of data in transit using similar industry-recognized best practice encryption standards and algorithms in compliance with ISO 27001 standards. This includes strict usage of TLS 1.2 or better with HTTPS. Data that is in transit within Kaplan's environment (e.g., from the AWS instance to Kaplan employees) is protected through use of an encrypted-tunnel VPN;
    • Protection of network and other communication channels through a zero-trust network design with micro-segmentation principles; such design is created through utilization of Zscaler's zero trust network technologies, implementation of advanced firewalls (including web application firewalls and NGFWs), and creation and use of DMZs (using Zscaler's proxying technologies coupled with installed firewalls); Kaplan also requires use of an encrypted-tunnel VPN (AES-256 encrypted P2P tunnel) with MFA for remote access;
    • Physical and environmental controls managed by AWS that are in compliance with ISO 27001, SSAE 18 SOC 2 Type 1 and Type 2, and other industry standard requirements; and
    • Constant vigilance over its systems through use of in-depth logging and monitoring practices, utilities, and software. Kaplan's assets, networks, and users are monitored through collection and analysis of log data in Alertlogic SIEM and other utilities, including Orea, Qualys, and Crowdstrike. Kaplan also uses AlertLogic, Orea, Qualys, and Crowdstrike socs to monitor Kaplan's environment and alert Kaplan's information security teams to potential malicious activity. Alerts from these organizations are reviewed by Kaplan's SecOps team immediately; logs collected are reviewed on a daily basis as well.
  • Kaplan's ISMS serves as the framework for implementing security controls that ensures compliance with New York State Education Law§ 2-D and the NYC DOE's Parents' Bill of Rights for Data Privacy and Security. In general, maintaining a data security and information privacy program that is based on ISO 27001 controls ensures that Kaplan maintains compliance with all major international, national, state, and local laws, regulations, and standards. More particularly, the ISMS and associated security controls listed above as well as the further security controls placed on Kaplan's systems, networks, and data ensure that the rights prescribed in the Parents' Bill of Rights for Data Privacy and Security are protected and provided to NYC DOE. Beyond the security controls listed above, Kaplan also maintains a data privacy mailbox through which data access requests can be made. Kaplan privacy officers will review the requests against what is allowed by the Parents' Bill of Rights for Data Privacy and Security as well as what is allowed by New York state law, US federal law, and international law, and provide access, allow for changes and/or deletion, and other activities permitted by these legal and regulatory sources.
  • Kaplan's use of AWS and the security controls in place as governed by Kaplan's ISMS allows for continual data backups placed in hot standby for immediate availability within the AWS environment. Snapshots of Kaplan's applications and data are taken throughout the day and stored concurrently in multiple secondary/fallback AWS data center locations. Confidentiality, integrity, and availability are therefore ensured through this backup and immediate availability scheme taken together with Kaplan's access controls, encryption protocols, and other security measures.
  • Kaplan requires extensive training for its personnel who will be interacting with or handling in­ scope data or systems. Such training covers, inter alia, the following topics: proper data labeling and handling; proper use of Kaplan assets (including use of Kaplan workstations, remote access to Kaplan's systems, and general acceptable use policies); maintaining compliance with applicable international, national, and local information security, data privacy, and other laws, regulations, industry standards, and contractual obligations. Such training is provided in general form during the onboarding process and thereafter throughout the year in more particular form per subject/topic area, culminating in requirements to retake the general course at the two year mark.
  • Kaplan maintains strong access controls on all aspects of its environment and ensures such controls are implemented through a vigorous and well maintained user rights management program. The user rights management program is managed, reviewed, updated, and overseen by an internal Identity and Access Management (1AM) team; the 1AM team is in turn responsible for access provisioning and deprovisioning (implemented through AD/Azure AD), privilege reviews (performed through Archer URM software), and ensuring compliance with Kaplan's strict password requirements, amongst other responsibilities. Of particular note, access to in-scope systems that host client data is tightly controlled by Kaplan's 1AM team, with any provision of access privileges reviewed on at least a quarterly basis for heightened privileges and twice a year for all other access.
  • Only a select few organizations, third-party contractors, and subcontractors have access to the in­ scope data. The primary subcontractors that will be used in this relationship are used for hosting purposes and legitimate business, legal, and technical activities within Kaplan's environment. They are contractually restricted from accessing the data without explicit authorization from Kaplan.
  • Subcontractors for the in-scope relationship are limited to those used to host Kaplan services (e.g., AWS) and those required for internal critical business functions (e.g., legal, business, and technical activities). They are all contractually restricted from accessing in-scope data without explicit written permission from Kaplan.
  • In the event of a data security incident, Kaplan follows an incident management procedure that is part of its ISMS. This procedure includes steps for internal alerts, investigations, remediation, and, importantly, communicating information concerning the breach to affected third parties. Such external communications will be performed at the direction of the Vice President of Information Security and Privacy, or as applicable, the NYC DOE, within the time periods required by applicable laws and regulations.
  • Kaplan's systems, ISMS policies and procedures, and security controls are tested multiple times throughout the year through external audits, internal audits, penetration tests, and vulnerability assessments. This includes external audits for ISO 27001 purposes; internal audits for purposes of ISO 27001 certification, PCI and SOX compliance, and sound risk management practices; and penetration tests and vulnerability assessments to identify vulnerabilities in Kaplan's systems and remediate those vulnerabilities immediately.
  • Data will either be returned to NYC DOE or permanently deleted in accordance with the Agreement.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Kelvin Education

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Kelvin will allow schools to administer and report on the NewSchools Venture Fund Staff and Student surveys.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Heroku Cloud Application Platform and Google Cloud Platform.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Kelvin Education, Inc utilizes processes, procedures, and policies that are in accordance with SOC 2: Type 2 framework. Kelvin framework is supported internally with compliance specialists Secureframe and is audited by Modern Assurance. Please review our included Attachment B – Processor Data and Security Plan as well as Terms of Service and Privacy & Student Data Security Policy for more detailed information. If you have further questions or concerns, please contact Kelvin Security Team at security@kelvin.education.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Khan Academy

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: Contract Start Date coincides with the start date of the contract entered into by the DOE (or school within the NYC DOE school system) for Khan Academy Districts service and contract expires at the end of the school/school district’s subscription to the Khan Academy Districts service.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Khan Academy is a non-profit organization that provides access to a free website located at http://khanacademy.org and related mobile applications (together “Website”), through which it provides educational services, including, but not limited to, educational content, products, and services (together, the "Services"). The Services include a wide range of content and learning activities, including instructional content and exercises aligned to core curriculum, test practice courses, a personalized learning dashboard, and other learning activities and education programs. Access to the Website and educational content is made available for free. Standard features, including account creation and the ability to assign lessons to and monitor learning progress, are also available for free. Content can be viewed without creating an account; however, for most school use, individual user accounts are created for each individual student, teacher, or other user. The accounts may be used for work in the classroom or for at-home learning.

In addition to free standard features, Khan Academy offers supplemental services to school districts and educational agencies to facilitate implementation by the district or agency, under paid subscriptions. These supplemental services include MAP Accelerator, which uses scores from a standardized assessment (known as MAP Growth scores) and the Khan Academy personalized learning system to give each student custom learning paths, while educators get real-time data to inform instruction. In order to provide MAP Accelerator each student is registered with an individual user account on the Website. In addition to providing personalized learning plans specific to the MAP Accelerator, user accounts provide access to all of Khan Academy's content and standard features.

Khan Academy’s use of personally identifiable information may vary based on the services or programs selected, but generally includes use (i) to provide students with individual Website accounts; (ii) to provide adaptive and/or customized learning features of the Service and educational programs offered through the Service; (iii) to allow teachers and other school personnel, and parents and coaches associated with students, to review and evaluate student educational achievement and progress on the Service; (iv) to provide school personnel with insights regarding student learning and (v) to communicate with users regarding use of the Service and provide information regarding educational and enrichment programs.

Parents may learn more about Khan Academy’s services by viewing our terms of service and privacy policy, each of which are available on the Website. Parents are able to establish parent accounts on the Website and to associate the parent account with their child’s account in order to view their child's progress and assist them with at-home learning.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Google.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Khan Academy has established technical and administrative safeguards designed to help protect personally identifiable information from unauthorized access, disclosure, use or acquisition by an unauthorized person, including when transmitting and storing such information. A summary of Khan Academy’s security safeguards are set forth below:

Technical Safeguards

  • Khan Academy knows that encryption is key to protecting data. We use industry standard encryption technology to protect data transmitted over the internet. The Khan Academy website is hosted on the Google Cloud Platform, and we rely on Google for server and datacenter security. All data on the Google Cloud Platform is encrypted at rest in accordance with Google’s security practices.
  • We limit access to data on a need-to-know basis. Khan Academy uses role-based permissions to limit access to sensitive data and systems to our personnel who need it for a legitimate business purpose.
  • We follow industry best standard practices in developing our software.
  • Laptops provided to our employees for work purposes are managed to ensure that they are properly configured, regularly updated, and tracked. Our default configuration includes full-disk encryption of hard drives, on-device threat detection and reporting capabilities, and lock when idle for a specified amount of time. All laptops are securely wiped before we re-issue or dispose of them.

Administrative Safeguards

  • All personnel are required to follow our Information Security Policy, which specifies how we protect data and comply with our security commitments.
  • We employ a variety of methods to assess and manage risk, including policies, procedures, and use of industry standard tools to monitor and protect data and systems.
  • Khan Academy has established a vendor management program which includes review of the security controls, privacy and data protection policies, and contract terms of our service providers upon initial engagement and periodically thereafter.
  • Khan Academy has an incident response plan in place to identify and address any potential data or security incident.

Personnel

  • Our employees are required to complete information security awareness training upon hire and periodically thereafter. Personnel are required to acknowledge and agree to our written information security policy and our employee handbook which, among other things, highlights our commitment to keep Student Education Records and confidential information secure.
  • Employees that have access to Student Education Records receive training on applicable federal and state privacy laws.
  • Khan Academy employees are screened with background checks prior to their employment with us.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Kiddom

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Kiddom, Inc. is providing a cloud-based software service which enables teachers to instruct students with customizable curriculum served from the Kiddom platform. We receive PII in the form of names and emails during initial setup of class and school rosters, as well as optional guardian/parental names and emails. Our platform also allows students to upload digital files as a part of their school assignments.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We are signatories of the Student Privacy Pledge, and our processes are subject to our privacy policy . PII is scrubbed from any dataset which is used for internal analysis. All disks are encrypted at rest (AES-256, keys are rotated yearly). All data is encrypted in transit (AES-128, certificates are rotated yearly) and at rest. Files are stored encrypted and are protected by permissioning, accessible only to authorized individuals. We follow the NIST Cybersecurity Framework Version 1.1 best practices.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Kids Discover

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Kids Discover Online is a web-based application that offers educators and students access to a growing library of over 2,000 engaging science, social studies, and nonfiction articles, at 3 Lexile ® Reading Levels. Educator and Student PII is only needed/used to authenticate access to certain services that Kids Discover Online provides, such as a virtual Classroom, Gradebook, and Individual assigned Reading Levels. Through Kids Discover Online’s Library Media Plan, no Student or Educator PII is collected nor required in order to use or authenticate the services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

  • Kids Discover Online requires a minimal amount of student data or teacher or principal data. In some instances, Kids Discover Online may not require the collection of any student data or teacher or principal data whatsoever.
    • Collecting a minimal amount of student data or teacher or principal data is the first step in mitigating cybersecurity risk. This in turn simplifies Kids Discover’s management and protection of such data, and requires less Kids Discover personnel that have (and need) access to such data.
  • The Personally Identifiable Information that Kids Discover Online may collect is limited to the following student data or teacher or principal data:
    • Student Data PII
      • First Name and Last Name
    • Teacher or Principal PII
      • First Name and Last Name
      • Email Address
      • Job Title or Role
      • School Building Name and Address, including Zip Code
      • Kids Discover Online explicitly prohibits the collection of any other personally identifiable information for any Teacher or Principal that uses the service.
  • Student data or teacher or principal data that is collected by Kids Discover Online and used to provide the services are protected in the following ways:
    • Access to any and all student data or teacher or principal data is limited to authorized Kids Discover personnel, and requires company issued credentials that are updated every 3 months. The number of Kids Discover personnel with authorization is limited to individuals that have received proper training, and fully understand their roles and responsibilities.
      • All authorized personnel have received training from IT professionals and senior executives at Kids Discover.
    • Student data or teacher or principal data that is collected by Kids Discover Online is stored in a cloud managed, enterprise grade Microsoft Azure SQL Server Database. The database utilizes the SHA1 hashing algorithm, with a hash sequence of 160 bits in length.
      • Data is automatically backed up every 24 hours.
      • Database capacity is 250GB, more than double the capacity needed to effectively store and run its contents.
      • Kids Discover Online utilizes three different development environments, including a local environment, staged environment, and production environment for both the database and general code base of the platform. This ensures that any testing, enhancements, bug fixes, data handling and/or data conversions are executed in two different test environments before being executed in a production environment (with live data).
      • Data that has been dormant for 12 months is automatically deleted from the database.
        • Data can be deleted within 24 to 48 hours by written request from any School, School District, Educational Agency, or Customer.
        • Data can be provided and delivered to any School, School District, Educational Agency, or Customer within 24 to 48 hours by written request.
    • Kids Discover Online’s database is virtually managed. Updates and upgrades are performed through Kids Discover’s Microsoft Azure account, utilizing Microsoft Azure’s market leading infrastructure and resources.
  • Kids Discover utilizes a suite of tools afforded by Microsoft Azure to monitor, detect, and in turn alert Kids Discover personnel of any anomalous activity.
    • Kids Discover personnel are alerted in real-time to anomalous activity based on predetermined thresholds and triggers. Depending on the nature of the anomalous activity and subsequent alert, Kids Discover personnel are clear in their roles and responsibilities in terms of response time and prioritization.
  • Once an anomaly is detected, authorized Kids Discover personnel will conduct an investigation.
  • Information is then shared to the appropriate Kids Discover personnel, including Kids Discover Management, to determine the depth and magnitude of any further investigations and potential data recovery procedures needing to be conducted.
  • If it is determined that an incident such as a data breach has occurred, and that any data may have been effectively altered or compromised from the resulting incident, Kids Discover personnel will then notify any customers, Schools, or Educational Agencies as defined in this document of the nature of the incident, whose data may have been affected.
    • It is important to note that Kids Discover views all customers as partners and will work diligently to communicate transparently to all stakeholders of any issues or incidents that have arisen.
    • Kids Discover will continue to communicate with any customers, Schools, or Educational Agencies until the issue has been resolved and rectified, and both parties agree about the best possible path forward.

Kids Discover will then work to restore, retrieve, correct, and improve any and all affected data, along with the systems, software, hardware, and general processes that resulted in the situation.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Kinvolved (KiNVO)

The exclusive purposes for which Protected Information will be used: KiNVO is an app that is used by educators and administrators to inform parents of a student’s attendance. Educators and administrators can also send contacts information relevant to a student’s education, such as homework assignments, school event, and so forth.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE:  Kinvolved requires subcontractors or other authorized persons or entities to sign non-disclosure agreements and abide by company-driven privacy and security protocols.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: PISI is permanently deleted from Kinvoled’s database, Kinvolved does not maintain a record of PISI. Note: Data may exist in backups for a period of 35 days after the data is deleted from the database. [NYC DOE comment: The current agreement became effective starting on August 22, 2019 and terminates when all NYC DOE schools and/or offices cease using Kinvolved, Inc.’s products/services. The terms of the agreement remain effective through the period during which Kinvolved, Inc. possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data and the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.] 

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI is stored in the United States.

How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted in transit and at rest.

KittyHawk Digital

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2022 – 6/30/2026

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. At KittyHawk, we specialize in custom software solutions for schools. Our primary focus is to support these schools with their educational needs by providing a Learning Management System (LMS) and a user-friendly communication tool.

This LMS is designed to optimize a personalized learning experience for students. It offers a secure and intuitive platform where students can access course materials, assignments, and grades. Teachers can utilize the system to create and manage their courses, track student progress, and deliver engaging content personalized to the student’s learning needs. Additionally, parents have the opportunity to stay informed about their child's educational journey by receiving updates and communication channels within the LMS.

Personal Identifiable Information (PII) is utilized for the purpose of establishing user accounts and monitoring the academic advancement of students enrolled. PII is further employed to facilitate effective communication between teachers and parents concerning the educational progress of students. Additionally, PII is employed to oversee and assess student progress, thereby guiding them towards appropriate subsequent courses of study.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS for Application, Database, and File Storage.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We have implemented the following safeguards to ensure the protection of Student Information and to mitigate data privacy and security risks. These safeguards include but not limited to:

  • Administrative:
    • Access Controls: We have established strict access controls to ensure that only authorized personnel can access student information. This includes user authentication, security groups, role-based access, 90-day key rotation, and regular review of access privileges.
    • Policies and Procedures: We have implemented corporate policies and procedures that govern the collection, storage, use, and sharing of PII. These policies are regularly reviewed and updated to align with industry standards and legal requirements.
    • Incident Response Plan: In the event of a data breach or privacy incident, we have a response plan in place. We have system alerts and monitoring in place and this allows us to respond swiftly and effectively, minimizing any impact on student data.
  • Technical:
    • Encryption: We utilize the latest encryption techniques to protect student PII both during system communication and while stored in our systems. This ensures that the data remains secure even in the event of unauthorized access.
    • Data Backup and Recovery: Daily backups are stored on private storage accounts (S3). This ensures the availability and integrity of student information. Recovery mechanisms are also in place to maintain system availability in case of any unforeseen incidents.
    • System Monitoring: We employ monitoring tools and Intrusion Detection systems that continuously track and analyze our infrastructure for any suspicious activities or potential  security breaches.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology."

KiwiWrite Software (for KiwiWrite Math)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. KiwiWrite Software, LLC provides a web-based application named KiwiWrite Math, which provides to select students with specific need an online platform to act as an alternate means of entering and completing math or math-containing classwork or assessments. Minimal PII will be accessed that is needed to create and maintain student accounts.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Physical safeguards are provided by AWS, our cloud provider. We do not store PII in any location except in our encrypted database on the cloud. Administrative safeguards to protect data include limiting access to a minimal number of authorized personnel who have a legitimate need for such access, and requiring confidentiality agreements for any personnel with access. Test environments do not use student data and have separate security keys. Technical safeguards include encryption of data in transit and storage, access controls, and implementing regular and encrypted backups.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Klett World Languages

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The KWL is an app from Klett World Languages, Inc. We are a publisher of world language materials. Students engage with our interactive books and assignment workflow on the platform. There is a lot of student generated content, which includes audio recordings, writing samples, etc. This is for standards mastery of the NYS LOTE standards. Our platform needs PII data because student names, usernames are used to relate student responses/generated work with users. Teachers need to send assignments to specific students or groups of students. PII is needed to identify students and groups. Moreover, District Admins can export these reports for standards mastery and this is why PII is needed.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Various methods are used to protect Personally Identifiable Information (PII). In transit, TLS/SSL is used when transferring user information and our AWS servers. Amazon RDS and Amazon S3 that support encryption at rest.

Database-level access controls are implemented to restrict users' access to specific tables or fields containing PII. All development is done on a private internal server, and this ensures that code is not compromised. AWS DevOps tools are used to ensure secure coding practices and automate deployment pipelines.

Logging and Monitoring tools are used by our Developers: Amazon CloudWatch has been implemented for logging and monitoring the AWS resources to detect and respond to security incidents. AWS CloudTrail is used to monitor and log AWS API calls for auditing and compliance.

Regularly backup PII data and have robust disaster recovery plans in place to ensure data availability in case of accidental deletion, corruption, or other unforeseen events.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

KneoWorld, Inc.

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Students from 3rd Grade to 8th Grade perform a series of 8 science investigations (experiments) in school science laboratories or classrooms that lead to the State exam in science at each grade level. The observations from these investigations are currently captured and submitted using paper (printed out PDFs) and the teacher marks the student observations manually, on paper. KneoScience is migrating this paper-based approach to a digital, Cloud, browser based online software as a service. PII is necessary to make student accounts, allocate and mark assignments, and track student and class progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Learnosity and Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. To ensure the protection of Personally Identifiable Information (PII) and mitigate associated data privacy and security risks, our organization implements a comprehensive suite of administrative, technical, and physical safeguards:

  • Administrative Safeguards: Our administrative measures include implementing a robust data governance framework that delineates clear policies and procedures for handling PII. We conduct regular training programs for all employees to ensure they understand their roles and responsibilities regarding data security and privacy. This includes training on the proper handling of PII, understanding potential security threats, and how to report and respond to data breaches. We also perform routine audits and compliance checks to ensure policies are adhered to, and to adjust strategies as needed based on emerging threats and changes in compliance requirements.
  • Technical Safeguards: On the technical front, we employ state-of-the-art encryption technologies to secure PII both at rest and in transit. Access to sensitive data is controlled through robust authentication mechanisms, including multi-factor authentication and strong password policies. We also utilize advanced cybersecurity measures such as firewalls, anti-virus software, intrusion detection systems, and regular security patching to defend against unauthorized access and cyber threats.
  • Physical Safeguards: Physically, we secure all facilities that house PII with controlled access measures to prevent unauthorized entry. This includes security personnel, surveillance systems, and secure locks on doors containing sensitive data. Equipment and storage media containing PII are stored in locked, secure areas with limited access. Furthermore, we have protocols in place for the secure disposal or destruction of PII, such as shredding paper records and securely wiping electronic media.

Risk Mitigation: To mitigate risks associated with data privacy and security, we continuously monitor our network and systems for any unusual activity that might indicate a security breach. We have an incident response plan that outlines procedures for addressing data breaches, including immediate containment and mitigation steps, notification processes, and post-incident analysis to prevent future occurrences. Additionally, we engage in regular risk assessments to identify vulnerabilities and update our security practices and technologies to address new and evolving threats.

By implementing these safeguards and continuously evaluating their effectiveness, we ensure that PII is protected against unauthorized access, use, or disclosure, thereby maintaining the trust and confidence of all stakeholders.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Kognity USA

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Kognity is a digital web browser accessible teaching and learning platform primarily used by International Baccalaureate (IB), IGCSE and NGSS. It offers interactive textbooks, quizzes, videos, and other resources, allowing teachers and students to engage with curriculum-aligned content in a dynamic way. Kognity's platform aims to enhance student understanding, retention, and application of knowledge while providing teachers with tools to monitor and support student progress. Kognity receives Student Data in two ways: (i) from our School Customers to implement the use of our Products (including allowing for access to the Products by Authorized Users); and (ii) from Authorized Users.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Heroku/AWS Customer Application Isolation, which provides an isolated cloud environment within Heroku, and cannot interact with other applications or areas of the system.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We take a comprehensive approach to safeguarding sensitive educational information. It covers governance frameworks, incident management, hosting and data storage, access controls, encryption, vulnerability assessments, staff and subcontractor compliance, and risk assessments, all in compliance with relevant laws and standards.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

KPMG LLP 

The exclusive purposes for which Protected Information will be used:The exclusive purposes for which PISI will be used is not known at this time. KPMG will be providing the deliverables, documents, reports and other materials as required by the DOE under Task Order Request assigned to KPMG during the course of the Agreement.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: KPMG uses third party service providers within and without the United States to provide, at KPMG’s direction, certain administrative and clerical services, including information technology development and support services, to KPMG. For these purposes, KPMG would not provide access to student data or teacher or principal data with the third party service providers. KPMG has contractual terms in place with the third party service providers that dictate policy, procedural and technical controls designed to preserve the confidentiality, integrity and availability of the information to which the third party has access.
 
KPMG Subcontractors or other authorized persons with who we share student data or teacher or principal data would be subject to the same data confidentiality terms and conditions as contained in the Agreement. Please note, NYC DOE has informed us that, the confidentiality section of our Agreement would serve to cover our confidentiality obligations under this Agreement.
 
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: KPMG will return data to the Company at the end of the contract or upon the related Task Order completion, whichever is earlier. KPMG has policies and procedures in place related to the retention and destruction of client data, as described below.
 
KPMG uses commercially reasonable industry practices for destruction of physical documents and, if data destruction occurs as part of KPMG asset disposal and renewal process, will wipe electronic media such that Client data is rendered unreadable and unrecoverable. If laws or professional standards applicable to KPMG do not permit such return or disposal of the Client data, in whole or part, KPMG shall retain such data as required by such laws or professional standards, shall maintain the continued confidentiality and security of such data in accordance with the requirements of the Agreement, and shall not actively process or use Client data for any purpose other than as required by laws or professional standards.
 
KPMG will appropriately wipe or degauss storage media used to store or process client

Information prior to media reuse, at the end of its life, and prior to transfer of such media offsite to a third party for maintenance or destruction. Information stored on routine back-up media for the purpose of disaster recovery will be subject to destruction in due course. 

[NYC DOE comment: The current agreement became effective starting on December 11, 2019 and terminates when all NYC DOE schools and/or offices cease using KPMG LLP’s products/services. The terms of the agreement remain effective through the period during which KPMG LLP. possesses or otherwise is in control of covered protected information.] 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to the Agreement, KPMG will work with the NYC DOE where such data is expected to be collected under a specific Task Order Request to put appropriate processes in place to address any such challenges to the accuracy of student data or teacher or principal data that is collected in the course of performing the scope of work under that Task Order Request. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): If a task order request will involve us receiving PISI, PISI will only be stored in the US. KPMG has legal, regulatory, professional, contractual, and ethical obligations to protect all confidential information including Personally Identifiable Information (PII) that is entrusted to us by our clients, during the provision of professional services, as well as by our own employees and vendors. KPMG’s information security framework aligns with a number of authoritative sources and industry standards (e.g. ISO27001, NIST, COBIT, HIPAA, etc.) which cover physical and environmental security, logical access, incident management, business continuity management, system development, and compliance. Our framework consists of comprehensive IT policies, procedures, baselines and standards used to secure information resources and protect confidential information entrusted to us by our clients. Our system of internal controls is consistent with professional standards promulgated by AICPA for public accounting firms. KPMG complies with all applicable data protection and privacy laws and regulations.
 
How the data will be encrypted (described in such a manner as to protect data security): KPMG all sensitive data (PII/PHI/PISI) at rest, and some KPMG applications – including KPMG workstations – encrypt all data at rest. KPMG’s encryption standard is AES-256, and technologies used will vary based on the application. For example, we use Bitlocker to encrypt workstations, and TDE to encrypt databases. For data travelling over public networks, we encrypt using TLS 1.2

Kweller Prep Tutoring and Educational Services

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 6/1/2023 – 5/31/2028

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. As a tutoring business, it is necessary for our Entity to receive and access Personally Identifiable Information (PII) of students to conduct its services. Our Entity needs this information to provide personalized and effective tutoring services to students. This information may include the student's name, age, grade level, academic performance, learning style, and any relevant medical or behavioral information.

Our Entity may also collect contact information such as email addresses, phone numbers, and addresses to communicate with students and their parents or guardians regarding tutoring sessions and scheduling.

It is essential for our Entity to maintain the confidentiality and security of the PII it collects, uses, and discloses. The Entity must comply with applicable data privacy laws and regulations governing the collection, use, and disclosure of PII, such as the Family Educational Rights and Privacy Act (FERPA) in the United States.

Our Entity will also implement appropriate safeguards to protect the confidentiality, integrity, and availability of the PII, such as secure storage, access controls, and encryption. Our Entity will also provide training to its tutors and employees on the proper handling of PII to prevent data breaches and maintain the privacy and security of its students' information.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Kweller Prep will ensure that only individuals who will be working on a project that needs PII information will be allowed to use a PII machine.

  • Machines accessing PII information will be allocated strictly for the use of accessing PII data.
  • Information is protected by strong passwords, which include characters or more and a combination of numbers, uppercase and lowercase letters, and special symbols.
  • A screen lock will be implemented on dedicated PII machines. The screen lock will be set to turn on within 5 minutes of inactivity.
  • Breaches will be immediately brought to the attention of Kweller Prep’s Executive Director and technology security specialist. Our technology security specialist will then immediately evaluate and determine the extent and severity of the breach. Upon summarizing findings (no later than 1 day upon learning of the incident), we will report the incident to the appropriate NYC DOE department.
  • PII will not be stored on personal computers.
  • PII will not be stored on public computers.
  • Kweller Prep will make every attempt possible to only store PII data on encrypted servers and not on locally encrypted computers.
  • PII data will only be used, seen, or shared with people to fulfill the duties associated with the particular PII.
  • PII data will not be left open on a screen when it’s not in use.
  • Physical PII data (papers) will not be left unattended.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

L&G Research and Evaluation Consulting

Type of Entity: Research Institution or Evaluator

Contract / Agreement Term: 3/1/2023 – 2/28/2028

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. L&G Research and Evaluation Consulting, Inc. (L&G) is contracted to conduct an implementation and outcome evaluation of the 21st Century Community Learning Centers grant awarded to the New York City Department of Education from July 1, 2022 until June 30, 2027. Our L&G team will support efforts to gain a better understanding of the value of grant-funded activities in meeting the needs of students and their families. This program, funded through a five-year federal grant administered by the NY State Education Department, is intended to offer much needed enrichment and educational supports to target students. In full compliance with the Request for Proposal (RFP) stipulations, L&G developed a meaningful and cohesive evaluation plan that can move the work forward towards meaningful, aligned results in the future.

Our implementation and outcome evaluation plan includes a mixed method qualitative and quantitative research design. We offer assistance with ensuring clients adhere to all state and federal reporting requirements. This typically involves the following: 1) development of program logic models; 2) assessment of program evaluability (Year 1 only); 3) site visits and program observations; 4) development and administration of surveys in fall and spring; 5) attendance and observation of advisory board meetings; 6) EZReports data management and generation of weekly data compliance repots, mid-year and final reporting, and 7) State monitoring visit support as needed. We offer ongoing quality control and technical assistance for all data collection, storage, monitoring and reporting. We work very closely with our schools to provide services that are research-based and support the program goals/objectives as determined by the core leaders.

All student, parent, and teacher data collected during the five years will be used exclusively to assess grant performance, improve program implementation, and support the NYC DOE with the meeting of grant goals and objectives. No other data other than what is required by NYSED and stipulated in the RFP will be collected during the life of the grant.

Type of PII that the Entity will receive/access: Student PII, APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data), and Parent and Family Member PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. L&G’s data storage plan addresses what gets stored, the location, when storage activities occur, who is responsible for management, how much data an organization stores, what it retains and destroys, and how storage takes place. Our plan ensures both the security and availability of the data.

Data storage can be electronic or nonelectronic formats (such as paper surveys), including data files and databases. Nonelectronic data is stored in locked cabinets at the L&G main office located at 55 Broadway, Suit 416, New York, NY 10006. The locker combination is only stored with tram members involved in entering the survey data into the computer. For electronic data storage, L&G uses password protected computers. The password is changed every 30 days and is only accessible to L&G staff members responsible for analyzing the data. Data storage requirements are thoroughly discussed with L&G staff both during onboarding of new staff and ongoing during annual retreats to ensure compliance with our internal data storage plan that protects confidentiality and safety of PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Labster

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Labster Services Description: Labster is a company dedicated to developing fully interactive advanced lab simulations based on mathematical algorithms that support open-ended investigations. We combine these with gamification elements such as an immersive 3D universe, storytelling and a scoring system which stimulates students natural curiosity and highlights the connection between science and the real world.

PII includes name and email of assigned students/teachers, to provision access to the Labster simulation platform and live support services to NYC DOE assigned students/teachers.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. “According to FERPA, Labster must allow students/guardians at least 45 days after contract ends to dispute Labster quizzes scores/reports. Labster will delete DOE data according to retention schedules and applicable contractual obligations.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS in Virigina, USA.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Labster leverages AWS Cloud Services Provider data center in Virginia, USA. This data center is ISO27001 certified.

Labster does implement logical and technical measures to protect NYC DOE Student PII. Those are included but not limited to: Least privilege, need to know, Vulnerability Management, Access Control (RBAC), Security Testings, Security Awareness Training, etc.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Lakeshore Learning Materials (for SANDI/FAST)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 08/2022 – 07/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The SANDI/FAST is an online assessment designed to assess and monitor students with moderate to severe cognitive and low incidence disabilities. It is aligned with Common Core Learning Standards and includes subtests in English Language Arts, Math, Science, Social Emotional/Behavioral, Vocational/Transition-Education/Employment, and Vocational/Transition-Community. The SANDI-FAST also assesses student skills in Fine Motor, Gross Motor and Adaptive Daily Living. The SANDI-FAST is a performance based, periodic assessment aligned to grade-level Common Core State Standards (CCSS). The SANDI provides summative assessment data and measures academic growth over time. The FAST is a short-cycle benchmark assessment administered two times throughout the school year to target four essential standards at three levels. The SANDI provides a summative assessment that goes deeper than other tools into student learning and maintains a focus on individual student need, not just proficiency levels. Formative assessment (FAST) is based on the SANDI and administered as a part of the continuous progress monitoring of the pre/post and interim assessment opportunities built into the system. Student need areas are assessed and then aligned to grade level content standards, giving all students access to a rigorous and relevant education.

Type of PII that the Entity will receive/access: Student PII and Other: For each user (teacher, service provider, administrator) we collect their name and email address, and they are connected through the SANDI/FAST system to their assigned school and class, if applicable.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the Entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All access to the SANDI/FAST for NYCDOE personnel is managed directly by NYCDOE. This includes both provisioning user accounts with the appropriate role and authenticating accounts into the system. All outside access to the SANDI/FAST system is restricted to necessary personnel for the sole purpose of supporting the SANDI/FAST system and NYCDOE users. Multi‐factor authentication is implemented for all of the accounts used by the necessary personnel All application servers and workstations have anti‐virus and anti‐malware software for detecting malicious threats. A threat detection service is utilized to continuously monitor for malicious activity and deliver detailed security findings for visibility and remediation. All communication between the end user and the SANDI/FAST Online is encrypted. All confidential information is encrypted in transit and at rest.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Language Tree Online

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Language Tree Online offers an online English Language development curriculum program for high school English learners. PII is needed to make individual student user accounts and to track student language assessment results and progress in their English language development studies.  PII Is also used to allow teachers and administrators to gain insight into students’ language gaps, monitor student progress and struggles in the program, and see growth and where students still need additional instructional support to master language skills.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS Infrastructure and Moodle platform.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

  • User Authentication: Language Tree Online will not generate, issue, or store passwords on its system but will authenticate teacher and student users through an identity management/SSO solution such as Clever.
  • Employee/Admin Access: Language Tree Online follows the principle of least privilege access, allowing system access to student data only to platform administrators.  In addition to MFA for AWS account root users and IAM users, admin access is also limited by source IP.
  • Physical Security and Operational Safeguards: Language Tree Online employees work remotely from home offices. In addition to required annual security awareness training, all employees must follow company policies that include protecting and scan computers for viruses using provided anti-malware tools (Windows Defender, Windows Firewall, Malwarebytes), only accessing work systems on secured networks or through a VPN, and adhering to the confidentiality of third-party data as outlined by their Employment Contract. Admins furthermore do not use smartphones or tablets for logging into systems and are home offices with video surveillance. 
  • Firewall and Security Monitoring: Language Tree Online uses a combination of firewalls and AWS security groups to protect against unauthorized access. We use tools in the AWS Security Hub for continuous security monitoring and alerting.
  • Security Protocols: Language Tree Online uses industry best practices in the transfer/ transmission of student data and maintains all student data obtained, generated, and stored in encrypted and password-protected databases (See Section on Security Technologies). Student data will not be copied, reproduced, or transmitted except as necessary to fulfill the purpose of data requests of the subscribing institution or for backup purposes.
  • Encryption Technologies: Data-in-transit is encrypted using Transport Layer Security (TLS) 1.2 or above. Data-at-rest is encrypted using an industry-standard AES-256 encryption algorithm.
  • Application Hosting: Language Tree Online hosts services on SOC-compliant Amazon Web Services data centers located in the U.S.
  • Backup Copies: Language Tree Online maintains backup copies, backed up nightly, of student data in the event of a system failure or unforeseen event that may result in the loss of student data. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Laurus Grant Writing & Evaluation Services

Type of Entity: Research Institution or Evaluator

Contract / Agreement Term: 7/1/2022 – 6/30/2027.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Laurus is the contracted evaluator of the 21st Century Community Learning Centers programs operating in NYC DOE Community School Districts. As required by the United States Department of Education, Office of Elementary and Secondary Education, the evaluator must provide information in response to the 21st Century Community Learning Centers Government Performance and Results Act (GPRA) Measure Indicators which include in-depth data on the previous year’s program and school day attendance, student academic performance, student behavior and teacher perception of student functioning. However, such data will only be obtained in the aggregate, with no student names or identifying information attached.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

PII Safeguards: Laurus has in place safeguards and practices that maintain confidentiality and security of PII in a manner that complies with federal, New York State, and local laws, regulations, and policies. The Laurus Operations Manager oversees the administrative safeguards, including: implementing and enforcing policies on staff training; incident reporting; assessment of the necessary level access granted for each staff position; organizational risk analysis; continuous review of updates to applicable laws and best practices; review of data destruction practices; development of contingency plans to ensure security of PII; and conducting internal Systems Audit annually to review these items, identify areas for improvement, and implement necessary changes. Laurus’ operational safeguards include the usage of program- and cohort-specific permission sets for access to electronic data and the usage of secure, locked storage to store physical copies of PII. Staff with access to PII are provided secure workstations that include physical safeguards to ensure no accidental disclosure. Staff are required by Laurus policy to log out of their computer and the database anytime they are not actively accessing PII, the database automatically logs users out after a period of time, and all staff will be properly trained in reporting incidents of breaches. Laurus password protection policies require complex, unrepeated passwords, bar staff from keeping passwords written down, and include the mandatory change of passwords every 90 days. Laurus will only disclose PII to staff members who are assessed as in-need of specific PII measures in order to provide the Contract services.

Technological safeguards are implemented within the EZReports database system (which is mandated by the New York State Education Department), where 100% of electronic PII data is stored. PII policy bars any staff from including PIIs in email messages. EZReports uses unique usernames and passwords with set permissions to prevent unauthorized access and to restrict user access within the application. All data is automatically encrypted while in transit and in storage. User-based permissions and audit trails further enable secure access to data within the system.

Mitigation of Risk: PII data is reported to and stored in the EZReports database that uses usernames and passwords to prevent unauthorized access and to restrict user access within the application. Each unique user account is assigned access to programs and permission sets to restrict access to data and features in the system. Data is stored using redundant Amazon Web Services hardware technologies and SSG fault tolerant software and journaling file systems. All data is automatically encrypted while in transit and in storage. User-based permissions and audit trails further enable secure access to data within the system. To prevent breaches EZReports conducts continuous vulnerability scanning, integrated security code scanning, and penetration testing. In the event systems are affected by a breach, it is their policy to notify without undue delay, and in no case greater than 48 hours, from the confirmation of a data breach. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

LAZEL (also called Learning A-Z)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 2/1/2023 – 1/31/2030

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

  • Foundations A‐Z, Grade Level K‐5; Foundations A‐Z (NYC) (1 educator–12‐month license). Built on the Science of Reading, Foundations A‐Z is an online, K‐5 literacy program that empowers educators to teach foundational skills and inspires students with fun, purposeful practice.
  • Raz‐Plus, Grade Level K‐5; Raz‐Plus (NYC) (1 educator–12‐month license) combines the power of Reading A‐Z and Raz‐Kids to delivers a vast collection of flexible ELA instructional resources, assessment, and engaging student reading practice to support differentiated instruction.
  • Reading A‐Z, Grade Level PreK‐5; Reading A‐Z (NYC) (1 educator–12‐month license) includes a vast collection of printable and presentable reading resources, including grade‐level texts, lesson plans, and teaching materials, for whole‐class, small‐group, and one‐to‐one instruction.
  • Raz‐Kids, Grade Level PreK‐5; Raz‐Kids (NYC) (1 educator–12‐month license) supports independent reading practice with a library of differentiated, interactive digital books and eQuizzes across grades K‐5.
  • Raz‐Plus ELL, Grade Level K‐5; Raz‐Plus ELL (NYC) (1 educator–12‐month license) expands Raz‐Plus with a deep library of specialized literacy resources to support speaking, listening, writing, and reading for English language learners. Purchase of Raz‐Plus is required. (Requires Raz‐Plus.)
  • Raz‐Plus Español, Grade Level K‐5; Raz‐Plus Español (NYC) (1 educator–12‐month license) is an add‐on component to Raz‐Plus that supports Spanish literacy with hundreds of authentic Spanish texts and transadapted instructional resources. Purchase of Raz‐Plus is required. (Requires Raz‐Plus.)
  • Raz‐Plus Connected Classroom, Grade Level K‐5; Raz‐Plus Connected Classroom (NYC) (1 educator–12‐month license) expands Raz‐Plus with tools and resources designed to help educators create personalized, student centered learning paths for students in Grades K‐5. Purchase of Raz‐Plus is required. (Requires Raz‐Plus.)
  • Vocabulary A–Z, Grade Level K‐5; Vocabulary A–Z (NYC) (1 educator–12‐month license) personalizes vocabulary instruction with an expansive online word bank used to create explicit vocabulary lessons and game‐based online practice.
  • Science A‐Z, Grade Level K‐6; Science A‐Z (NYC) (1 educator–12‐month license) blends science and literacy into a captivating K‐6 curriculum. The program delivers thousands of resources including a library of English and Spanish text, science experiments, and hands‐on activities.
  • Writing A‐Z, Grade Level K‐6; Writing A‐Z (NYC) (1 educator–12‐month license) is a supplemental writing solution that develops fluent, enthusiastic writers with explicit writing instruction, a fun online writing platform, and game‐based practice, for grades K‐5.
  • Online Professional Development Webinar ‐ 1 hour: This online training session helps educators leverage the resources and tools available in each Learning A‐Z solution.
  • Online Professional Development Workshop ‐ 6 hours: This online workshop, which is tailored to meet each school’s unique needs, helps teachers dig deeper into Learning A‐Z.

Learning A‐Z provides e-learning tools and resources. Our resources include lesson plans, classroom activities, and assessments, as well as thousands of grade‐level text and materials, and professional learning services. All content is delivered online in printable, projectable, and interactive digital formats, supporting whole‐class, small‐group, one-to‐one, and independent learning environments.

Only the data provided by the DOE is collected. DOE entered data is then available for the use of DOE educators and administrators as permissioned.

Certain activities on certain services allow children to create or manipulate content and save it on our services. Some of these activities do not require children to provide any personal information. If a service requests or allows a child to provide personal information in their created content, we will seek prior verifiable parental consent to collect that information. Examples of created content that constitute or may include Personal Information include the following:

  • Student voice recordings: Children may record themselves reading texts, they may play the recordings back, and they may send the recordings to their teachers.
  • Open‐text fields: Children may draft and submit written responses to various prompts
  • Message sent to students by parents or teachers

Additional educational information is collected as the child progresses through the service, such as amount of time logged in, reading rate, and assessment scores. This information allows the service to adapt to the child and inform the teacher on the child’s progress.

Type of PII that the Entity will receive/access: Student PII

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We maintain administrative, technical and physical safeguards designed to secure student data, as provided by NYC DOE, both during transmission and while in our custody. These safeguards include technical and operational measures, such as firewalls, routers, encryption (at rest and in‐transit), passwords, and vulnerability testing, as well as training, policies and procedures to limit access to NYC DOE provided data to authorized staff, contractors and agents that have a legitimate need to access such data for purposes of enabling us to deliver and support our products and services to the NYC DOE, and that are under appropriate contractual obligations of confidentiality, data protection and security.

No student PII is ever public. Our applications are designed to keep this information private and secure. It is never discoverable by the public.

  • The Company has a formal onboarding and off‐boarding procedure where access to database assets are formally granted and revoked respectively; access is only granted to employees who need access to support the online products as we ascribe to the principle of least privilege.
  • The Company provides student data privacy training to all employees and contractors who access our network.

The Company employs a 3rd party company to conduct both COPPA and FERPA compliance audits.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

LE RU Multi Service Agency

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/7/2022 – 6/30/2024, extended to 6/30/2026

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. LERU is a consultant agency providing multiple services to students and staff in schools in the NYCDOE. For the purpose of this document, LERU will be working with staff providing professional development, charting, and progress monitoring. To achieve these goals, our consultants will have to access and share personal information concerning staff members.

Secondly, we will be providing academic support for students and will need to access baseline data to track progress, assessment and historical charting.

In reference to Attendance Intervention, Counseling and Wrap around services to Students and parent, PII data (Name, phone numbers, address, student OSIS numbers, academic scores ) is also used in order to make contact with family members or to assess student academic, behavioral and performance data.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Iden2fiable Teacher or Principal Annual Professional Performance Review Data)

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The En2ty will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Pursuant the safety protocols, LE RU will do the following:

  • All data will be accessed by individuals cleared by LE RU and the participating school team.
  • All initializing access passwords will be securely stored.
  • No computer will be left running unsupervised beyond school hours.
  • All data collected or used, will be hosted on our servers.
  • All access protocols are stated below:
    • Server will be located in a safe room on site within a DOE building.
    • Server will have multiple log on password for access
    • To access PII files, LERU’s personnel will be internally cleared before they proceed to access PII files.
    • An additional access code will be needed to save, edit or manipulate saved data.
    • The idle component enabled will be 60 seconds to black screen.
    • All accessing personnel will be internally documented to maintain a tracking record of users and no document will be held on personal computers or carried on personal flashdrives.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

The Leadership Program

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2022 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Leadership Program (TLP) will partner with schools to create and implement a Community School Plan that provides academic enrichment and support, youth development, staff development, family engagement, and connects families to community resources. This partnership will work to create a welcoming supportive environment that helps students navigate barriers and build on strengths so that every student can thrive academically, socially and emotionally.

In providing Student Support Services TLP will use Student PII to enroll students in specific services such as after school clubs, expanded learning, wellness, and integrated student support. Student PII is used to keep track of attendance and to communicate with parents and students.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

  • Implementation of Data Security and Privacy Contract Requirements
    • The Director of Operations will keep abreast of current Data Privacy and Security regulations, policies, and procedures, will adapt organization policies as appropriate to adhere to those standards, and in collaboration with the Director of Programming will train organization employees on procedures to ensure data privacy and security.
    • All employees are provided with the standards of data privacy and security required by law and are required to understand and comply with the applicable policies and procedures. Employees with access to Student PII are trained in data privacy and security upon hiring and on an ongoing basis.
  • Administrative, Operational and Technical Safeguards and Practices
    • Employee agreements require that employees align with the security requirements of any projects undertaken.
    • Access to PII permissions and authorizations are managed: only persons with a direct need-to-know will be given access to PII information and only while it is needed.
    • User identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes.
    • Once documents have been used for their intended purpose they will be securely deleted or returned to the NYCDOE as required.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Learn by Doing (also called Albert or Albert.io)

Type of Entity: Commercial Enterprise

Contract/Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Albert.io offers curriculum supplements for grades 5-12. It focuses on interactive learning. Specifically, expertly created practice questions with explanations for core curriculum classes and test prep.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Google Cloud and Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Albert.io is committed to maintaining the security and confidentiality of Student Information. It has designated a Security Compliance Officer (SCO), who is responsible for: (a) ensuring that the Company’s servers are protected against unauthorized access to the greatest degree possible; (b) limiting employee access to Student Information to whatever extent is required for them to perform their job functions; and (c) regularly training employees in data security procedures to further ensure compliance with company data security policies.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology."

LearnerPal

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. LearnerPal provides teachers and students with out of the box content in the form of questions, answers, and videos to create and assign learning activities, or assessments. Teachers can add to the content library, or simply select from premade activities to assign to their students to engage, enhance or assess their daily classroom learning. PII is needed for creating student logins and assigning tasks.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. LearnerPal maintains an audit trail of all data that is sent to the system. All user access and events are tracked and no resource has access to the data storage in order to preserve the integrity of the data. All information is stored in AWS and is encrypted at rest and in transit. The data never leaves AWS and is not accessible to anyone in LearnerPal or outside the school users. All users have to authenticate into the system and based on their access privileges, can access only the data for their school.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

The Learning Internet (also called Learning.com)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Learning.com collects the minimum student data required in order to connect teachers and students with our K-12 digital skills online curriculum. This includes providing teacher facilitation tools to support instruction and practice of those digital skills. Specific fields we collect and how we use them are detailed in our publicly posted Subscriber Privacy Policy at https://www.learning.com/subscriber-privacy-policy/.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The security of your data is of utmost importance to us. We employ industry best practices with respect to personnel and technology to minimize risks of unauthorized access or misuse of PII. We conduct background checks during our recruiting and hiring process to ensure good stewardship of your data. All personnel must complete annual security training that includes guidance on safe handling of data and a review of responsibilities under applicable laws and contracts. We limit access to PII to those who require it in service of our educational purpose. We secure your data by various technologic means, such as firewalls, monitoring, and vulnerability scans to minimize the changes of a breach. Our servers are all physically located within the United States using secure AWS cloud services. All data transmitted between your devise and our servers uses industry standard SSL encryption. All data in our custody is stored using FIPS compliant encryption. We employ an independent firm to conduct penetration testing of our systems, keep up to date with all security patches and software versions, and are vigilant about mitigating any newly discovered vulnerabilities. Our comprehensive security program implements a security in depth methodology by addressing security on every level to ensure information is protected in the event any one layer is compromised. Internal policies and procedures are aligned with NIST 800-53 and all stored data is encrypted.

User accounts are required to access our services and use role-based access to ensure only authorized data can be accessed. You are the only person who can log in with your account and access your data. Learning.com will never ask you for your password and you should never give it to anyone. Ultimately, you are responsible for maintaining the secrecy of your password. Also remember to sign out properly and close your browser window when you have finished using our service. This helps ensure your information remains secure in the event the computer you used is physically accessible to others. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Learning Through an Expanded Arts Program

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Learning through an Expanded Arts Program, Inc. (“LEAP”) provides arts in education programs and is committed to ensuring the privacy, confidentiality, and safety of collected personally identifiable information (PII). The arts in education programs entails expanding creative thinking and supporting positive behavior through student-centered art making and social skill-building activities integrated into classroom academics. We co-teach with classroom teachers and empower them to use the arts in their everyday classrooms. LEAP requires PII in order to provide the service - as it collects and maintains data digitally and on paper in completing around agreed upon services, service delivery, and education purposes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Drive, E-Z Reports.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. LEAP is committed to implementing all state, Federal, and local data security and privacy requirements over the life of the agreement. LEAP will continue to monitor and address applicable laws and regulations and stay up to date with regulatory changes to enhance our Data Security measures. LEAP has subscribed to several platforms and online cyber security communities.

LEAP will provide specialized training for all staff dedicated to cybersecurity. Cybersecurity experts and industry leaders provide resources and tools to LEAP that allows LEAP to manage and quell vulnerabilities by monitoring our work consistently.

Digital PII

  • We store PII on cloud-based, password-protected platforms managed by government agencies or approved external platforms. All records received while working as an agent of DOE are considered “educational records” covered under FERPA standards and the NIST Cybersecurity Framework; PII is not stored on local devices or hard drives.
  • We access PII on secure networks, managed by either the DOE or LEAP’s external IT provider.
  • We limit access to PII to LEAP Employees who need it in their role to provide contracted services.
  • We train LEAP Employees to use the platforms and methods outlined above, in the form of: online trainings on Zoom covering PII best practices and regulations; onboarding 1:1 trainings in-person around our use of Google Drive, Salesforce, and funder portals, and; asynchronous phishing tests sent to all employees several times per fiscal year.
  • We review practices, safeguards, and secure disposal of PII with our external IT provider on an annual basis.
  • On an annual basis, we permanently delete PII files once they are no longer needed for the purpose of the program, or once the contract has ended and the required storage duration has passed. The Program Operations department facilitates the schedule and confirmation of digital clean-up.
  • We carry cybersecurity insurance.

Paper PII

  • We collect PII directly from Guardians or from School Employees.
  • We store PII in locked cabinets, accessible only to authorized LEAP Employees or School Employees, for a duration designated by appropriate government regulations, after which we transfer PII to a locked storage facility.
  • We access PII within designated rooms within DOE school buildings, at a locked and secured LEAP office space, or at the locked storage facility.
  • We permanently and securely shred PII data after the storage duration has exceeded government regulations, through an external vendor and with a certificate of destruction. The Program Operations department conducts annual site visits to our school-located programs and to our main office to review stored paper files and arrange for shredding services.
  • We limit access to PII to LEAP Employees who need it in their role to provide contracted services.
  • We provide in-person, virtual, and online trainings to LEAP Employees to use the platforms and methods outlined above. The training topics include types of data & required protections, How to label data, Data sharing protocols, Data deletion and disposal, Records management, Data backup and Federal & state laws governing confidentiality; FERPA and NY Ed law.
  • We review practices, safeguards, and secure disposal of PII internally by conducting audits with our Program Operations department with recommendations for updated data privacy and security policies located on the DOE website: https://www.schools.nyc.gov/about-us/policies/dataprivacy-and-security-policies
  • We carry liability insurance for all locations listed above.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

LearningTimes

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 6/1/2023 – 6/30/2025.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. LearningTimes produces a variety of interactive online events for the NYCDOE. These include the monthly PEP & Contracts meeting; Joint Public Hearings for the Office of District Planning; CEC Chancellor Town Halls; and annual hearings for schools in receivership.

LearningTimes utilizes 1 vendor for the webcasts we provide. Zoom is a platform for meetings/webinars and is widely used by the DOE. LearningTimes has 28 Zoom licenses that are used to support DOE events. We do not exchange DOE data with Zoom, participants login directly. Storage of data and encryption is provided by Zoom.

The only PII we require is First Name, Last Name and email address. The purposes for this data is to send confirmation and reminder emails, identify participants in live events that may wish to offer public comment, and collect registration & attendance information for the NYCDOE.

Type of PII that the Entity will receive/access: Required PII is first name, last name and email address of event registrants.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and

written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. “LearningTimes utilizes 1 vendor for the webcasts we provide. Zoom is a platform for meetings/webinars and is widely used by the DOE. LearningTimes has 28 Zoom licenses that are used to support DOE events. We do not exchange DOE data with Zoom, participants login directly. Storage of data and encryption is provided by Zoom.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Storage of the limited data collected and encryption is provided by Zoom. There are only two LearningTimes administrators with access to the data which requires multiple step authentication, regular password changes on dedicated company desktop machines running approved security protection software.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Legal Interpreting Services, Inc. (also called LIS Solutions)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 11/1/2022 – 6/30/2024.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. LIS Solutions schedules and provides interpretation services to students and/or parents at the request of the NYCDOE. Services include onsite and virtual interpretation. PII may be required to schedule appointments, and accurate identify and contact persons receiving service.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, the entity agreed that “data can be destroyed at the NYC DOE’s request prior to contract expiration or termination.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Office 365. The entity also states that “while Processor utilizes a third-party vendor, Schedule Interpreter, they do not have access to any PII.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Processor has implemented the following safeguards to this environment:

  • Firewalls-ability to block unauthorized access while permitting outbound communications. inspection of in/out traffic. utilization of security rules identifies and block threats.
  • Intrusion Prevention Systems (IPS)- network security tool, continually monitors the network for malicious activity and prevention management.
  • Data Encryption-security method, information is encoded and can only be accessed or decrypted by user with the correct encryption key.
  • Access Control Systems-security solution used in computer networks to ensure that only authorized and compliant devices and users can access network resources. Systems are designed to enforce security policies and protect against unauthorized or non-compliant access to a network.
  • Secure Authentication-Authentication is the process that an individual, application, or service goes through to prove their identity before gaining access to digital systems. i.e. Password, MFA, RSA token Biometrics.
  • Data Loss Prevention (DLP)- security that identifies and helps prevent unsafe or inappropriate sharing, transfer, or use of sensitive data. in use, in motion and at rest. i.e. Malware Phishing, Ransomware, insider threats.
  • Data received from NYC DOE store on separate SharePoint Sites with limited access (only Process Program Management Staff supporting NYC DOE have access)
  • Data classification and handling/training of Processor Staff
  • Security incident response-processes and procedures developed in accordance with NIST 800-171 (and the Federal Government’s Cybersecurity Maturation Model Certification, CMMC) to minimize the impact of the incident, contain the threat, and restore normal operations as quickly as possible. i.e. unauthorizes access to, or use of, systems, software, and or data.
  • Complex password requirements and MFA authentication for Processor users who are allowed access to the environment. Note: Interpreters do not have access to this environment nor does Schedule Interpreter.
  • Systematic application of management policies, procedures, and practices to the task of establishing the context, identifying, analyzing, evaluating, treating, monitoring, and communicating information security risks. i.e. Malware Phishing, Ransomware, all external/ internal threats.
  • Use of SOC 2 TYPE 2 certified facilities only 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

LES Global

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2022 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. LES GLOBAL, LLC (L.E.S) provides crisis prevention services to underserved families, over aged & under credited students experiencing social and emotional hardships and at- risk of not graduating high school. We support Schools and Communities and their scholars who struggle to meet NYC educational requirements, for schools’ promotion and or graduation by utilizing our ROADS Logic Model: Removing Obstacles Achieving Dreams. The ROADS Program handholds students struggling to complete work or get to school on time while communicating with teachers to ensure work is complete, we initiate transfers to more suitable schools in the best interest of the student and we also locate missing students who don’t come to school in hopes of getting them back into an educational setting.

Our trained staff, advocates and social workers must access PII information in order to comply with transferring of students for the R2A program. Students’ records, grades, IEP information, parent contact information, attendance reports and Record for Graduation Certification of Students (RGCS) Report in order to create an individual educational plan for each student. The student’s information and graduation reports are used to identify the number of credits they currently have, how long it took them to get them, how many they need to graduate, if they will age out of high school before classes are complete, to determine a suitable alternative educational solution, to understand the students struggles and be able to advocate on their behalf and to their parents and to compare it to their transcripts. All DOE transfer schools require students’ records be printed and provided before students can be accepted into their schools. Student records such as Immunizations must be provided to the schools by the students’ parents but are also required for acceptance into programs. Some students in the ROADS program can retake classes and receive tutoring which leads to graduation while others require transfer to alternative schools more suitable and then we have displaced students we find across the country that we enter into a new educational program. Students and families have access to our social workers as well, in order for social and emotional support to be successful, these professionals must access records in order to properly assist these families. Ultimately, we do whatever is necessary to assist the underserved students to be successful too and through high school.

All PII data requested is a requirement of the DOE transfer process or is necessary to make an alternate & individualized plan for a student to promote the best graduation outcome. Data/reports required as follows:

Transcripts/grades: Used in all LES ROADS to determine a students alternative learning approach and approach to graduation success. Transcripts shows the types and levels of classes a student took from grades 9 through 12 and also shows how many pass/fail classes a student took and may include any courses a student dropped or failed to complete.

Individualized Education Program (IEP): An IEP lays out the special education instruction, supports, and services a student needs to thrive in school. This information is used for students with IEPs only to ensure a student is receiving full accommodations necessary.

Parent/Guardian Contact Information: LES uses this contact information to gain permission for students under 18 to get services from LES. This information is also used to locate missing students and make house calls as part of the ROADS Road to Dropout Prevention Program. This is used in ALL ROADS Programs as parents must remain apart of the students individualized plan.

Attendance Reports: Reviewing these reports allows staff to determine the type of school suitable for a student. Due to various personal needs some students require a school setting in the evening, or one with job/school combos or even online schools. This allows individualized plans based on family needs. Used in all ROADS Programs.

Record for Graduation Certification of Students Report (RGCS): This report sums up a students ability to graduate, if they are about to age out of school and tracks their high schools success and failures. Used in all ROADS Programs.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the Entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. LES considers security of PII to be of utmost importance. We safeguard PII through a combination of policies, procedures, training, segregation of duties and robust systems, security and technology. We mitigate data privacy and security risks by following and adhering to industry protocols, standards and practices, employing up to date technology, training and segregation of duties and user access controls. We also perform background checks on our employees, encryption of confidential information in transit and at rest, and limiting user access to confidential information based on role.

  • LES uses Google workspace: A cloud-first, browser-based approach that is constantly updated – no need for local devices, native apps, or email attachments. It has built in controls, encryption, and verification with a Zero Trust approach that enables employees to work from anywhere and eliminates the need for VPNs.
  • Email: PII information is never shared via email. We use the workspace to share information within the organization only.
  • Computers: Are password protected and remain at DOE schools.
  • Data Security Training: All staff must take yearly training on Data Security
  • Staff: Access to PII information can be eliminated at any time with the click of a button by management for any reason.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Lessonbee

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Lessonbee Inc. is a health education content provider and digital platform. We will be providing health education content to NYC schools. The purpose of receiving or accessing PII is for the use of onboarding students to the platform or providing SSO access through integrations such as Clever so that teachers can assign content to students. The PII that will be accessed includes first name, last name, and email address.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The security of your Personal Data is important to us, and we strive to implement and maintain commercially reasonable security procedures and practices appropriate to the nature of the information we store (e.g., encryption), in order to protect it from unauthorized access, destruction, use, modification, or disclosure. In general, we only store children’s Personal Data in pseudonymized and encrypted databases with access control. Lessonbee adheres to N.Y. education law 2-d and federal laws to protect the confidentiality of PII, and provide industry standard and best practices safeguards, including but not limited to, encryption, firewalls, and password protection, when data are stored or transferred.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Level All

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Level All is a web-based application that is accessible via the internet through a web browser. The application surfaces useful content to students, guardians, and educators on their academic, career, and collegiate journeys while also providing measurable activities to mark progress. Level All will collect some student PII such as name, email address, graduation year, and birth date. Level All does not share student confidential information, and only collects it to properly set up the accounts and curate the journey based on the student’s graduation year.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud SQL, Segment, MixPanel, Customer.io.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII is encrypted both in transit and at rest. All PII is stored on servers in the US and is only accessible by select Level All employees within the US. All Level All source code is automatically scanned multiple times per day to check for security vulnerabilities.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Lexia Learning Systems

The exclusive purposes for which Protected Information will be used: The provision of literacy learning services.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Lexia flows down all data privacy and security requirements to sub-contractors working on services provided to NYC DOE (if any). Employees undergo training and abide by the Data and Security Plan (attached above and in accompanying documents).

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: After 30 days of expiration of the agreement, or upon NYC DOE request, Protected Information is (at NYC DOE’s option) returned or destroyed. 

[NYC DOE comment: The current agreement became effective starting on July 1, 2020 and terminates when all NYC DOE schools and/or offices cease using Lexia Learning Systems LLC products/services. The terms of the agreement remain effective through the period during which Lexia Learning Systems LLC possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information is only stored within the United States.
 

How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted in transit and at rest in accordance with then current best practices with regards to data security and cryptography. For more information, please see attached documents.

Lexia Voyager Sopris (formerly Voyager Sopris Learning)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 5/01/2021 – 6/30/2028

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Lexia Voyager Sopris Inc. provides online and print professional development, assessment and educational curricula for students including the following programs:

  • Vmath: This program is a targeted math intervention program for struggling students in grades 2–8 that provides additional opportunities to master critical math concepts and skills.
  • Vmath Live: This program empowers students in grades K–8 to master math content at their own pace in a motivating online environment.
  • LANGUAGE! Live: This program provides foundational and advanced reading intervention including peer-to-peer instruction; for Grades 5–12.
  • eSolution: This supplemental program extends timed, paired readings to include complete online vocabulary expansion and comprehension lessons.
  • TransMath: This program is a comprehensive math intervention curriculum that targets middle and high school students who lack the foundational skills necessary for entry into algebra and/or who are two or more years below grade level in math.
  • REWARDS: This program provides blended reading and comprehension intervention for Grades 4-12 with goals to increase fluency rates, deepen comprehension of informational and content-area texts, and increase precision in sentence writing.
  • Step Up to Writing: This comprehensive K-12 program offers multisensory writing strategies that develop ability to create thoughtful, well-written compositions across all content areas.
  • LETRS: The LETRS® (Language Essentials for Teachers of Reading and Spelling) Suite is professional learning that provides educators and administrators with deep knowledge to be literacy and language experts in the science of reading. LETRS teaches the skills needed to master the fundamentals of reading instruction—phonological awareness, phonics, fluency, vocabulary, comprehension, writing, and language.
  • Voyager Passport: This program provides blended literacy intervention for Grades K-5.
  • Reading Rangers: This program provides online reading practice for Grades K-5.
  • Only a minimum amount of personally identifiable student data required for the setup of the system is requested. We require student first name, student last name, and student identification number.

Additional data, not specific to the student, is also required to complete system setup, including the teacher first and last name, class name, grade level, and school name. Student demographic data, for the purposes of optional disaggregated reporting, is requested separately from the initial setup data and is obtained only with written permission from your district. This information is not shared and is used to track student progress and achievement within the proposed solution.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using an Entity-owned and/or internally hosted-solution.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We maintain administrative, technical and physical safeguards designed to secure student data, as provided by NYC DOE, both during transmission and while in our custody. These safeguards include technical and operational measures, such as firewalls, routers, encryption (at rest and in‐transit), passwords, and vulnerability testing, as well as training, policies and procedures to limit access to NYC DOE provided data to authorized staff, contractors and agents that have a legitimate need to access such data for purposes of enabling us to deliver and support our products and services to the NYC DOE, and that are under appropriate contractual obligations of confidentiality, data protection and security.

No student PII is ever public. Our applications are designed to keep this information private and secure. It is never discoverable by the public.

  • Voyager Sopris is ISO-27001 certified.
  • The Company has a formal onboarding and off-boarding procedure where access to database assets are formally granted and revoked respectively; access is only granted to employees who need access to support the online products as we ascribe to the principle of least privilege.
  • The Company provides student data privacy training to all employees and contractors who access our network.
  • The Company employs a 3rd party company to conduct both COPPA and FERPA compliance audits.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

LibraryPass

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. To enable authentication of a student and to provide access to the Comics Plus service.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Library Pass takes security measures very seriously. Security is broken up into two separate sections.

Policies and Procedures - LibraryPass currently has security policies and procedures for each of the following areas:

  • Access Control
  • Audi and Event Logging
  • Cloud and Network Security
  • Data Backup and Restoration
  • Data Protection and Encryption
  • Incident Response
  • Password Management
  • Software Development
  • Website and Software

These policies allow LibraryPass to monitor and manage all users with internal access as well as update security access as needed.

Technical

  • Network Security
    • User Access
      • IAM Access Keys are used with specific IAM roles defined to limit access to different AWS resources
      • Password are rotated every 90 days
      • VPC and Security Groups
      • Server access is limited to security group access even to each other and DB
      • All servers are on different VPC networks depending on functionality.
    • Firewall
      • Web Application Firewall for AWS to have firewall and bot detection
      • IP2 Location
      • IP2 Location services for routing of traffic to specific security protocols.
  • Content Security
    • Streaming
      • We use end to end encryption when transmitting any data to/from the client and our servers in the form of SHA256 RSA encryption and validated with an SSL certificate.
      • Users are authenticated using different authentication methods set up per the institution's specific requirements. Passwords stored in our database are hashed using a strong one-way hashing algorithm with a random salt per user.
      • All API communication uses a combination public and private key for validating access to protected data. The keys are encrypted along with unique user information and encrypted with SHA256. Keys are rotated every 6 months and kept in private environment files on the servers only.
      • URLs and API calls for the pages data is tied to the logged in user with secure keys and server side sessions. API calls are also time based so they expire after a short period of time.
      • The data for pages (URL or Image Data) is never added into the HTML DOM so users are not able to just view the source or easily grab the list of URLs for the images/pages that are displayed.
      • Once Image files are loaded into the browser’s memory, they are drawn into an HTML5 canvas which eliminates the ability for users to simply copy the image from the context menu (right-click).
    • Download for offline reading
      • We use end to end encryption when transmitting any data to/from the client and our servers in the form of SHA256 RSA encryption and validated with an SSL certificate.
      • We have a proprietary file format named CB files.
      • Our CB files implore an unpublished file/data format that contains image data, indexing information and other metadata.
      • The content in the file is secured with a unique hash that needs to be validated before content can be read. The unique hash is a combination of file metadata and user information.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

LightSail

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. To fulfill the services requested by NYC DOE. Specifically to provide to schools LightSail’s Online literacy platform providing initial and ongoing Lexile and standards aligned assessment, full book/novel reading experience, accommodations for struggling readers and data and reporting on reading performance and engagement. The platform comprises a patented educational e-reader and an adaptive e-book library.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subtractor, i.e. Microsoft Azure Cloud.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Here is a summary of controls in place:

  • Information Security Governance
    • A comprehensive set of Information Security Policies
    • A governance structure with defined roles and responsibilities
    • Periodic security assessments (internal/ external)
  • Operational Security
    • Role-based access controls following the least privileged principal
    • Strict password controls with multi-factor authentication
    • Incident management for responding to and containing incidents
    • Backups and disaster recovery plans for resilience
    • Physical security for accessing corporate assets/ facilities
    • Comprehensive vulnerability management program with automated assessments
    • Secure system development approach with OWASP compliance
    • Centralized logging and monitoring with automated alerts
    • Network segmentation with firewall protection
  • Data Security
    • Data classification scheme
    • Data encryption at rest with AES256bit or higher keys and in transit using TLS 1.2or higher
    • Data retention schedules
  • People Security
    • Background checks and code of conduct acceptance before employment
    • Continuous security awareness training
    • Employment termination/ change of responsibilities processes

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Lilo Consulting (also called Sync Grades)

Type of Entity: Commercial Enterprise

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Sync Grades is a software service, providing schools with a dynamic platform to track student attendance and other related and approved data over different periods in time.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

  • The Sync Grades platform is hosted by Amazon Web Services (AWS). AWS facilities are guarded by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Electronic intrusion detection systems are installed within the data layer to monitor, detect, and automatically alert appropriate personnel of security incidents. Ingress and egress points to server rooms are secured with devices that require each individual to provide multi-factor authentication before granting entry or exit.
  • Access to Sync Grades servers and hosting services is controlled by a two-factor authentication, and only accessible using a secure VPN.
  • Sync Grades requires passwords to have a minimum 8 characters, must contain alpha, numeric and punctuation. Active monitoring will deny access after multiple failed attempts (firewall and account suspension).
  • Sync Grades operational access requires 2-factor authentication (ssh-keypair and generated PIN from restricted VPN and IP points).
  • Sync Grades utilizes a centralized secure management system of all users and access levels.
  • Each system monitors all data transports, which are encrypted either via SSL/TLS or SSH within a VPN based environment. The primary service request are signed with an HMAC-SHA1 signature, which measures, monitors, and calculates from the request and the user’s privacy key.
  • The system will log all inboard and outboard requests, which are executed at the network, application, and persistence layers. This encompasses, but is not limited to os syslog, application logs, HIDS, and database calls both within and outside the Sync Grades VPN.
  • The Sync Grades configuration build and system provisioning is executed through version control and a centralized build configuration management tool. The system requires authentication and records the audit log of all infrastructure changes including but not limited to:
    • VM provisioning
    • package versions, identification and installation
    • input and configuration settings
    • application version deployment
    • network segment deployment

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Limosys

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2023 – 6/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Payment Accounts for Rideshare Services where we will provide ground transportation services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Will follow NYCDOE instructions. We can do both [securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII].” In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. AWS; and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All personally identifiable information (PII) collected will reside in an Amazon secured data structure, encrypted and/or tokenized. PII is separated into components that can only be put back together by our system interface. Logging into the system interface requires a unique user and password. Users are set with a need-to-know access level that matches their operational role.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Lingualinx Language Solutions

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. To perform written translations of transcripts and Individualized Education Plans (IEPs). Some of the documents translated as part of this service may contain student PII.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure Private Cloud – Fully Encrypted.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The safety and security of PII attained by:

  • Regularly conduct risk assessments to identify potential vulnerabilities and threats to PII. This helps in proactively addressing security risks.
  • Only allowing the transfer of PII to occur over an encrypted connection.
  • The storage of PII is fully encrypted and located in a Soc 2 Type II datacenter.
  • Conducting monthly internal\external vulnerability scans.
  • Conducting Bi-Annual penetration tests, performed by a neutral 3rd party.
  • Ensuring all employees undergo bi-annual PII\InfoSec training and ensure that staff members are aware of their roles and responsibilities in safeguarding PII.
  • Secure physical devices (e.g., laptops, servers, mobile devices) that handle PII. This includes measures such as device encryption, password protection, and tracking and remote wiping capabilities for lost or stolen devices.
  • Regularly back up PII and ensure that a robust data recovery plan is in place to minimize data loss in case of a security incident.
  • Strong access controls to ensure that only authorized personnel have access to PII. This includes user authentication, role-based access controls, and encryption. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Literably

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 8/1/2022 – 7//31/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Literably is an online elementary reading assessment. We receive PII in order to provide and improve our services to schools.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All PII is stored on a password protected encrypted database located on a remote server. Literably conducts routine security audits and employs the use of monitoring software to track security risks within the dependencies that are used to build the product. Further, our employees and contractors are required to protect personal information in a manner consistent with our Privacy Policy.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Literacy Resources (for myHeggerty)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 3/1/ 2022 – 6/30/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Literacy Resources, LLC, through the NYC DOE’s “Core Curriculum” program and purchasing agreement, is providing the NYC DOE teachers and staff with access to the online resource program, “myHeggerty”. myHeggerty provides teachers and staff with tools and resources necessary to implement the Heggerty Phonemic Awareness curriculum with fidelity. myHeggerty includes access to the use of an online assessment tool, where teachers and staff may voluntarily enter student assessment scores and observational data for analysis purposes.

Type of PII that the Entity will receive/access: Student PII and NYC DOE staff basic demographic data (First name, Last name, Email address).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYCDOE, or to a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.  Student and teacher data is encrypted, all communication is encrypted, malware scans are performed daily, web application firewall is in place, secure daily offsite backups with 90-day history are performed. Literacy Resources, LLC administrator access is restricted to approved IP addresses. All data is stored in a MySQL database powered by Google Cloud SQL. The security of this data will be ensured by encryption while in motion by using TLS 1.2 or greater and at rest by Google Cloud SQL Encryption with keys managed by Google.

Processor maintains compliance with federal and state laws regarding data privacy and security, and is in compliance with PCI DSS Security Standards with regards to the processing and handling of sensitive data.

Processor employs a series of protection measures to protect both internal infrastructure and cloud-based data processing resources, and regularly conducts tests to ensure the security, including regular penetration tests, vulnerability scans, etc.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Literacy Trust

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Literacy Trust provides intervention services to many schools across NYC, either through directly contracting with schools or through the generous donations of various funders. Schools who partner with us select some of their staff to work as reading tutors. These staff receive training, materials, and coaching from a Literacy Trust Program Manager so that they can easily provide high-quality instruction to individual students or small groups of students who need extra help with reading.

Tutors enter attendance information in our online platform. They also enter information about the lessons they teach, as well as entering their students’ assessment results every 2-3 weeks. PII is necessary to help tutors make decisions about how best to meet students’ needs.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity h