Vendors I-Q

IBM (for Decision Action Item Tracking System, Impartial Hearing Financials, and Impartial Hearing Management System)

Type of Entity: Commercial Enterprise

• DAITS and IHF Contract / Agreement Term: Approximately 8/1/2024 -7/31/2026 (based on contract approval).
• IHMS Phase 2 Contract / Agreement Term: Approximately 3/1/25 – 10/31/2025 (based on contract approval).

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

DAITS and IHF – The objective of the project is to support the LV Order dated July 19, 2023, is intended to meet three high level goals:

• Stabilize the applications Decision Action Item Tracking System (DAITS) and Impartial Hearing Financials (IHF).
• Implement enhancements to the IHF application.
• Implement enhancements to the DAITS application.

The above high-level goals are in support of LV Order directive 24. The student PII will be used on as needed basis to troubleshoot issues for the specific student, to ensure data correctness as per incident ticket. PII may also be accessed for customer service purposes to verify and validate the identity of the student as needed.

IHMS Phase 2 –  IHMS Phase 2 aims to enhance its capabilities by integrating Special Education Legal Processes and Financial Transactions. This includes creating a parent experience through the New York City Schools Account (NYCSA) portal, allowing parents to access legal documentation and processes in the context of their relationship with the Department of Education. Furthermore, it expands support for processing Court Appeals and Request for Review filings from State courts, streamlining the Office of General Counsel's operations. Financial functionalities will also be improved, reducing the need for manual Pay Memo submissions and enhancing Impartial Hearing Office (IHO) accounting for invoicing, particularly in handling Liquidated Damages. Lastly, IHMS will be integrated with the Extensions Reporting Application to receive information entered by Hearing Officers from the NYSED system, ensuring smoother data flow and coordination.

In connection with IHMS Phase 2, IBM may process NYC-DOE’s client’s Personal Data on behalf of the NYC-DOE solely based on the NYC-DOE’s instructions and/or to address the requirements as mentioned in the RFP which in turn will help DOE to have up-to-date information in the new system.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: No PII will be stored or hosted by Entity, only accessed.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: No PII will be stored or hosted by Entity, only accessed.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Access to DOE systems is provided to authorized staff. PII is not directly available to any user through a database, etc. Access to data is provided by DOE after background checks and onboarding processes are completed. Any staff have access to data through a need based/Role Based setup done and administered by DOE.

(IBM) conducts pre- and post- employment checks for all staff including, Pre-employment background checks Technical skills assessments, Security training and awareness programs, and Social engineering testing.

Additionally, to protect data privacy, IBM has several data privacy and security policies staff are meant to abide by including:

• Policies for handling Personal Information appropriately and establishing the principles behind their practices.
• organizational responsibilities on privacy and the ethical development and application of technology.
• instructions on data governance and ensures that personal information is handled securely and responsibly.
• policy to help to prevent unauthorized access.
• IT security policies and procedures to safeguard against threats and vulnerabilities.

IBM also provides resources like the Privacy@IBM Knowledge Base, AI Ethics@IBM Knowledge Base, and Using Data@IBM Knowledge Base to help IBMers understand and comply with data privacy regulations and best practices. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

iChineseEdu (for iChinese Reader)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. PII is used to set up accounts for teachers and students, and connecting with SSO. 

Type of PII that the Entity will receive/access: Student PII and Other (teacher’s information, class assignment, and students’ class assignment)

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. “All PII data is stored in the AWS database, which can’t be access directly. Customers need accounts to use the app. The APIs relative to PII data need to be called with authtoken, which can be got by login successfully. SchoolAdmin account can access teachers and students PII data in the school, teacher account can access teacher and students PII data in the class, student account can access his/her PII data, parent account can access his/her children’s PII data.”

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Idiom Publishing Co

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Idiom Publishing Co., Inc. is offering Digital Yearbooks to the students of NYC. The only PII Idiom needs is a student’s NAME and EMAIL address, which is necessary to create a login credential to allow students to access their Digital Yearbook.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. “Idiom may retain PII beyond the term of the agreement for Subject Students who have provided duly executed express written consent.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All student Personal Information will be protected with multiple programs both within the company as well as programs provided by the company (AWS) that hosts the servers that contain the digital yearbook. Information will be restricted to authorized personnel only. Cyber incidents will be addressed immediately and the DOE will be notified within 24 hours. Students PII will be protected using all industry standards such as encryption, firewalls, and password protection and there will be regular training on data privacy. Additionally, data will be encrypted both at rest and in transit. As data will be stored with AWS, they will use secure physical access to data centers, server rooms and other facilities where PII is stored.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Illuminate Education

The exclusive purposes for which PISI will be used: The provision, implementation, administration, and/or maintenance of K-12 education technology products and services related thereto.

How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: Any and all subcontractors or other authorized persons or entities that Illuminate shares data with will be required to enter into strict confidentiality provisions in accordance with similar terms contained herein, and Illuminate retains the right to demand certification of compliance to said terms.

When the agreement expires and what happens to PISI upon expiration of the agreement: There is no one set term for the non-disclosure agreement, as individual schools may purchase Illuminate’s products or services at different times and for different periods. Within thirty (30) days of the termination of any license or data sharing agreement, Illuminate destroys all PISI. The data privacy and security terms of Illuminate’s agreement with NYC DOE will remain in effect for as long as Illuminate is in possession of NYC DOE confidential information. [NYC DOE additional information: The current agreement became effective starting on January 24, 2020 and remains effective through the period during which Illuminate Education, Inc. possesses or otherwise is in control of covered protected information, which varies depending on the services a given school purchased from Illuminate Education, Inc.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. Challenges should be emailed to studentprivacy@schools.nyc.gov or mailed to the attention of the Chief Privacy Officer Rm 308, NYC Department of Education, 52 Chambers Street, New York, NY 10007. [NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov]

Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: All PISI data is hosted primarily with Amazon Web Services, and there are select products hosted with Google Cloud Platform, which are being migrated to AWS. AWS hosts the data in the United States. Either provider’s SOC2 report is available upon request or can be accessed by contacting AWS or GCP directly.

How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted at both rest and in transfer in accordance with NIST Cybersecurity Framework requirements.

ImageWork Technologies

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 3/01/2023 – 2/28/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Our IT consultants are providing IT Services for NYC DOE's OPE division, under the DOE's MWBE contract # P0030. Under this contract, ImageWork is serving DOE as a staffing service provider, placing one Senior Project Manager/BA, one Full Stack Developer, one Data Developers one UX/UI Designer /Developer, one Senior QA Analyst and one Document Writer in the team towards staff augmentation. We understand that our consultants might have access to PII data during their services under this project. But no data of any kind of PII or otherwise, will be removed from DOE systems and none will be shared with our company or anyone outside. It is important to note that this is not a project managed by lmageWork, but it will be managed by the DOE managers at the DOE office. Further, our consultants will not be storing, collecting, or otherwise using PII on anywhere else but DOE-owned or controlled networks, data systems, devices, or applications, and so there will be no PII in its custody or control for it to delete or destroy. Our Access Control Mechanism will manage and govern access within the DOE Compliance Systems Modernization Project. This will have clear definitions as to accounts that can access DOE Compliance Systems Modernization and in what capacity and extent these accounts can access DOE Compliance Systems Modernization Project. We will create hierarchal role-based access control, that uses a Least privilege policy (LP2). We will implement our access control using Claims Based Identity Management for providing DOE’ users with an SSO (Single Sign-On) Experience while accessing DOE Compliance Systems Modernization Project. Our Authentication and Authorization mechanisms will elaborate in detail our proposed access control mechanisms. Team IMAGEWORK will implement a custom authorization manager for defining and identifying roles within DOE Compliance Systems Modernization Project. We will store roles in a Roles database and will have user map identifying the roles for each user. We will implement roles manager using “Principal” interfaces from ASP.NET framework. “Principal” Interface will allow for interoperability for roles management across all layers within DOE Compliance Systems Modernization Project. As part of our role management process, we will ensure that roles can be managed through a configuration editor. We will set up roles in a hierarchical manner that will identify various access levels for DOE, and respective modules. We will use windows Identity Foundation to extract and process claims form the authentication and authorization processes. Claims are set of properties, identifying who the user is and what roles they have. Claims are a globally accepted source for authentication exchanges, provided the claim originates from a trusted identity provider. The advantage of using Windows Identity Foundation for claims-based authentication is to enable the integration of the DOE Compliance Systems Modernization application with External Authentication providers or OAuth providers. This will be useful when DOE is ready to expose DOE Compliance Systems Modernization on Internet to offer True SSO.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third-party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: The Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We understand that our consultants might have access to PII data during their services under this project. We ensure that the data will be controlled and secured as per the DOE Guidelines and will not be harmed by our consultants. Further, our consultants will not be storing, collecting, or otherwise using PII on anywhere else but within DOE-owned or controlled networks, data systems, devices, or applications, and so there will be no PII in its custody or control for it to delete or destroy. ImageWork will limit access to Confidential Information by the following methods:

• Not use Confidential Information for any other purposes than those authorized in our contract.
• Confidential information will never be disclosed to anybody except fully authorized personnel but in special needs and provisions for advance reporting or critical updates to be communicated for time sensitive scenarios. Proper approval process will be followed and agreed by both lmageWork Technologies Corporation and DOE
• Maintain reasonable technical, administrative, and physical safeguards to protect Covered Confidential Information. Below listed are few highlighted action steps:
  • Proper encryption of data
  • Assess the Data to Encrypt
  • Formulate Industry standard Security Strategy
  • Establish Secure and Key Management
• Not sell covered Confidential Information, nor use Confidential Information for any commercial settings.
• Provide training on laws governing confidentiality to our officers, employees, and assignees with access to such Confidential Information.
• Notify the DOE of any security breach resulting in an unauthorized release of Confidential Information, and promptly reimburse DOE for the full notification cost.
• Below is high level procedure followed for reporting and handling security breaches.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Imagine Learning LLC

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Imagine Learning provides digital K-12 core, supplemental and intervention courses for each grade level. Our innovative teaching solutions use insights from real-time data to meet each student where they are and enable their success in class today and for a lifetime of learning. Users must create an account to access the product site. We use PII to create these accounts for students and teachers. Products include:

Core

• Imagine EL- A comprehensive, content-based K-8 core language arts program that utilizes real-world compelling texts to engage and excite learners.
• Illustrative Math- Offers the highest quality core math curricula for grades K–12, powered by a best-in-class integrated learning experience.

Supplemental

• Edge (Courseware)- Dynamic courses help students in grades 6–12 maximize their potential. Initial credit and credit recovery courses adapt to each student's unique learning journey.
• Purpose Prep- A CASEL-aligned social and emotional learning program for your primary and secondary students, as well as for your faculty and staff.
• Imagine Galileo-A forward-thinking ELA, SLA, math, science, and College Prep benchmark and formative assessment system for K–12 that offers a powerful blend of convenience and flexibility.
• Imagine Espanol- A rigorous and personalized program for Spanish language and literacy development in grades K–2, building the foundational skills of bilingualism, biliteracy, and cultural competency.
• Imagine Language & Literacy- Accelerate reading and language development in PreK-6 with our personalized learning solution designed to complement any core literacy program.
• Imagine Lectura- Empower bilingual students in grades 3–5 to unlock comprehension of authentic Spanish texts and succeed with grade-level learning tasks.
• Imagine Math- A supplemental math program that builds students' aptitude to solve problems and justify reasoning both inside the classroom and in day-to-day life, ultimately moving them beyond computation to real comprehension.
• Imagine Math Facts- With award-winning gamification, make practicing fluency in addition, subtraction, multiplication, and division fun, fast, and effective for elementary students.
• Imagine Reading- Scaffold learning for students in grade 3–8 using a library of exemplary genre texts to pique interest and deepen comprehension and conversation.

Intervention

• MyPath- An intervention solution for math that delivers targeted, age-appropriate learning paths for all students, and targets achievement gaps using our intuitive Smart Sequencer™ technology.
• Pathblazer- Is a personalized intervention program for K–6 designed to accelerate struggling learners in math and reading toward grade-level achievement using data-driven learning paths.

Instructional Services

• Imagine Learning virtual instructors are highly qualified, certified teachers who prioritize student success in K–12. They work across time zones and devices to provide students with the personalized instruction and the support they need to learn, grow, and reach their full academic potential.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Other: Upon the earliest of any of the following (i) whenever requested by the BOE, (ii) whenever the Processor no longer needs the Confidential Information to provide the Services to the BOE, (iii) whenever a BOE school or office ceases use of a product or service of the Processor, with respect to the Confidential Information Processed for the school or office with respect to that product or service, or (iv) no later than upon termination of this Agreement, the Processor shall promptly (a) with respect to physical copies of Confidential Information, surrender, or if surrender is not practicable, securely delete or otherwise destroy Confidential Information and (b) with respect to digital and electronic Confidential Information, securely delete or otherwise destroy Confidential Information remaining in the possession of the Processor and its Authorized Users, including all hard copies, archived copies, electronic versions or electronic imaging of hard copies of such data.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS and Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. In addition to the protections afforded by our cloud hosting providers, practices employed at Imagine Learning to protect personal data include, but are not limited to:

• Data encryption. Data is encrypted in transit and at rest.
• Access. Access to personal information is restricted to a limited number of Imagine Learning employees who need such access to perform their job.
• Data Systems Monitoring. Imagine Learning employs several third-party services that continuously monitor and scan our online services for vulnerabilities and misconfigurations. Employees dedicated to operating our services monitor these services and receive automated alerts when performance falls outside of prescribed norms.
• Incident Response Plan. Imagine Learning regularly reviews and maintains an incident response plan.
• File Transfer Protocol. Data is securely transferred to Imagine Learning using File Transfer Protocol (FTP) over secure (SSL/TLS) cryptographic protocol.
• Firewalls. Anti-virus software and firewalls are installed and configured to scan our systems. The firewall is periodically updated and configured so that users cannot disable the scans.
• Security audits. Imagine Learning conducts security audits and code reviews, both by outside providers and by executive summary.
• Secure programming practices. Imagine Learning software developers are aware of secure programming practices and strive to avoid introducing errors in our applications (such as those identified by OWASP and SANS) that could lead to security breaches.
• Account protection. Each user of Imagine Learning is required to create an account with a unique account name and password. Single Sign-On (SSO) users are authenticated with secure tokens.
• Facility security. Imagine Learning is located inside the continental United States. Physical access is protected by electronic access devices, with monitored security and fire/smoke alarm systems.
• Security Breach. In the event of a security breach that results in unauthorized release of personal data, Imagine Learning will notify affected customers of such breach, will investigate, and will restore the integrity of its data systems as soon as possible. We will fully cooperate and assist with required notices to those individuals affected by such breach.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Impacter Education Corporation

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. IMPACTER PATHWAY is a comprehensive web-based Social-Emotional Learning (SEL) platform designed to foster personal growth and character development in students. This innovative platform is utilized within schools to provide students and educators with a suite of online tools and resources aimed at promoting self-awareness, empathy, resilience, and responsible decision-making.

IMPACTER PATHWAY requires access to Personally Identifiable Information (PII) for the primary purpose of providing teachers and administrators with targeted analytics and data-driven insights regarding student growth and performance in Social-Emotional Learning (SEL). Specifically, PII is necessary to enable the following:

• Track individual student progress and growth in SEL competencies over time.
• Analyze and visualize grade-level trends and comparisons in SEL development.
• Provide detailed reports on class/section-level SEL performance to inform instructional strategies.
• Compare SEL growth and achievement across relevant cohorts
• Deliver targeted recommendations and interventions based on individual student needs.

By accessing key PII elements such as student names, identification numbers, grade levels, and demographic information, IMPACTER PATHWAY can generate comprehensive analytics dashboards and reports. These data-driven insights empower educators to monitor student progress, identify areas for improvement, and tailor SEL instruction to meet the diverse needs of their student populations effectively.

Ultimately, the purpose of receiving and processing PII is to enhance the educational experience by providing educators with the tools and information necessary to support the holistic development of students' social-emotional skills, a critical component of their overall success and well-being.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. “The Processor will securely delete and destroy all Personally Identifiable Information (PII) upon termination of the Agreement or when no longer required to provide the agreed-upon services. No data, including de-identified or aggregate data, will be retained beyond the termination or expiration of the Agreement.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Impacter Pathway is committed to data privacy and mitigating security risks. To this end, we employ the following administrative, technical, and physical safeguards:

• Administrative Safeguards
  • Comprehensive Data Security Policies and Procedures: IMPACTER PATHWAY has implemented robust data security policies and procedures that govern all aspects of PII handling, from collection and storage to access and disposal. These policies are regularly reviewed and updated to ensure compliance with industry best practices and regulatory requirements.
  • Access Controls and Least Privilege: Access to PII is strictly controlled and granted based on the principles of least privilege and need-to-know. Employees and authorized personnel are granted access only to the specific data and systems necessary to perform their job functions, minimizing the risk of unauthorized access or misuse.
  • Role-Based Access Management: IMPACTER PATHWAY employs a role-based access control system, where access privileges are assigned based on job roles and responsibilities. This approach ensures that individuals have access only to the information and resources required for their specific roles, further enhancing data security.
  • Regular Access Reviews: Periodic reviews of access privileges are conducted to ensure that access levels remain appropriate and aligned with the principles of least privilege. Any changes in job roles or responsibilities are promptly reflected in access rights, preventing unauthorized access to PII.
  • Employee Training and Awareness: All employees and authorized personnel undergo mandatory data security and privacy training to ensure they understand their responsibilities in handling and protecting PII. Regular awareness campaigns and refresher training sessions are conducted to reinforce best practices and maintain a culture of data security.
• Technical Safeguards:
  • Encryption in Transit and at Rest: IMPACTER PATHWAY employs industry-standard encryption technologies to protect PII both in transit and at rest. Data transmitted over networks is encrypted using secure protocols such as HTTPS and TLS, while data stored in databases and backups is encrypted using strong encryption algorithms like AES-256.
  • Secure Data Centers: IMPACTER PATHWAY's data is hosted in secure, state-of-the-art data centers operated by industry-leading cloud providers like Amazon Web Services (AWS). These data centers employ robust physical and environmental controls, including biometric access controls, video surveillance, and redundant power and cooling systems.
  • Vulnerability Management: IMPACTER PATHWAY has implemented a comprehensive vulnerability management program that includes regular vulnerability scanning, patch management, and prompt remediation of identified vulnerabilities. This proactive approach helps to minimize the risk of exploitation and ensure the ongoing security of systems and data.
  • Incident Response and Disaster Recovery: IMPACTER PATHWAY maintains a detailed Incident Response Plan and Disaster Recovery Plan to ensure prompt and effective response to security incidents and data breaches. These plans outline procedures for containment, forensic analysis, notification, remediation, and recovery, minimizing the impact of incidents on data security and operations.
• Physical Safeguards:
  • Secure Facilities: IMPACTER PATHWAY's corporate offices and facilities are protected by physical security measures, including access controls, video surveillance, and alarm systems. Access to sensitive areas is restricted to authorized personnel only, further safeguarding PII and system components.
  • Environmental Controls: IMPACTER PATHWAY's facilities are equipped with appropriate environmental controls, such as temperature and humidity monitoring, fire suppression systems, and power redundancy, to protect against environmental threats and ensure the continued availability and integrity of data and systems.
  • Media and Device Security: IMPACTER PATHWAY enforces strict policies and procedures for the secure handling, storage, and disposal of physical media and devices containing PII. These measures include secure storage, data sanitization, and destruction protocols to prevent unauthorized access or data leakage.

By implementing these comprehensive administrative, technical, and physical safeguards, IMPACTER PATHWAY ensures the protection of PII and mitigates data privacy and security risks throughout the data lifecycle, from collection to disposal. Additionally, regular risk assessments and continuous improvement efforts are undertaken to identify and address potential vulnerabilities, ensuring the effectiveness of the security measures in place.   

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Improve LLC and EdTechLive LLC (also called LessonLoop)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Improve and LessonLoop provide comprehensive professional development and advisory services to educators, with a focus on use of instructional technology to support student achievement. Our professional development workshops are customized to district and personnel needs and evolve based on participant needs and feedback. We use an evidence-based approach to recommend instructional technologies and strategies using peer-reviewed quality research to support our work. LessonLoop also provides a web-based professional learning platform that translates anonymous student voice survey data on their learning experience into instant insight and personalized evidence-based teaching strategies to create more engaging and effective class lessons. By collecting real-time learner engagement analytics with an anonymous survey at the end of a class lesson, LessonLoop empowers teachers to quickly and systematically identify students’ learning experience catalysts and barriers to make immediate instructional adjustments on a continuous basis. Based on the lowest scoring questions and the class lesson, teachers received personalized research-based instructional recommendations.

PII is to make administrator, teacher and student user accounts, and ensure equity in survey responses..

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

NYCDOE Data Security Measures.

We prioritize the protection of Personally Identifiable Information (PII). All PII is stored securely online, with access restricted to necessary personnel only. Our operations are virtual, with four levels of data security protection including 1) Password and virus-protection on work devices. 2) Firewall access activated through device operating systems, 3) Protections build into home or office router's OS that prevent navigating to unsafe sites. 4) File password protection.

Staff Training and Policies

All employees and subcontractors undergo initial and annual refresher training on our administrative, operational, and technical safeguards. These include:

• Prohibiting the sharing of NYCDOEPII outside NYCDOE authorized contexts.
• Managing our Data Protection and Security Plan (DPSP) by the Chief Technology Officer.
• Implementing best practices for physical and digital security.
• Regularly reviewing and updating our DPSP.

Operational and Technical Safeguards

• We ensure electronic records and servers are secured and access-controlled:
• All data is encrypted in transit and at rest.
• Stored on AWS servers, with role-based access limiting exposure to sensitive information.
• Transcribed audio recordings are securely destroyed after use. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

In Class Today

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. In Class Today will receive PII for the exclusive purpose of implementing an attendance support program. The program includes the analysis of student attendance data to select students most likely to benefit from the program, and the delivery of mailed attendance letters to the parents and guardians of selected students.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services, Moonlight BPO, Box.com, Files.com, and Twilio.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All Protected Information is encrypted to a minimum 256-bit encryption standard, both in transit and at rest.

Only those In Class Today personnel and subcontractors who need to access Protected Information to perform the services outlined in the contract will be administratively, operationally, and technically authorized to access that information.

Access to Protected Information is password-protected, and strong passwords are enforced and stored only in encrypted vaults.

All systems that are used to store, access, transmit, or otherwise use Protected Information enforce a one user, one account policy. Within all systems used to store, access, transmit, or otherwise use Protected Information, each individual’s access will be limited to the Protected Information they need to access in order to perform the service.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Inspiring Minds (for Community Schools services)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/22/2022 – 7/21/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Inspiring Minds will provide a holistic community school model which will provide leadership development during the day, sports enrichment activities, extra-curricular afterschool programs, professional development workshops for teachers and serve as a thought partner to the school admins to serve the children of the campus. Inspiring Minds, at times, may data logs PII (Personal Identifiable Information) on all program participants. PII is used to make user accounts and track student progress within our programs. We employ strict safeguards and a PII protection policy to keep this data private and to ensure the integrity of the data.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Confidential data requires additional security controls in order to ensure its integrity. The company requires that the following guidelines are followed:

• Strong Encryption. Strong encryption must be used for confidential data transmitted external to the company. If confidential data is stored on laptops or other mobile devices, it must be stored in encrypted form.
• Network Segmentation. Separating confidential data by network segmentation is strongly encouraged.
• Authentication. Strong passwords must be used for access to confidential data.
• Physical Security. Systems that contain confidential data should be reasonably secured.
• Printing. When printing confidential data the user should use best efforts to ensure that the information is not viewed by others. Printers that are used for confidential data must be located in secured areas.
• Faxing. When faxing confidential data, users must use cover sheets that inform the recipient that the information is confidential. Faxes should be set to print a confirmation page after a fax is sent; and the user should attach this page to the confidential data if it is to be stored. Fax machines that are regularly used for sending and/or receiving confidential data must be located in secured areas.
• Emailing. Confidential data must not be emailed outside the company without the use of strong encryption.
• Mailing. If confidential information is sent outside the company, the user must use a service that requires a signature for receipt of that information.
• Discussion. When confidential information is discussed it should be done in non-public places, and where the discussion cannot be overheard.
• Confidential data must be removed from documents unless its inclusion is absolutely necessary.
• Confidential data must never be stored on non-company-provided machines (i.e., home computers).
• If confidential data is written on a whiteboard or other physical presentation tool, the data must be erased after the meeting is concluded.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Inspiring Minds (for Project Pivot)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Inspiring Minds will be developing leadership skills though basketball, martial arts and a youth conference for approximately 75 middle school students. We will need access to names, addresses, phone numbers and email addresses of the students participating in our program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE's option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor. Information will be collected and stored through a google survey application that transfers all data to an excel document.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Confidential information must be removed from desks, computer screens, and common areas unless it is currently in use. Confidential information will be stored on an encrypted excel document. Confidential data must not be 1) transmitted outside the company network without the use of strong encryption, 2) left on voicemail systems, either inside or outside the company's network.

• Confidential data requires additional security controls in order to ensure its integrity. The company requires that the following guidelines are followed:
• Strong Encryption. Strong encryption must be used for confidential data transmitted external to the company. If confidential data is stored on laptops or other mobile devices, it must be stored in encrypted form.
• Network Segmentation. Separating confidential data by network segmentation is strongly encouraged.
• Authentication. Strong passwords must be used for access to confidential data.
• Physical Security. Systems that contain confidential data should be reasonably secured.
• Printing. When printing confidential data the user should use best efforts to ensure that the information is not viewed by others. Printers that are used for confidential data must be located in secured areas.
• Faxing. When faxing confidential data, users must use cover sheets that inform the recipient that the information is confidential. Faxes should be set to print a confirmation page after a fax is sent; and the user should attach this page to the confidential data if it is to be stored. Fax machines that are regularly used for sending and/or receiving confidential data must be located in secured areas.
• Emailing. Confidential data must not be emailed outside the company without the use of strong encryption.
• Mailing. If confidential information is sent outside the company, the user must use a service that requires a signature for receipt of that information.
• Discussion. When confidential information is discussed it should be done in non-public places, and where the discussion cannot be overheard.
• Confidential data must be removed from documents unless its inclusion is absolutely necessary.
• Confidential data must never be stored on non-company-provided machines (i.e., home computers).
• If confidential data is written on a whiteboard or other physical presentation tool, the data must be erased after the meeting is concluded

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Instructure (for Canvas)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Instructure is providing Canvas LMS which is a software-as-a-service learning management system used by K-12 schools. Canvas LMS is used by learning institutions, educators, and students (collectively “end-users”) to access and manage online course learning materials and communicate about skill development and learning achievement. Canvas LMS includes a variety of customizable course creation and management tools, course and user analytics and statistics, and internal communication tools.

Instructure is receiving and accessing PII via Canvas LMS to (a) provide secure end-user access to Canvas LMS, (b) provide teaching and learning services (such as classes, quizzes, assignments), (c) facilitate communication between educators and students about courses and related work, (d) permit uploads of educator and student content related to their courses, and (e) provide course related analytics the learning institution.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Instructure maintains administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of personal information processed by Canvas LMS, as follows:

• Security policies are reviewed and approved by the executive leadership of Instructure on an annual basis.
• Canvas LMS is regularly assessed and tested by security staff and third parties.
• Use of Canvas LMS and network access policies are required in order to control and limit access to internal systems.
• Physical access to systems containing pesronal information is restricted.
• Access to Canvas LMS is based on the principle of least privilege, separation of duties, and is regularly reviewed.
• Applicable and necessary security patches are kept up-to-date.
• Use of default system passwords is prohibited and the use of a public/private key exchange is mandated on all systems including Canvas LMS.
• An employee information security policy is maintained that addresses employee responsibilities, including protection of confidential information.
• Employees receive annual security awareness training and must sign confidentiality agreements as a condition of employment.
• Remote access by employees to internal control and management systems is restricted and requires two-factor authentication.

Access Limitations

• Instructure restricts access to personal information only to those employees who have a need to know or otherwise access personal information to enable Instructure to perform its obligations under the Agreement; provided that (a) a background check has been conducted of its employees, and (b) such employees are bound in writing by obligations of confidentiality sufficient to protect personal information in accordance with requirements herein.

Personal Data Transmission

• All access into Canvas LMS utilizes secure protocol HTTPS; All clear text HTTP connections are disabled by default.
• Copying of personal information outside of Canvas LMS operations environment by any employee of Instructure is restricted by policy and only permitted for legitimate business needs.
• Personal information is transmitted into and out of Canvas LMS via secure TLS exclusively; SSL is disabled by default.

Data Storage, Retention and Availability

• Data retention timelines are defined for all elements of Canvas LMS.
• Instructure will ensure back up of Canvas LMS on a daily basis onto an electronic storage medium and shall store all such backups in separate geographic locations. Personal information contained in Canvas LMS is transmitted using secure protocols, on dedicated link, and stored in a secured facility for backup.

Security Breach Response

• Instructure maintains a security incident response plan and a team of personnel trained to identify, investigate, and respond to security issues.
• In the event of a security breach impacting personal information, Instructure will:
  • take immediate steps to remedy the breach;
  • notify the customer as soon as is practicable; and
  • take any other prompt actions towards prevention of any additional security breach.
• In any notification to the customer, Instructure shall, at a minimum:
  • provide a description of the incident, the personal information accessed, the identity of affected third parties, if any, and such other relevant information determined by Instructure, and
  • designate a single individual as a point of contact for the customer.

Third Party Testing

• Instructure contracts annually with a reputable third party security firm to conduct a comprehensive security audit (penetration test and web application vulnerability tests) of Canvas LMS.

Compliance

• Data center providers for the Canvas LMS operations environment maintain an AICPA SOC2 Type 2 report or a successor standard.
• Instructure maintains and follows change management processes. All changes to the Canvas LMS production environment are risk-assessed, logged, and approved. Releases to the Canvas LMS production environment are promoted through a pre-production test environment.
• The Canvas LMS operations environment is separate from the Canvas LMS development and staging environments.
• The Canvas LMS environments are separate from Instructure’s corporate IT environment.
• Logical access to the Canvas LMS infrastructure is restricted using the principles of least privilege and need-to-know.
• Access to all Instructure networks and systems are controlled by an authentication method involving a minimum of a unique user ID/password combination. Privileged users and administrators must use strong authentication.
• Remote network access to Canvas LMS is secured by an authenticated VPN.
• Canvas LMS is hosted in a Tier 3 SOC 2 Type II certified computing facility equipped with fully redundant power backup and fire suppression systems, 24/7 security guards, mantraps, controlled access, biometric authentication, and video surveillance.
• Security relevant events, including login failures, use of privileged accounts, changes to access models or file permissions, modification to installed software, or operating systems, changes to user permissions or privileges or use of any privileged system function, are logged on all systems.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Instructure (for Mastery Connect)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: Multiple dates depending upon the relevant Services Agreement(s).

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Instructure is providing MasteryConnect which is a software-as-a-service K-12 digital assessment management system. We limit our collection and use of personal information only to those elements required to operate our Products. Please note that if we process your personal information for a purpose other than the purpose for which it was collected, we will provide you with notice in advance of the new processing and obtain consent if required. We do not engage in automatic decision making, advertising to students, or profiling. We use the information described above to provide, analyze, and improve our products, including to:

• Create and maintain your account
• Identify you as a user
• Notate and assign support tickets
• Provide, operate, maintain, and improve our Products
• Personalize and improve your experience
• Contact you and communicate with you, including to respond to your comments or inquiries
• Provide customer support
• Solicit feedback about our Products, including by asking you to respond to surveys or questionnaires (with your permission)

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Instructure takes student privacy seriously. Instructure’s Mastery Connect SaaS product has robust administrative and technical controls to make sure that their information stays private. We've built our operations around international standards such as ISO 27001 and are audited by third parties to make sure that we're actually doing what we say we're doing. We use Amazon Web Services to host our software and they have technical and physical controls designed (and audited) to store everything from students’ homework to top secret documents at the FBI. We take security and privacy seriously and you can learn more at https://www.instructure.com/products/canvas/security

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Intellispark

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Intellispark provides a technology platform for improving student support. Key features include the ability to identify and assess student support issues, share relevant student information with designated teachers and other authorized members of a student’s support team, communication tools to enable team-based communication and collaboration, customizable libraries of available student supports, customizable workflows to notify responsible parties of issues to be addressed, and reporting of support interactions and outcomes. Intellispark will use PII provided by the district solely to enable district users to track and address student support issues as described above.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All client data are stored in an Amazon Web Services (AWS) Relational Database Service instance that is secured using AWS recommended best practices such as encryption at rest, encryption in motion, automated password rotation, and limitation of access. Access control limits access to client data to users authorized by the client and to Intellispark staff who have signed confidentiality agreements and who have a need to access those data to support client users.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

IntelliVOL

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. IntelliVOL provides access to x2VOL. a program that allows students to track and report community service hours, service learning hours, work based learning or CTE hours and experiences. PII is used to create user accounts for students and admins. PII is used to allow users (students) to record their volunteer hours. PII is used to allow users (admins) to view and approve volunteer hours.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE's option

and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Physical Safeguards
  • Alarm systems and intrusion detection are used to protect electronic information systems and building equipment from unauthorized intrusions.
• Administrative Safeguards
  • Designated security officers are assigned to be operationally responsible for assuring compliance to security policies.
  • Security risk management used to identify and implement security measures to reduce risk to a reasonable and appropriate level based on the covered circumstances.
  • Security incident response used to respond to an incident preserving evidence; mitigating, to the extent possible, the situation that caused the incident; documenting the incident and the outcome; and evaluating security incidents as part of ongoing risk management.
  • Password policies used to safeguard information. All users are given guidelines for creating passwords and changing them during periodic change cycles.
• Technical Safeguards
  • Server Firewalls used to guard against unauthorized access to electronic data.
  • Data Encryption used to convert PII into encoded data
  • Secure Authentication used to ensure that a person is who he or she claims to be before being allowed access to x2VOL website.
  • Data Loss Prevention implemented using daily rolling backups used to prevent the loss qt any user data

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Internationals Network for Public Schools

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 - 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Internationals Network for Public Schools provides contracted professional development and support services to the 15 NYC-based International High Schools and 1 Middle school that fall under the NYC Department of Education. All services focus on academic success of English Language learners who are enrolled in those schools. Services include workshops, professional development one-on-one and in small groups, curriculum development, working groups, professional learning communities and leadership development and support. Data compiled by Internationals Network for Public Schools are used exclusively for program improvement and support of individual NYC public schools. Internationals Network for Public School does this through the analysis of student enrollment, student attendance, overall GPA, credit accumulation, grade advancement, test scores, graduation rates and discharge rates data. This analysis supports school leaders and educators in the implementation of educational procedures and processes that help advance curricular and instructional goals within our network of schools in NYC with services listed below:

• Professional development with teachers, school leaders, counselors, instructional coaches and parent coordinators
• Strategic data check-ins and inquiry sessions with school leaders.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data is kept in password-protected files accessible only by authorized staff members who have been vetted and fingerprinted by the NYCDOE and our organization. At no time will any data be bought, sold or transmitted to vendors for commercial purposes.

Several administrative, technical and physical procedures are used to ensure that Student PII data is protected. For one, the use of data with student identifiers is restricted to staff working directly with that school to support individual students, and whenever possible, aggregated data are preferred to student level data when sharing program data internally. Internationals Network accesses data from NYCDOE ATS/STARS system. Internationals Network stores this data in Google Drive to fulfill the programmatic services. Google Drive is only used to store this data. Data stored is password and access restriction protected. No confidential data may be shared with any personal account. Outside of explicitly utilizing Google Drive for storage, we do not grant access to restricted folders containing student PII, with Google employees. Data stored is password and access restriction protected. No confidential data may be shared with any personal account. Student PII are never shared via email attachments nor via “public to the web" sharing methods. Other physical safeguards are taken regarding Student PII data access by ensuring data is never saved to a personal machine or unauthorized storage device. Furthermore, Virtual Private Networks (VPNs), are used as an additional layer of security if and when needing to access student PII data remotely via a non-INPS and/or Staff secured internet connection. When needed, authorized storage devices are obtained from the technology team. Furthermore, where printouts are made with student PII they are shredded immediately after use.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Intervene K-12

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Intervene K-12 provides high-dosage tutoring using Software-as-a-Service (SaaS) suite tailored for educational intervention. Our platform offers a range of features, encompassing pre and post assessments, progress monitoring, data reporting, bilingual support, career exploration/readiness, and social-emotional learning assistance. We specialize in delivering targeted online tutoring support in key academic subjects such as reading, math, science, and social studies, catering to students across grades K-12.

PII is used to provide individualized coursework to users of the Intervene platform, enabling tailored instruction based on the unique needs of each participant. During platform use, PPI allows for strategic grouping of students and connection to appropriate support structures. PII will also be used to provide tutors with detailed insights into individual learning needs, enabling them to tailor interventions, allocate resources efficiently, monitor progress, and make informed decisions for continuous improvement.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS, Microsoft Sharepoint.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Ensuring the utmost protection of student privacy is a paramount commitment at Intervene K-12. We prioritize this responsibility by implementing robust safeguards to thwart security incidents, including unauthorized disclosure and phishing attempts. All education data stakeholders and users are expected to uphold the same level of diligence in safeguarding sensitive information.

Intervene K-12 employs a multi-layered approach to secure Personally Identifiable Information (PII), stored in a dedicated Microsoft Sharepoint site exclusively designated for student PPI. Access to this site is strictly controlled, limited only to authorized personnel. Our staff undergoes a thorough authorization process before gaining access.

Furthermore, stringent controls are in place for the AWS administrative console, back-end  infrastructure, servers, and databases. Least permissive principles guide the implementation of security policies on login accounts, ensuring only essential access is granted. Network access is restricted to necessary ports, and backend servers are housed on a private subnet. Industry-standard encryption algorithms are utilized to encrypt data both at-rest and in transit.

To combat vulnerabilities, regional restrictions, and potential denial-of-service attacks, a Firewall is deployed. Server access is exclusively granted to technical administrative staff. Role Based Access Control (RBAC) is implemented in administrative sections of the platform, restricting access based on roles, such as Intervene staff, teachers, district administrators, and students. Audit logs and Quality Assurance processes rigorously validate the effectiveness of these restrictions, ensuring they function as intended.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Intrado (for SchoolMessenger)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Data is stored in School Messenger databases for the express purpose of allowing school and district administrators to contact parents / guardians with helpful information about their student. Lntrado makes no use of the data internally.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor. lntrado's instance of AWS is used to house SchoolMessenger Communicate and lntrado's instances of Microsoft Azure are used to house SchoolMessenger Presence and SchoolMessenger CustomApp.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All SchoolMessenger solutions are built to adhere to industry and security best practices. All session information (including data exchanges between school/district systems and the Schoo Messenger service) is protected by 256-bit SSL encryption (TLS 1.2). All data is encrypted at rest (using an AES cipher). Further, direct access to the hosts is protected by SSL and SSH and no clear channel connections are allowed. Further, SchoolMessenger separates all customer data into separate logical secure database partitions. Database access requires authorization via a separate authentication server.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Irvin Simon Photographers

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. School portraits, yearbook publishing services. In preparation for Picture Day, Irvin Simon requires certain roster information (i.e. name, grade, class, email address) from your school. This data is used to produce and deliver portrait-based products and services needed for schools’ administrative purposes and/or for use in the school yearbook (the “School Service Items”), to deliver Picture Day notices on behalf of schools, and to provide parents of students photographed opportunities to purchase portraits.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Irvin Simon uses a variety of safeguards to protect School Data. Irvin Simon has implemented a variety of physical, technical, and organizational security measures to help protect School Data from unauthorized access and use.

Facilities: Irvin Simon data, including School Data, is maintained in cloud-based storage or in our on-premises data center that meet or exceed industry standards for cybersecurity. All facilities and systems are protected by strong physical security controls such as restricted role-based access, ID cards, and video monitoring. We have a secure backup process and utilize high availability systems and equipment to maintain availability.

Networks: Devices storing or providing access School Data are protected with the same multi-layered security strategies that we use to protect Irvin Simon’s sensitive and confidential business records. Image databases supporting our photo processing labs and websites are separated from associated data files containing identifiable information, all databases are protected by firewalls, monitoring, vulnerability scanning, and authentication procedures. We apply instruction prevention methods and perform regular network penetration testing and code scanning on a periodic basis using both internal and authorized third party testing services and our systems enable secure transmission of School Data from and to the Irvin Simon network with encryption technologies. School Data is segregated from other databases in our systems and is securely disposed of when no longer needed. Devices or media containing or accessing School Data are password protected and encrypted and stored in secure, locked areas when not in use. Laptops and tables used by our field are also protected by software that, in the event of theft, notifies Irvin Simon immediately if the device is connected to any network and allows Irvin Simon to remotely erase the device.

Personnel: Irvin Simon’s policy is to collect, use, and disclose personal information only in ways that are consistent with our respect for an individual’s privacy. We require Irvin Simon employees to sign confidentiality agreements as a condition of employment, and we provide training on the appropriate use and handling of School Data. Access to School Data is limited to those who need it to perform their jobs. We also take appropriate measures to enforce these policies.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

ISingapore Match

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2024 – 6/30/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The purpose of the E-Singapore Math web application (https://esingaporemath.com) is to facilitate personalized learning, enabling students to master mathematical concepts in K-5 at their own pace. By leveraging the Singapore Math approach, known for its effectiveness in developing critical thinking and problem-solving skills, E-Singapore Math helps bridge learning gaps, making it an ideal resource for remediation and enrichment. E-Singapore Math provides teachers with data-driven insights and detailed analyses of student performance, allowing for targeted intervention and improved educational outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and Namecheap Inc.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ISM implements several administrative and technical measures to protect Personally Identifiable Information (PII) and mitigate data privacy and security risks. Subcontractors are trained on state, federal, and local regulations, including New York State Education Law 2-d, and are required to sign Non-Disclosure Agreements (NDAs) before accessing PII. All data is encrypted both in transit and at rest, and system access is restricted through role-based access controls. Continuous monitoring is in place to detect suspicious activity, while accounts are secured with strong password protection, including automatic lockouts after six failed login attempts. Data is backed up daily on Amazon Web Services (AWS) to ensure recovery in case of data loss. 

ISM’s incident response plan allows for the prompt identification, containment, and reporting of breaches, while its data deletion policy ensures that all data is permanently erased upon contract termination.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

IXL Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

• Wyzant: As the largest and most widely used tutoring service in the United States, Wyzant helps learners and administrators get results that matter. Founded in 2005, Wyzant has a community of over 65,000 educators and professionals offering students personalized high-dosage tutoring in more than 300 subjects, including math, English, and science. The Importance of PII for Wyzant is that Student basic information (Name, Grade Level, and/or Class) is needed so that educators can identify specific student data for the purposes of knowing how best to support the student's educational needs.
• IXL Math: NYS Next Generation P-12 Learning Standards aligned. On IXL, students receive the support they need to reach any math milestone. While learning, immediate feedback and step-by-step answer explanations help them quickly understand and correct their mistakes. When students are ready to tackle something new, IXL Recommendations offers personalized skill suggestions that help them strive for mastery, address trouble spots, and more. With IXL, students become active and engaged learners, equipped with the tools they need to excel. The Importance of PII for IXL Math is that individual student Math assignment data collected is under their basic information (Name, Grade Level, and/or Class) so that educators can identify specific student data for the purposes of knowing how best to support the student's educational needs.
• IXL Language Arts: IXL Language Arts is NYS Next Generation P-12 Learning Standards aligned bringing the fundamentals of writing to life in a personalized, engaging environment that features interactive questions, fun visuals, and playful content. Students encounter rigorous questions adapted to their abilities, allowing them to engage with reading comprehension, grammar, word choice, and composition in new and exciting ways. Whether you are teaching students the basics of phonics or helping them understand complex ideas like writing style and tone, IXL supports you. Crucial skills are broken down into adaptive building blocks to ensure understanding and reinforce critical thinking outside of reading instruction. Your students will learn to weigh the subtleties of any text, as well as develop the language mechanics to express their own unique voices. The Importance of PII for IXL Language Arts is that individual student Language Arts assignment data collected is under their basic information (Name, Grade Level, and/or Class) so that educators can identify specific student data for the purposes of knowing how best to support the student's educational needs.
• IXL Science: IXL's in-depth content covers hundreds of skills and is aligned to the Next Generation Science Standards and NYS standards, providing support to teachers for any science curriculum. With compelling, interactive skills, IXL drives mastery of:
  • Physical science: properties of matter, force and motion, energy and heat, atoms and molecules, electricity and magnetism, chemical reactions, waves.
  • Life science: plant and animal systems, genetics, life cycles, ecosystems, traits and adaptations, cells, natural selection, conservation.
  • Earth science: fossils, weather and climate, rocks and minerals, plate tectonics, astronomy, natural resources.
  • Plus science literacy, experimental design, engineering practices, units and measurement, and much, much more! The Importance of PII for IXL Science is that individual student Science assignment data collected is under their basic information (Name, Grade Level, and/or Class) so that educators can identify specific student data for the purposes of knowing how best to support the student's educational needs.
• IXL Social Studies: NYS Next Generation 2-8 Learning Standards aligned. IXL offers crucial tools for understanding history-including primary sources, maps, and data sets-in a fresh, expansive format that ignites students' enthusiasm for social studies. Topics include:
  • Geography: oceans and continents, countries and regions, U.S. states and capitals, letter-number grids, latitude and longitude
  • U.S. history: colonial period, Revolutionary War, Civil War, the Great Depression
  • World history: ancient civilizations, Greece and Rome, Middle Ages, Renaissance, Early Americas, Age of Exploration
  • Civics: the three branches of government, checks and balances, state and local government
  • Economics: natural resources, costs and benefits, supply and demand, trade and specialization
  • Plus economics, historical figures, holidays and cultural celebrations, and much, much more! The Importance of PII for IXL Social Studies is that individual student social studies assignment data collected is under their basic information (Name, Grade Level, and/or Class) so that educators can identify specific student data for the purposes of knowing how best to support the student's educational needs.
• IXL Analytics: IXL's reports are flexible, helping you uncover student data at every level. Get a full overview of school-wide trends, or drill down into grade or classroom level data - and teacher-level insights to assess progress and growth for individual learners. No matter what data you need, IXL's reports enable you to make meaningful decisions in every situation. IXL Analytics are a series of reports educators can run to analyze the progress students are making within IXL as they are working through the subject skill questions that have been assigned to them. These reports aggregate student data showing progress towards grade level standards in Math, ELA, Science, Social Studies and Spanish. Educators can then use this information for targeted instruction, small-group instruction, or one-on-one work with students. What is more, IXL Analytics allows teachers to monitor students' work on a given skill in real time, thus making this formative component an ideal tool for both differentiated instruction. The Importance of PII for IXL Analytics is that Student basic information (Name, Grade Level, and/or Class) is needed so that educators can identify specific student data for the purposes of knowing how best to support the student's educational needs.
• IXL Spanish: With IXL, students build Spanish fluency in a supportive environment that allows them to learn at their own pace. Our skills focus on making learning both purposeful and relevant. Students apply grammar and vocabulary to real-world scenarios and interact with more than 1,000 words in dozens of different contexts. Topics like verb conjugation and prepositions get a fresh spin with interactive question types, fun visuals, and intriguing narratives. We put the joy of learning a new language front and center as students discover a whole new way to communicate. The Importance of PII for Spanish is that individual student Spanish assignment data collected is under their basic information (Name, Grade Level, and/or Class) so that educators can identify specific student data for the purposes of knowing how best to support the student's educational needs.
• Real Time Diagnostic: IXL's Real-Time Diagnostic quickly assesses students' grade-level proficiency, and provides you and your teachers with insights that help you 1) Get data you would normally receive from NYS assessments, 2) Determine student placement in programs, 3) Meet each student's needs with personalized learning plans. IXL Real-Time Diagnostic assesses students across concepts in the K-12 curriculum and delivers up-to-the minute insights on their grade-level proficiency in math and English language arts (ELA). Using these insights, IXL creates personalized action plans that guide every learner to the exact skills that will help them grow. To measure a student's knowledge levels, the Real-Time Diagnostic applies item response theory (IRT) models to estimate the numeric scores for a set of strands (i.e., a broad category of skills). For math, the strands include (a) Numbers & Operations, (b) Algebra & Algebraic Thinking, (c) Fractions, (d) Geometry, (e) Measurement, and (f) Data, Statistics, & Probability. For ELA, the stands include (a) Vocabulary, (b) Grammar & Mechanics, (c) Reading Strategies, and (d) Writing Strategies. The overall diagnostic scores for math and ELA are weighted averages of the strand scores. The Importance of PII for Real Time Diagnostic is that Student basic information (Name, Grade Level, and/or Class) is needed so that educators can identify specific student data for the purposes of knowing how best to support the student's educational needs.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE's option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services (AWS} (a cloud hosting and data analytics provide), Century Link (used for telecommunications), Google G Suite (a cloud computing, productivity and collaboration tool} and Salesforce Inc. (a Customer Relationship Management (CRM) Solution); and using an entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We have implemented a variety of physical, administrative and technological safeguards designed to preserve the integrity and security of the personal information we collect and to protect against unauthorized access to data. These include internal reviews of our data collection, storage, and processing practices and security measures, as well as physical security measures to guard against unauthorized access to systems where we store personal data. We restrict access to personal information to IXL employees, contractors, and agents who need to know that information in order to operate, develop, or improve our services. Details are further outlined in our Data Processing Addendum. IXL provides encryption for customer data as follows:

• Network connections to IXL' s production environment utilize Transport Layer Security (TLS) or Secure Shell (SSH);
• All data stored in IXL' s production environment is encrypted at rest using AES-256 bit encryption; and
• All data stored on IXL-owned laptops is encrypted at rest. IXL employs automated log collection and audit trails for production systems.
• Connections originating from untrusted networks segments will be governed by firewall rules and other security safeguards that grant the minimal access required to access the intended service provided by the company.
• System passwords and access keys are stored in a privileged location accessible only to IXL security administrators, and all credentials are changed from factory default settings.
• Production systems receive regular maintenance to apply security patches; and
• Physical access to systems requires security RFID badges and biometric authentication, and is limited to IT staff performing physical maintenance.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

I’RAISE Girls & Boys International Corporation

Type of Entity: Community-Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. I’RAISE Mental Health Program provides clinical therapy and mental health services to students in grades K-12. Licensed clinicians and therapists need to have access to student academic records and psychological records (if applicable) in order to provide therapeutic treatment and mental health services to students.

It is necessary for I’RAISE to receive and access student PII for the purposes of conducting counseling services. This type of service requires clinicians to effectively assess and treat participants of the program.

As part of I’RAISE process, our clinicians/therapists collect the following information:

• Student academic records
• Student psychological records maintained by the DOE.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Cloud; and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The agency maintains and stores all student PII information in a manner consistent with the New York Child Data Privacy and Protection Act, S9563. The agency stores all student electronic and physical records in a manner consistent with the Health Insurance Portability and Accountability Act of 1996 (HIPPA).

Physical Safeguards – I’RAISE stores student PII in a locked file cabinet on each school site; this includes student academic, counseling, and psychological records. Only I’RAISE personnel authorized to access student PII has access to these secured filed cabinets onsite.

Technical Safeguards – I’RAISE therapists upload electronic copies of student PII into the company cloud owned by the agency. The cloud is password protected and only authorized personnel (therapists treating students) have access to the student’s PII. The agency has an active business associate agreement with Amazon cloud service which ensures the safe and secure storage of our students PII.

Administrative Safeguards – I’RAISE Clinical Deputy Director is responsible for overseeing and ensuring the safe and secure storage of student records and student PII. The Clinical Deputy Director conducts monthly audits of student PII to ensure all safeguards are in place and to mitigate any potential data privacy and security risks. To mitigate data privacy and security risks, the Clinical Deputy Director trains and manages the authorized personnel (therapists and social workers). Additionally, I’RAISE IT Director conducts monthly security checks of the agency and checks for any potential security and privacy risks. The IT Director works alongside the Clinical Deputy Director to ensure the agency is in compliance with the safe and secure storage of students’ PII in a manner that aligns with the New York City Department of Education.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Jewish Child Care Association of New York (JCCA)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2023 – 6/30/2024.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. JCCA provides comprehensive care to thousands of children, young people and families who come from New York’s diverse communities. Since 1822, we have embraced those who need us most — abused, neglected and traumatized young people who are struggling with poverty, developmental disabilities and complex mental illness.

The Learn to Work (“LTW”) program is dedicated to providing academic and socioemotional support, pre-employment skills, and opportunities to NYC youth enrolled in Transfer High Schools or YABC’s. In order to provide the services in the LTW program, it is necessary to access PII to register youth, determine student needs and goals, monitor progress and provide ongoing related services for the duration of the LTW student enrollment.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Anti-virus software is installed on all JCCA computers and servers. Virus update patterns are updated daily on the JCCA servers and workstations. Virus update engines and data files are monitored by appropriate administrative staff that is responsible for keeping all virus patterns up to date. Procedures are defined for implementation of anti-virus tools. JCCA utilizes appropriate network-based and host-based intrusion detection systems.

User IDs and passwords are required in order to gain access to all JCCA networks and workstations. All passwords are restricted by a corporate-wide password policy. Passwords shall not be shared with any party, must be kept confidential, and may not be written down on paper. Passwords are masked or suppressed on all online screens, and are never printed or included in reports or logs. Passwords are stored in an encrypted format.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Jigsaw Learning (for TeachTown)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. TeachTown provides standards-based core curriculum for students with moderate to severe disabilities. The student emails and names are needed in order to make them individual accounts to track progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS in the US.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. TeachTown is committed to maintain strong privacy and security protections. The privacy and security of this information is a significant responsibility, and we value the trust of our students, parents, and staff. TeachTown secured a Chief Information Security Officer (CISO) and Chief Data Privacy Officer in 2021. TeachTown’s Privacy Program is responsible for creating, maintaining, communicating, and enforcing a comprehensive privacy control environment to ensure the company meets its legal, contractual and other organizational requirements for Processing Personal Information. TeachTown complies with its responsibilities under all applicable state and federal laws and regulations that protect the confidentiality of personally identifiable information and Student Data, including the Federal Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. 12329(g); Children’s Online Privacy Protection Act (COPPA), 15 U.S.C 6501-6502; Protection of Pupil Rights Amendment (PPRA), 20 U.S.C 1232; and applicable State laws governing the protection of personally identifiable information from students’ educational records (“Student Data”), including New York Education Law Section 2-d and Part 121 of the Commissioner’s Regulation.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Jostens

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Jostens prints and publishes the yearbook that the school/students create and assists the school with sales of that same yearbook. Data is received from the schools on a yearly basis coincidental with the beginning of a new school year), with that data only being used for that respective school year. All communications sent by Jostens regarding sales are preauthorized and preapproved by the school before being sent and are only sent to the parents (using data obtained by the school) of the students attending that school who would be interested in buying their student(s)’ yearbook for that year.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Information is only accessible by those necessary to perform per the Agreement. Onboarding and annual training for anyone with access to PII includes training on privacy/proper handling of PII. Per Jostens Cybersecurity Compliance Program:

• Jostens will protect the confidentiality, integrity, and availability of data and systems, regardless of how the data is created, distributed or stored. Jostens security controls are tailored accordingly so that controls can be applied commensurate with the risk and sensitivity of the data and system, in accordance with all legal obligations.
• Jostens establishes responsibility for managing information privacy and data security controls for handling sensitive Personally Identifiable Information (PII). Jostens ensures PII is collected, used, stored, transferred, and destroyed according to privacy requirements.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

JumpRope

Type of Entity: Commercial Enterprise

Contract/Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. JumpRope collects and processes Protected Information input by NYC DOE teachers and administrators for the exclusive purpose of providing the NYC DOE with the services and support to which NYC DOE has subscribed via the Agreement. NYC DOE determines the type and scope of Protected Information it houses on JumpRope and how such Protected Information is used on JumpRope. JumpRope does not collect any Protected Information directly from the end user. School administrators and teachers may input Protected Information into JumpRope about themselves or about students enrolled with NYC DOE. Examples of Protected Information NYC DOE might input on JumpRope includes student name, birthdate, grade level, home address, and parent or guardian contact information, attendance-related information, student grades, and student-related comments that are associated with grades. NYC DOE may house and process Protected Information on JumpRope in a variety of ways to achieve NYC DOE’s gradebook, curriculum and development goals.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. As part of JumpRope’s Information Security Program, JumpRope protects data using a series of industry-standard encryption and data security safeguards. Company policy requires the use of only proven, standard algorithms as the basis for encryption technologies. All keys used for encryption and decryption must meet complexity requirements described under Password Security. The company reviews algorithms, key length, and complexity annually and upgrades as technology allows. Users accessing JumpRope’s information systems must be properly authenticated with a strong encryption method invoked prior to their password being requested. Company policy requires that passwords are never stored online without encryption. All mobile devices containing stored data must use an approved method of encryption to protect data at rest. Laptops must employ full disk encryption with an approved software encryption package. No Protected Information may exist on a laptop in cleartext. Depending on the method of transmission and recipient of the data, Protected Information will be encrypted using appropriate protection methods such as Rights Management Services (RMS) or password protected using strong password methodology and transmitted only via JumpRope devices.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.

Jupiter Ed

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Jupiter Ed is an online Gradebook, Learning Management System (LMS) and Student Information System (SIS). Our LMS includes our gradebook, remote learning features, online assignments and tests, including an online essay grader. There are messages (email and text) and discussion forums for teacher/parent and student communication. The student information system module also includes report cards, transcripts, attendance, discipline records and scheduling. Schools can also select online enrollment and online payment modules. Our products can be used with students from pre-school through high school levels. We also offer both in-person and online teacher and administrator trainings. Schools have the option to enter PII into Jupiter but it is not required. See a detailed list of each module here: https://jupitered.com/modules.php.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Jupiter stores PII on dedicated servers, not shared infrastructure.
• Jupiter encrypts PII in transit using industry standard SSL technology.
• Jupiter encrypts data at rest using industry standard HDD encryption.
• Jupiter employs intrusion detection software to safeguard critical infrastructure.
• Employee access to Jupiter servers is managed via VPN.
• PII is transmitted across infrastructure using encrypted channels, never via “thumb drive”, email, or other insecure method.
• Jupiter uses automated systems to destroy PII when a customer has not renewed their contract. No manual action by staff is required.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Justice Innovation (also called Center for Justice Innovation)

Type of Entity: Community Based Organization

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Center for Justice Innovation is a non-profit dedicated to justice reform. We design, implement, and run programs within and alongside communities emphasizing local leadership, community empowerment, prevention, equity, and safety. Our Restorative Practices team plans to support schools to implement restorative justice practices aiming to positively shift school culture and climate. As schools seek to move away from punitive responses, we will support schools interested in using restorative approaches as an alternative. Additionally, we will lead professional development sessions and work alongside staff who wish to use restorative approaches in their classes or student clubs to establish and sustain a positive school culture and climate. We do not require access to PII, however it is possible that while interacting with teachers and students throughout the program we may receive access to protected PII such as student names. Our staff will adhere to all legal requirements to protect student PII.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The Center’s policies are designed to ensure that client information is protected. All client files are maintained in a secure database and only staff with specific permissions can have access to information in the database. Any electronic datasets are stored on a secure password protected network drive accessible only to project staff. Mandatory training is provided to all staff on the requirements and importance of the agency’s confidentiality policy. Client information, records, and data are not disclosed by the Center to any person, organization, agency, or other entity except as authorized by law. Our database management systems support the creation of user accounts, roles, user group security and permissions based on programs’ protocols. We maintain clients’ data confidentiality by creating the specific workgroups and security organizations in database systems. We practice Universal Precautions/Standard Protocol & Procedures and comply with any and all Federal, State, City and the Center’s confidentiality, privacy, and security laws, specifically including, but not limited to, HIPPA. We use appropriate safeguards to prevent use or disclosure of the PII and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentially, integrity, and availability of the electronic PII.   

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

K Systems Solutions

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 10/23/2023 – 10/22/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. KSS will provide a consultant who will be working on The NYC School Transportation Modernization Project as part of OPT operations’ Planning and Innovation team. This project will solve problems for caregivers, students, school administrators, drivers (external stakeholders) and OPT staff (Internal stakeholders). This is an extensive business process reengineering initiative involving change in business processes, use of new products and replacing of old applications.

The consultant will provide deliverables including but not limited to: Managing, monitoring, tracking milestones. Additionally, the consultant will be collecting, maintaining, and revising requirements. Lastly, the consultant will be testing, training, and releasing projects. PII will be obtained and maintained during the requirements gathering process. Also, PII will be accessed during testing and training initiatives. The consultant will also potentially be exposed to PII during various project meetings.

Type of PII that the Entity will receive/access: Student PII. “It’s possible that the Staffing Consultant will also have access to the PII for the following groups: caregivers, students, school administrators, drivers (external stakeholders) and OPT staff (Internal stakeholders).”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “The on-site consultant represented by K Systems Solutions will only be accessing data.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• In our policy, we have reiterated that the employees must read and understand the data privacy and procedure in safeguarding all sensitive information in compliance with the US law (see the Information security policy).
• Regular Auditing and Monitoring: Monitor systems and networks for unusual activities or unauthorized access. Regularly review access logs, audit trails, and security alerts to detect and respond to threats.
• All employees undergo mandatory data privacy and security training upon onboarding and annually thereafter. Making data privacy and security training a mandatory component of the onboarding process is crucial to ensure that all employees are equipped with the knowledge and awareness needed to protect sensitive information.
  • All employees must be trained in the following key data privacy regulations: FERPA and NY Education Law 2-d, etc.
  • Employees will be provided with a comprehensive training module that covers key topics such as data classification, access controls, encryption, incident reporting, and compliance with relevant regulations.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “The on-site consultant represented by K Systems Solutions will only be accessing PII.”

K-5 Math Teaching Resources

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. K-5 Math Teaching Resources LLC (K-5MTR) provides math consulting and professional development focused on increasing teachers’ and administrators’ pedagogical and conceptual understanding of the teaching and learning of mathematics. Our work is deeply rooted in current educational theory and practice, and in the principle that high quality teaching begins with the teacher's own deep subject matter knowledge. K-5 MTR consultants use a variety of research-based and evidence-validated professional development methodologies designed to deepen content knowledge and refine teaching practices, with an expectation that reasoning and making sense will be priorities of both teaching and learning. As part of this work, K-5MTR consultants may view individual, class and school-wide assessment data while leading math professional development in schools with teachers and administrators. Reviewing this information is necessary in order to study patterns in data, plan next steps and ensure that instruction is differentiated in response to student needs.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “No PII is stored by K-5MTR consultants.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. K-5MTR consultants may view individual, class and school-wide assessment data assessment data while leading math professional development in schools with teachers and administrators. PII assessment data is accessed by Principals, Assistant Principals and teachers using their @schools.nyc.gov accounts and does not leave NYCDOE servers. K-5MTR consultants may view this data on DOE machines while visiting schools but do not directly access or store student data as they do not have @schools.nyc.gov accounts. NO data is removed or stored away from DOE systems. Safeguards to keep this data safe (e.g. data encryption, physical servers) are controlled by the NYCDOE. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Kahoot!

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Kahoot! is a game-based learning platform for schools, organizations and families that  makes it easy to create, share and play fun learning games in minutes. Kahoot! will process PII (including: teacher account data, such as names, email addresses, username, organization, picture/avatar, and title) as required to deliver the service to the customer. We use such information only to provide the services, such as to permit the host (teachers) to interact with players (students) and track their progress over time. A host may permit students/players to share information with others, such as with other players/students in the same organization or group.

The data is submitted by the customer/users directly into the Kahoot! service or collected automatically. The data is used only for the purposes of delivering the Kahoot! service to the customer. For Kahoot!’s processing of personal data as a controller, please refer to our Privacy Policy.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor. [Email studentprivacy@schools.nyc.gov for information about the specific cloud providers]

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Security is one of our top priorities as a business. For more information regarding our technical safeguards and practices, please see below:

• Controls, Policies & Procedures. Appropriate technical and administrative controls, and organizational policies and procedures.
• Named person in the role as a dedicated Chief information security officer (CISO) with focus on security in all areas of the Kahoot! business.
• Access Authorization. Access controls for provisioning users, which shall include providing Customers mechanism to view Customer users and their access privileges for licensed users.
• Logging. System and application logging where technically possible. Kahoot! retains logs for a maximum one (1) month, verify such logs periodically for completeness.
• Malicious code and/or software. Malware prevention software (e.g. antivirus) is implemented on infrastructure where applicable. Using Kahoot! does not demand any Customer hardware installment. Users can choose to install App on mobile devices.
• System Security. System and IT security controls at Kahoot! follows industry best practices, including: (i) A high-level diagram, which will be provided to Customers upon request; (ii) Kahoot! use a mix of industry standard cloud and software firewalls to dynamically limit external and internal traffic between our services; (iii) A program for evaluating security  patches and implementing patches using a formal change process within defined time limits; (iv) Kahoot! Runs continuous penetration testing by an independent third party, with a detailed written report issued annually by such third party and provided to Customers upon request; (v) Documentation of identified vulnerabilities ranked based on risk severity, and corrective action according to such rank.
• Asset Management. An asset management policy is kept current, including asset classification (e.g., information, software, hardware).
• Kahoot! runs regularly cross company Risk Assessments to ensure potential risks are identified and managed.
• A Password policy and controls are implemented to protect data, including complexity requirements and multi factor authentication where available.
• Kahoot! uses sub-processors to strengthen the scalability. All subprocessors hold the highest level of security and have current certifications for, among others, ISO27001 and SOC2 Type 2.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Kaplan K-12 Learning Services (for DREAM program)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 1/1/2022 – 12/31/2028

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Kaplan works with the NYC DOE Office of Equity and Access to support the DREAM program, and its students and teachers. For the SHSAT prep program beginning early July 2022, Kaplan will SHSAT prep books, Kaplan SHSAT Practice Test kits and assessment reporting. PII (i.e. OSIS number) will be used for reporting assessment results.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor: Amazon (AWS)

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Kaplan will maintain compliance with all state, federal, and local data security and privacy requirements through implementation of security controls governed by an Information Security Management System (ISMS) that is based on ISO 27001 requirements.
• The following security controls, governed by the ISMS, are in place to protect the Pl it will receive under the contract:
  • Strong access controls, including utilization of unique usernames (in this case, the student number), strong password requirements, and requirements for heightened privileges (which are reviewed on a regular basis) to access the backend system for in-scope activities;
  • Protection of data at rest within the AWS environment using best practices encryption standards and algorithms in compliance with ISO 27001 standards. Such data encryption includes use of 2048-bit RSA encryption, utilization of AWS KMS for key management (creation, management, and destruction), and protection of key exchange standard integrity through the use of security certificates created and maintained within the AWS environment using AWS's CMS;
  • Protection of data in transit using similar industry-recognized best practice encryption standards and algorithms in compliance with ISO 27001 standards. This includes strict usage of TLS 1.2 or better with HTTPS. Data that is in transit within Kaplan's environment (e.g., from the AWS instance to Kaplan employees) is protected through use of an encrypted-tunnel VPN;
  • Protection of network and other communication channels through a zero-trust network design with micro-segmentation principles; such design is created through utilization of Zscaler's zero trust network technologies, implementation of advanced firewalls (including web application firewalls and NGFWs), and creation and use of DMZs (using Zscaler's proxying technologies coupled with installed firewalls); Kaplan also requires use of an encrypted-tunnel VPN (AES-256 encrypted P2P tunnel) with MFA for remote access;
  • Physical and environmental controls managed by AWS that are in compliance with ISO 27001, SSAE 18 SOC 2 Type 1 and Type 2, and other industry standard requirements; and
  • Constant vigilance over its systems through use of in-depth logging and monitoring practices, utilities, and software. Kaplan's assets, networks, and users are monitored through collection and analysis of log data in Alertlogic SIEM and other utilities, including Orea, Qualys, and Crowdstrike. Kaplan also uses AlertLogic, Orea, Qualys, and Crowdstrike socs to monitor Kaplan's environment and alert Kaplan's information security teams to potential malicious activity. Alerts from these organizations are reviewed by Kaplan's SecOps team immediately; logs collected are reviewed on a daily basis as well.
• Kaplan's ISMS serves as the framework for implementing security controls that ensures compliance with New York State Education Law§ 2-D and the NYC DOE's Parents' Bill of Rights for Data Privacy and Security. In general, maintaining a data security and information privacy program that is based on ISO 27001 controls ensures that Kaplan maintains compliance with all major international, national, state, and local laws, regulations, and standards. More particularly, the ISMS and associated security controls listed above as well as the further security controls placed on Kaplan's systems, networks, and data ensure that the rights prescribed in the Parents' Bill of Rights for Data Privacy and Security are protected and provided to NYC DOE. Beyond the security controls listed above, Kaplan also maintains a data privacy mailbox through which data access requests can be made. Kaplan privacy officers will review the requests against what is allowed by the Parents' Bill of Rights for Data Privacy and Security as well as what is allowed by New York state law, US federal law, and international law, and provide access, allow for changes and/or deletion, and other activities permitted by these legal and regulatory sources.
• Kaplan's use of AWS and the security controls in place as governed by Kaplan's ISMS allows for continual data backups placed in hot standby for immediate availability within the AWS environment. Snapshots of Kaplan's applications and data are taken throughout the day and stored concurrently in multiple secondary/fallback AWS data center locations. Confidentiality, integrity, and availability are therefore ensured through this backup and immediate availability scheme taken together with Kaplan's access controls, encryption protocols, and other security measures.
• Kaplan requires extensive training for its personnel who will be interacting with or handling in­ scope data or systems. Such training covers, inter alia, the following topics: proper data labeling and handling; proper use of Kaplan assets (including use of Kaplan workstations, remote access to Kaplan's systems, and general acceptable use policies); maintaining compliance with applicable international, national, and local information security, data privacy, and other laws, regulations, industry standards, and contractual obligations. Such training is provided in general form during the onboarding process and thereafter throughout the year in more particular form per subject/topic area, culminating in requirements to retake the general course at the two year mark.
• Kaplan maintains strong access controls on all aspects of its environment and ensures such controls are implemented through a vigorous and well maintained user rights management program. The user rights management program is managed, reviewed, updated, and overseen by an internal Identity and Access Management (1AM) team; the 1AM team is in turn responsible for access provisioning and deprovisioning (implemented through AD/Azure AD), privilege reviews (performed through Archer URM software), and ensuring compliance with Kaplan's strict password requirements, amongst other responsibilities. Of particular note, access to in-scope systems that host client data is tightly controlled by Kaplan's 1AM team, with any provision of access privileges reviewed on at least a quarterly basis for heightened privileges and twice a year for all other access.
• Only a select few organizations, third-party contractors, and subcontractors have access to the in­ scope data. The primary subcontractors that will be used in this relationship are used for hosting purposes and legitimate business, legal, and technical activities within Kaplan's environment. They are contractually restricted from accessing the data without explicit authorization from Kaplan.
• Subcontractors for the in-scope relationship are limited to those used to host Kaplan services (e.g., AWS) and those required for internal critical business functions (e.g., legal, business, and technical activities). They are all contractually restricted from accessing in-scope data without explicit written permission from Kaplan.
• In the event of a data security incident, Kaplan follows an incident management procedure that is part of its ISMS. This procedure includes steps for internal alerts, investigations, remediation, and, importantly, communicating information concerning the breach to affected third parties. Such external communications will be performed at the direction of the Vice President of Information Security and Privacy, or as applicable, the NYC DOE, within the time periods required by applicable laws and regulations.
• Kaplan's systems, ISMS policies and procedures, and security controls are tested multiple times throughout the year through external audits, internal audits, penetration tests, and vulnerability assessments. This includes external audits for ISO 27001 purposes; internal audits for purposes of ISO 27001 certification, PCI and SOX compliance, and sound risk management practices; and penetration tests and vulnerability assessments to identify vulnerabilities in Kaplan's systems and remediate those vulnerabilities immediately.
• Data will either be returned to NYC DOE or permanently deleted in accordance with the Agreement.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Kelvin Education

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Kelvin will allow schools to administer and report on the NewSchools Venture Fund Staff and Student surveys.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Heroku Cloud Application Platform and Google Cloud Platform.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Kelvin Education, Inc utilizes processes, procedures, and policies that are in accordance with SOC 2: Type 2 framework. Kelvin framework is supported internally with compliance specialists Secureframe and is audited by Modern Assurance. Please review our included Attachment B – Processor Data and Security Plan as well as Terms of Service and Privacy & Student Data Security Policy for more detailed information. If you have further questions or concerns, please contact Kelvin Security Team at security@kelvin.education.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Khan Academy

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: Contract Start Date coincides with the start date of the contract entered into by the DOE (or school within the NYC DOE school system) for Khan Academy Districts service and contract expires at the end of the school/school district’s subscription to the Khan Academy Districts service.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Khan Academy is a non-profit organization that provides access to a free website located at http://khanacademy.org and related mobile applications (together “Website”), through which it provides educational services, including, but not limited to, educational content, products, and services (together, the "Services"). The Services include a wide range of content and learning activities, including instructional content and exercises aligned to core curriculum, test practice courses, a personalized learning dashboard, and other learning activities and education programs. Access to the Website and educational content is made available for free. Standard features, including account creation and the ability to assign lessons to and monitor learning progress, are also available for free. Content can be viewed without creating an account; however, for most school use, individual user accounts are created for each individual student, teacher, or other user. The accounts may be used for work in the classroom or for at-home learning.

In addition to free standard features, Khan Academy offers supplemental services to school districts and educational agencies to facilitate implementation by the district or agency, under paid subscriptions. These supplemental services include MAP Accelerator, which uses scores from a standardized assessment (known as MAP Growth scores) and the Khan Academy personalized learning system to give each student custom learning paths, while educators get real-time data to inform instruction. In order to provide MAP Accelerator each student is registered with an individual user account on the Website. In addition to providing personalized learning plans specific to the MAP Accelerator, user accounts provide access to all of Khan Academy's content and standard features.

Khan Academy’s use of personally identifiable information may vary based on the services or programs selected, but generally includes use (i) to provide students with individual Website accounts; (ii) to provide adaptive and/or customized learning features of the Service and educational programs offered through the Service; (iii) to allow teachers and other school personnel, and parents and coaches associated with students, to review and evaluate student educational achievement and progress on the Service; (iv) to provide school personnel with insights regarding student learning and (v) to communicate with users regarding use of the Service and provide information regarding educational and enrichment programs.

Parents may learn more about Khan Academy’s services by viewing our terms of service and privacy policy, each of which are available on the Website. Parents are able to establish parent accounts on the Website and to associate the parent account with their child’s account in order to view their child's progress and assist them with at-home learning.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Google.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Khan Academy has established technical and administrative safeguards designed to help protect personally identifiable information from unauthorized access, disclosure, use or acquisition by an unauthorized person, including when transmitting and storing such information. A summary of Khan Academy’s security safeguards are set forth below:

Technical Safeguards

• Khan Academy knows that encryption is key to protecting data. We use industry standard encryption technology to protect data transmitted over the internet. The Khan Academy website is hosted on the Google Cloud Platform, and we rely on Google for server and datacenter security. All data on the Google Cloud Platform is encrypted at rest in accordance with Google’s security practices.
• We limit access to data on a need-to-know basis. Khan Academy uses role-based permissions to limit access to sensitive data and systems to our personnel who need it for a legitimate business purpose.
• We follow industry best standard practices in developing our software.
• Laptops provided to our employees for work purposes are managed to ensure that they are properly configured, regularly updated, and tracked. Our default configuration includes full-disk encryption of hard drives, on-device threat detection and reporting capabilities, and lock when idle for a specified amount of time. All laptops are securely wiped before we re-issue or dispose of them.

Administrative Safeguards

• All personnel are required to follow our Information Security Policy, which specifies how we protect data and comply with our security commitments.
• We employ a variety of methods to assess and manage risk, including policies, procedures, and use of industry standard tools to monitor and protect data and systems.
• Khan Academy has established a vendor management program which includes review of the security controls, privacy and data protection policies, and contract terms of our service providers upon initial engagement and periodically thereafter.
• Khan Academy has an incident response plan in place to identify and address any potential data or security incident.

Personnel

• Our employees are required to complete information security awareness training upon hire and periodically thereafter. Personnel are required to acknowledge and agree to our written information security policy and our employee handbook which, among other things, highlights our commitment to keep Student Education Records and confidential information secure.
• Employees that have access to Student Education Records receive training on applicable federal and state privacy laws.
• Khan Academy employees are screened with background checks prior to their employment with us.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Kiddom

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Kiddom, Inc. is providing a cloud-based software service which enables teachers to instruct students with customizable curriculum served from the Kiddom platform. We receive PII in the form of names and emails during initial setup of class and school rosters, as well as optional guardian/parental names and emails. Our platform also allows students to upload digital files as a part of their school assignments.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We are signatories of the Student Privacy Pledge, and our processes are subject to our privacy policy . PII is scrubbed from any dataset which is used for internal analysis. All disks are encrypted at rest (AES-256, keys are rotated yearly). All data is encrypted in transit (AES-128, certificates are rotated yearly) and at rest. Files are stored encrypted and are protected by permissioning, accessible only to authorized individuals. We follow the NIST Cybersecurity Framework Version 1.1 best practices.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Kids Discover

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Kids Discover Online is a web-based application that offers educators and students access to a growing library of over 2,000 engaging science, social studies, and nonfiction articles, at 3 Lexile ® Reading Levels. Educator and Student PII is only needed/used to authenticate access to certain services that Kids Discover Online provides, such as a virtual Classroom, Gradebook, and Individual assigned Reading Levels. Through Kids Discover Online’s Library Media Plan, no Student or Educator PII is collected nor required in order to use or authenticate the services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Kids Discover Online requires a minimal amount of student data or teacher or principal data. In some instances, Kids Discover Online may not require the collection of any student data or teacher or principal data whatsoever.
  • Collecting a minimal amount of student data or teacher or principal data is the first step in mitigating cybersecurity risk. This in turn simplifies Kids Discover’s management and protection of such data, and requires less Kids Discover personnel that have (and need) access to such data.
• The Personally Identifiable Information that Kids Discover Online may collect is limited to the following student data or teacher or principal data:
  • Student Data PII
    • First Name and Last Name
  • Teacher or Principal PII
    • First Name and Last Name
    • Email Address
    • Job Title or Role
    • School Building Name and Address, including Zip Code
    • Kids Discover Online explicitly prohibits the collection of any other personally identifiable information for any Teacher or Principal that uses the service.
• Student data or teacher or principal data that is collected by Kids Discover Online and used to provide the services are protected in the following ways:
  • Access to any and all student data or teacher or principal data is limited to authorized Kids Discover personnel, and requires company issued credentials that are updated every 3 months. The number of Kids Discover personnel with authorization is limited to individuals that have received proper training, and fully understand their roles and responsibilities.
    • All authorized personnel have received training from IT professionals and senior executives at Kids Discover.
  • Student data or teacher or principal data that is collected by Kids Discover Online is stored in a cloud managed, enterprise grade Microsoft Azure SQL Server Database. The database utilizes the SHA1 hashing algorithm, with a hash sequence of 160 bits in length.
    • Data is automatically backed up every 24 hours.
    • Database capacity is 250GB, more than double the capacity needed to effectively store and run its contents.
    • Kids Discover Online utilizes three different development environments, including a local environment, staged environment, and production environment for both the database and general code base of the platform. This ensures that any testing, enhancements, bug fixes, data handling and/or data conversions are executed in two different test environments before being executed in a production environment (with live data).
    • Data that has been dormant for 12 months is automatically deleted from the database.
      • Data can be deleted within 24 to 48 hours by written request from any School, School District, Educational Agency, or Customer.
      • Data can be provided and delivered to any School, School District, Educational Agency, or Customer within 24 to 48 hours by written request.
  • Kids Discover Online’s database is virtually managed. Updates and upgrades are performed through Kids Discover’s Microsoft Azure account, utilizing Microsoft Azure’s market leading infrastructure and resources.
• Kids Discover utilizes a suite of tools afforded by Microsoft Azure to monitor, detect, and in turn alert Kids Discover personnel of any anomalous activity.
  • Kids Discover personnel are alerted in real-time to anomalous activity based on predetermined thresholds and triggers. Depending on the nature of the anomalous activity and subsequent alert, Kids Discover personnel are clear in their roles and responsibilities in terms of response time and prioritization.
• Once an anomaly is detected, authorized Kids Discover personnel will conduct an investigation.
• Information is then shared to the appropriate Kids Discover personnel, including Kids Discover Management, to determine the depth and magnitude of any further investigations and potential data recovery procedures needing to be conducted.
• If it is determined that an incident such as a data breach has occurred, and that any data may have been effectively altered or compromised from the resulting incident, Kids Discover personnel will then notify any customers, Schools, or Educational Agencies as defined in this document of the nature of the incident, whose data may have been affected.
  • It is important to note that Kids Discover views all customers as partners and will work diligently to communicate transparently to all stakeholders of any issues or incidents that have arisen.
  • Kids Discover will continue to communicate with any customers, Schools, or Educational Agencies until the issue has been resolved and rectified, and both parties agree about the best possible path forward.

Kids Discover will then work to restore, retrieve, correct, and improve any and all affected data, along with the systems, software, hardware, and general processes that resulted in the situation.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Kinvolved (KiNVO)

The exclusive purposes for which Protected Information will be used: KiNVO is an app that is used by educators and administrators to inform parents of a student’s attendance. Educators and administrators can also send contacts information relevant to a student’s education, such as homework assignments, school event, and so forth.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE:  Kinvolved requires subcontractors or other authorized persons or entities to sign non-disclosure agreements and abide by company-driven privacy and security protocols.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: PISI is permanently deleted from Kinvoled’s database, Kinvolved does not maintain a record of PISI. Note: Data may exist in backups for a period of 35 days after the data is deleted from the database. [NYC DOE comment: The current agreement became effective starting on August 22, 2019 and terminates when all NYC DOE schools and/or offices cease using Kinvolved, Inc.’s products/services. The terms of the agreement remain effective through the period during which Kinvolved, Inc. possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data and the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.] 

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI is stored in the United States.

How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted in transit and at rest.

KittyHawk Digital

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2022 – 6/30/2026

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. At KittyHawk, we specialize in custom software solutions for schools. Our primary focus is to support these schools with their educational needs by providing a Learning Management System (LMS) and a user-friendly communication tool.

This LMS is designed to optimize a personalized learning experience for students. It offers a secure and intuitive platform where students can access course materials, assignments, and grades. Teachers can utilize the system to create and manage their courses, track student progress, and deliver engaging content personalized to the student’s learning needs. Additionally, parents have the opportunity to stay informed about their child's educational journey by receiving updates and communication channels within the LMS.

Personal Identifiable Information (PII) is utilized for the purpose of establishing user accounts and monitoring the academic advancement of students enrolled. PII is further employed to facilitate effective communication between teachers and parents concerning the educational progress of students. Additionally, PII is employed to oversee and assess student progress, thereby guiding them towards appropriate subsequent courses of study.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS for Application, Database, and File Storage.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We have implemented the following safeguards to ensure the protection of Student Information and to mitigate data privacy and security risks. These safeguards include but not limited to:

• Administrative:
  • Access Controls: We have established strict access controls to ensure that only authorized personnel can access student information. This includes user authentication, security groups, role-based access, 90-day key rotation, and regular review of access privileges.
  • Policies and Procedures: We have implemented corporate policies and procedures that govern the collection, storage, use, and sharing of PII. These policies are regularly reviewed and updated to align with industry standards and legal requirements.
  • Incident Response Plan: In the event of a data breach or privacy incident, we have a response plan in place. We have system alerts and monitoring in place and this allows us to respond swiftly and effectively, minimizing any impact on student data.
• Technical:
  • Encryption: We utilize the latest encryption techniques to protect student PII both during system communication and while stored in our systems. This ensures that the data remains secure even in the event of unauthorized access.
  • Data Backup and Recovery: Daily backups are stored on private storage accounts (S3). This ensures the availability and integrity of student information. Recovery mechanisms are also in place to maintain system availability in case of any unforeseen incidents.
  • System Monitoring: We employ monitoring tools and Intrusion Detection systems that continuously track and analyze our infrastructure for any suspicious activities or potential  security breaches.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology."

KiwiWrite Software (for KiwiWrite Math)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. KiwiWrite Software, LLC provides a web-based application named KiwiWrite Math, which provides to select students with specific need an online platform to act as an alternate means of entering and completing math or math-containing classwork or assessments. Minimal PII will be accessed that is needed to create and maintain student accounts.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Physical safeguards are provided by AWS, our cloud provider. We do not store PII in any location except in our encrypted database on the cloud. Administrative safeguards to protect data include limiting access to a minimal number of authorized personnel who have a legitimate need for such access, and requiring confidentiality agreements for any personnel with access. Test environments do not use student data and have separate security keys. Technical safeguards include encryption of data in transit and storage, access controls, and implementing regular and encrypted backups.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Klett World Languages

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The KWL is an app from Klett World Languages, Inc. We are a publisher of world language materials. Students engage with our interactive books and assignment workflow on the platform. There is a lot of student generated content, which includes audio recordings, writing samples, etc. This is for standards mastery of the NYS LOTE standards. Our platform needs PII data because student names, usernames are used to relate student responses/generated work with users. Teachers need to send assignments to specific students or groups of students. PII is needed to identify students and groups. Moreover, District Admins can export these reports for standards mastery and this is why PII is needed.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Various methods are used to protect Personally Identifiable Information (PII). In transit, TLS/SSL is used when transferring user information and our AWS servers. Amazon RDS and Amazon S3 that support encryption at rest.

Database-level access controls are implemented to restrict users' access to specific tables or fields containing PII. All development is done on a private internal server, and this ensures that code is not compromised. AWS DevOps tools are used to ensure secure coding practices and automate deployment pipelines.

Logging and Monitoring tools are used by our Developers: Amazon CloudWatch has been implemented for logging and monitoring the AWS resources to detect and respond to security incidents. AWS CloudTrail is used to monitor and log AWS API calls for auditing and compliance.

Regularly backup PII data and have robust disaster recovery plans in place to ensure data availability in case of accidental deletion, corruption, or other unforeseen events.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

KneoWorld, Inc.

Kognity USA

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Kognity is a digital web browser accessible teaching and learning platform primarily used by International Baccalaureate (IB), IGCSE and NGSS. It offers interactive textbooks, quizzes, videos, and other resources, allowing teachers and students to engage with curriculum-aligned content in a dynamic way. Kognity's platform aims to enhance student understanding, retention, and application of knowledge while providing teachers with tools to monitor and support student progress. Kognity receives Student Data in two ways: (i) from our School Customers to implement the use of our Products (including allowing for access to the Products by Authorized Users); and (ii) from Authorized Users.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Heroku/AWS Customer Application Isolation, which provides an isolated cloud environment within Heroku, and cannot interact with other applications or areas of the system.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We take a comprehensive approach to safeguarding sensitive educational information. It covers governance frameworks, incident management, hosting and data storage, access controls, encryption, vulnerability assessments, staff and subcontractor compliance, and risk assessments, all in compliance with relevant laws and standards.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

KPMG LLP 

Kweller Prep Tutoring and Educational Services

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 6/1/2023 – 5/31/2028

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. As a tutoring business, it is necessary for our Entity to receive and access Personally Identifiable Information (PII) of students to conduct its services. Our Entity needs this information to provide personalized and effective tutoring services to students. This information may include the student's name, age, grade level, academic performance, learning style, and any relevant medical or behavioral information.

Our Entity may also collect contact information such as email addresses, phone numbers, and addresses to communicate with students and their parents or guardians regarding tutoring sessions and scheduling.

It is essential for our Entity to maintain the confidentiality and security of the PII it collects, uses, and discloses. The Entity must comply with applicable data privacy laws and regulations governing the collection, use, and disclosure of PII, such as the Family Educational Rights and Privacy Act (FERPA) in the United States.

Our Entity will also implement appropriate safeguards to protect the confidentiality, integrity, and availability of the PII, such as secure storage, access controls, and encryption. Our Entity will also provide training to its tutors and employees on the proper handling of PII to prevent data breaches and maintain the privacy and security of its students' information.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Kweller Prep will ensure that only individuals who will be working on a project that needs PII information will be allowed to use a PII machine.

• Machines accessing PII information will be allocated strictly for the use of accessing PII data.
• Information is protected by strong passwords, which include characters or more and a combination of numbers, uppercase and lowercase letters, and special symbols.
• A screen lock will be implemented on dedicated PII machines. The screen lock will be set to turn on within 5 minutes of inactivity.
• Breaches will be immediately brought to the attention of Kweller Prep’s Executive Director and technology security specialist. Our technology security specialist will then immediately evaluate and determine the extent and severity of the breach. Upon summarizing findings (no later than 1 day upon learning of the incident), we will report the incident to the appropriate NYC DOE department.
• PII will not be stored on personal computers.
• PII will not be stored on public computers.
• Kweller Prep will make every attempt possible to only store PII data on encrypted servers and not on locally encrypted computers.
• PII data will only be used, seen, or shared with people to fulfill the duties associated with the particular PII.
• PII data will not be left open on a screen when it’s not in use.
• Physical PII data (papers) will not be left unattended.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

L&G Research and Evaluation Consulting

Type of Entity: Research Institution or Evaluator

Contract / Agreement Term: 3/1/2023 – 2/28/2028

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. L&G Research and Evaluation Consulting, Inc. (L&G) is contracted to conduct an implementation and outcome evaluation of the 21^st Century Community Learning Centers grant awarded to the New York City Department of Education from July 1, 2022 until June 30, 2027. Our L&G team will support efforts to gain a better understanding of the value of grant-funded activities in meeting the needs of students and their families. This program, funded through a five-year federal grant administered by the NY State Education Department, is intended to offer much needed enrichment and educational supports to target students. In full compliance with the Request for Proposal (RFP) stipulations, L&G developed a meaningful and cohesive evaluation plan that can move the work forward towards meaningful, aligned results in the future.

Our implementation and outcome evaluation plan includes a mixed method qualitative and quantitative research design. We offer assistance with ensuring clients adhere to all state and federal reporting requirements. This typically involves the following: 1) development of program logic models; 2) assessment of program evaluability (Year 1 only); 3) site visits and program observations; 4) development and administration of surveys in fall and spring; 5) attendance and observation of advisory board meetings; 6) EZReports data management and generation of weekly data compliance repots, mid-year and final reporting, and 7) State monitoring visit support as needed. We offer ongoing quality control and technical assistance for all data collection, storage, monitoring and reporting. We work very closely with our schools to provide services that are research-based and support the program goals/objectives as determined by the core leaders.

All student, parent, and teacher data collected during the five years will be used exclusively to assess grant performance, improve program implementation, and support the NYC DOE with the meeting of grant goals and objectives. No other data other than what is required by NYSED and stipulated in the RFP will be collected during the life of the grant.

Type of PII that the Entity will receive/access: Student PII, APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data), and Parent and Family Member PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. L&G’s data storage plan addresses what gets stored, the location, when storage activities occur, who is responsible for management, how much data an organization stores, what it retains and destroys, and how storage takes place. Our plan ensures both the security and availability of the data.

Data storage can be electronic or nonelectronic formats (such as paper surveys), including data files and databases. Nonelectronic data is stored in locked cabinets at the L&G main office located at 55 Broadway, Suit 416, New York, NY 10006. The locker combination is only stored with tram members involved in entering the survey data into the computer. For electronic data storage, L&G uses password protected computers. The password is changed every 30 days and is only accessible to L&G staff members responsible for analyzing the data. Data storage requirements are thoroughly discussed with L&G staff both during onboarding of new staff and ongoing during annual retreats to ensure compliance with our internal data storage plan that protects confidentiality and safety of PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Labster

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Labster Services Description: Labster is a company dedicated to developing fully interactive advanced lab simulations based on mathematical algorithms that support open-ended investigations. We combine these with gamification elements such as an immersive 3D universe, storytelling and a scoring system which stimulates students natural curiosity and highlights the connection between science and the real world.

PII includes name and email of assigned students/teachers, to provision access to the Labster simulation platform and live support services to NYC DOE assigned students/teachers.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. “According to FERPA, Labster must allow students/guardians at least 45 days after contract ends to dispute Labster quizzes scores/reports. Labster will delete DOE data according to retention schedules and applicable contractual obligations.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS in Virigina, USA.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Labster leverages AWS Cloud Services Provider data center in Virginia, USA. This data center is ISO27001 certified.

Labster does implement logical and technical measures to protect NYC DOE Student PII. Those are included but not limited to: Least privilege, need to know, Vulnerability Management, Access Control (RBAC), Security Testings, Security Awareness Training, etc.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Lakeshore Learning Materials (for SANDI/FAST)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 08/2022 – 07/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The SANDI/FAST is an online assessment designed to assess and monitor students with moderate to severe cognitive and low incidence disabilities. It is aligned with Common Core Learning Standards and includes subtests in English Language Arts, Math, Science, Social Emotional/Behavioral, Vocational/Transition-Education/Employment, and Vocational/Transition-Community. The SANDI-FAST also assesses student skills in Fine Motor, Gross Motor and Adaptive Daily Living. The SANDI-FAST is a performance based, periodic assessment aligned to grade-level Common Core State Standards (CCSS). The SANDI provides summative assessment data and measures academic growth over time. The FAST is a short-cycle benchmark assessment administered two times throughout the school year to target four essential standards at three levels. The SANDI provides a summative assessment that goes deeper than other tools into student learning and maintains a focus on individual student need, not just proficiency levels. Formative assessment (FAST) is based on the SANDI and administered as a part of the continuous progress monitoring of the pre/post and interim assessment opportunities built into the system. Student need areas are assessed and then aligned to grade level content standards, giving all students access to a rigorous and relevant education.

Type of PII that the Entity will receive/access: Student PII and Other: For each user (teacher, service provider, administrator) we collect their name and email address, and they are connected through the SANDI/FAST system to their assigned school and class, if applicable.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the Entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All access to the SANDI/FAST for NYCDOE personnel is managed directly by NYCDOE. This includes both provisioning user accounts with the appropriate role and authenticating accounts into the system. All outside access to the SANDI/FAST system is restricted to necessary personnel for the sole purpose of supporting the SANDI/FAST system and NYCDOE users. Multi‐factor authentication is implemented for all of the accounts used by the necessary personnel All application servers and workstations have anti‐virus and anti‐malware software for detecting malicious threats. A threat detection service is utilized to continuously monitor for malicious activity and deliver detailed security findings for visibility and remediation. All communication between the end user and the SANDI/FAST Online is encrypted. All confidential information is encrypted in transit and at rest.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Language Line Services

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2024 – 6/30/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Language Line provides on-demand remote interpretation services via phone. We will not capture or store any of your data, however personally identifiable or other confidential information may be spoken during the interpretation sessions.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor states “We have individual non-employee linguists that we use for our workforce generally. They are not hired specifically for any one customer or project, and we do not consider them to be subcontractors. All are bound by written confidentiality obligations no less protective than the obligations imposed in this Agreement. Linguists have no access to customer data once a call has ended.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: We will not maintain or store any PII.

Challenges to Data Accuracy. The Entity notes “We will not maintain or store any PII.”

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We have administrative and technical safeguards in place including a strict Code of Conduct which includes confidentiality and non-disclosure, Clean Desk, Information Security and annual compliance training as well as following the highest industry standards for information security based on NIST and COBIT, and ongoing monitoring. All data is encrypted when traveling within our proprietary secure systems. Only specific Language Line personnel have access to data. We conduct background checks, annual confidentiality and privacy training for regulations such as HIPAA, FWA, and GLB, and we have a thorough set of policies and processes that enforce security of information, data, and locations. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Language Tree Online

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Language Tree Online offers an online English Language development curriculum program for high school English learners. PII is needed to make individual student user accounts and to track student language assessment results and progress in their English language development studies.  PII Is also used to allow teachers and administrators to gain insight into students’ language gaps, monitor student progress and struggles in the program, and see growth and where students still need additional instructional support to master language skills.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS Infrastructure and Moodle platform.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• User Authentication: Language Tree Online will not generate, issue, or store passwords on its system but will authenticate teacher and student users through an identity management/SSO solution such as Clever.
• Employee/Admin Access: Language Tree Online follows the principle of least privilege access, allowing system access to student data only to platform administrators.  In addition to MFA for AWS account root users and IAM users, admin access is also limited by source IP.
• Physical Security and Operational Safeguards: Language Tree Online employees work remotely from home offices. In addition to required annual security awareness training, all employees must follow company policies that include protecting and scan computers for viruses using provided anti-malware tools (Windows Defender, Windows Firewall, Malwarebytes), only accessing work systems on secured networks or through a VPN, and adhering to the confidentiality of third-party data as outlined by their Employment Contract. Admins furthermore do not use smartphones or tablets for logging into systems and are home offices with video surveillance. 
• Firewall and Security Monitoring: Language Tree Online uses a combination of firewalls and AWS security groups to protect against unauthorized access. We use tools in the AWS Security Hub for continuous security monitoring and alerting.
• Security Protocols: Language Tree Online uses industry best practices in the transfer/ transmission of student data and maintains all student data obtained, generated, and stored in encrypted and password-protected databases (See Section on Security Technologies). Student data will not be copied, reproduced, or transmitted except as necessary to fulfill the purpose of data requests of the subscribing institution or for backup purposes.
• Encryption Technologies: Data-in-transit is encrypted using Transport Layer Security (TLS) 1.2 or above. Data-at-rest is encrypted using an industry-standard AES-256 encryption algorithm.
• Application Hosting: Language Tree Online hosts services on SOC-compliant Amazon Web Services data centers located in the U.S.
• Backup Copies: Language Tree Online maintains backup copies, backed up nightly, of student data in the event of a system failure or unforeseen event that may result in the loss of student data. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Laurus Grant Writing & Evaluation Services

Type of Entity: Research Institution or Evaluator

Contract / Agreement Term: 7/1/2022 – 6/30/2027.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Laurus is the contracted evaluator of the 21st Century Community Learning Centers programs operating in NYC DOE Community School Districts. As required by the United States Department of Education, Office of Elementary and Secondary Education, the evaluator must provide information in response to the 21st Century Community Learning Centers Government Performance and Results Act (GPRA) Measure Indicators which include in-depth data on the previous year’s program and school day attendance, student academic performance, student behavior and teacher perception of student functioning. However, such data will only be obtained in the aggregate, with no student names or identifying information attached.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

PII Safeguards: Laurus has in place safeguards and practices that maintain confidentiality and security of PII in a manner that complies with federal, New York State, and local laws, regulations, and policies. The Laurus Operations Manager oversees the administrative safeguards, including: implementing and enforcing policies on staff training; incident reporting; assessment of the necessary level access granted for each staff position; organizational risk analysis; continuous review of updates to applicable laws and best practices; review of data destruction practices; development of contingency plans to ensure security of PII; and conducting internal Systems Audit annually to review these items, identify areas for improvement, and implement necessary changes. Laurus’ operational safeguards include the usage of program- and cohort-specific permission sets for access to electronic data and the usage of secure, locked storage to store physical copies of PII. Staff with access to PII are provided secure workstations that include physical safeguards to ensure no accidental disclosure. Staff are required by Laurus policy to log out of their computer and the database anytime they are not actively accessing PII, the database automatically logs users out after a period of time, and all staff will be properly trained in reporting incidents of breaches. Laurus password protection policies require complex, unrepeated passwords, bar staff from keeping passwords written down, and include the mandatory change of passwords every 90 days. Laurus will only disclose PII to staff members who are assessed as in-need of specific PII measures in order to provide the Contract services.

Technological safeguards are implemented within the EZReports database system (which is mandated by the New York State Education Department), where 100% of electronic PII data is stored. PII policy bars any staff from including PIIs in email messages. EZReports uses unique usernames and passwords with set permissions to prevent unauthorized access and to restrict user access within the application. All data is automatically encrypted while in transit and in storage. User-based permissions and audit trails further enable secure access to data within the system.

Mitigation of Risk: PII data is reported to and stored in the EZReports database that uses usernames and passwords to prevent unauthorized access and to restrict user access within the application. Each unique user account is assigned access to programs and permission sets to restrict access to data and features in the system. Data is stored using redundant Amazon Web Services hardware technologies and SSG fault tolerant software and journaling file systems. All data is automatically encrypted while in transit and in storage. User-based permissions and audit trails further enable secure access to data within the system. To prevent breaches EZReports conducts continuous vulnerability scanning, integrated security code scanning, and penetration testing. In the event systems are affected by a breach, it is their policy to notify without undue delay, and in no case greater than 48 hours, from the confirmation of a data breach. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

LAZEL (also called Learning A-Z)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 2/1/2023 – 1/31/2030

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

• Foundations A‐Z, Grade Level K‐5; Foundations A‐Z (NYC) (1 educator–12‐month license). Built on the Science of Reading, Foundations A‐Z is an online, K‐5 literacy program that empowers educators to teach foundational skills and inspires students with fun, purposeful practice.
• Raz‐Plus, Grade Level K‐5; Raz‐Plus (NYC) (1 educator–12‐month license) combines the power of Reading A‐Z and Raz‐Kids to delivers a vast collection of flexible ELA instructional resources, assessment, and engaging student reading practice to support differentiated instruction.
• Reading A‐Z, Grade Level PreK‐5; Reading A‐Z (NYC) (1 educator–12‐month license) includes a vast collection of printable and presentable reading resources, including grade‐level texts, lesson plans, and teaching materials, for whole‐class, small‐group, and one‐to‐one instruction.
• Raz‐Kids, Grade Level PreK‐5; Raz‐Kids (NYC) (1 educator–12‐month license) supports independent reading practice with a library of differentiated, interactive digital books and eQuizzes across grades K‐5.
• Raz‐Plus ELL, Grade Level K‐5; Raz‐Plus ELL (NYC) (1 educator–12‐month license) expands Raz‐Plus with a deep library of specialized literacy resources to support speaking, listening, writing, and reading for English language learners. Purchase of Raz‐Plus is required. (Requires Raz‐Plus.)
• Raz‐Plus Español, Grade Level K‐5; Raz‐Plus Español (NYC) (1 educator–12‐month license) is an add‐on component to Raz‐Plus that supports Spanish literacy with hundreds of authentic Spanish texts and transadapted instructional resources. Purchase of Raz‐Plus is required. (Requires Raz‐Plus.)
• Raz‐Plus Connected Classroom, Grade Level K‐5; Raz‐Plus Connected Classroom (NYC) (1 educator–12‐month license) expands Raz‐Plus with tools and resources designed to help educators create personalized, student centered learning paths for students in Grades K‐5. Purchase of Raz‐Plus is required. (Requires Raz‐Plus.)
• Vocabulary A–Z, Grade Level K‐5; Vocabulary A–Z (NYC) (1 educator–12‐month license) personalizes vocabulary instruction with an expansive online word bank used to create explicit vocabulary lessons and game‐based online practice.
• Science A‐Z, Grade Level K‐6; Science A‐Z (NYC) (1 educator–12‐month license) blends science and literacy into a captivating K‐6 curriculum. The program delivers thousands of resources including a library of English and Spanish text, science experiments, and hands‐on activities.
• Writing A‐Z, Grade Level K‐6; Writing A‐Z (NYC) (1 educator–12‐month license) is a supplemental writing solution that develops fluent, enthusiastic writers with explicit writing instruction, a fun online writing platform, and game‐based practice, for grades K‐5.
• Online Professional Development Webinar ‐ 1 hour: This online training session helps educators leverage the resources and tools available in each Learning A‐Z solution.
• Online Professional Development Workshop ‐ 6 hours: This online workshop, which is tailored to meet each school’s unique needs, helps teachers dig deeper into Learning A‐Z.

Learning A‐Z provides e-learning tools and resources. Our resources include lesson plans, classroom activities, and assessments, as well as thousands of grade‐level text and materials, and professional learning services. All content is delivered online in printable, projectable, and interactive digital formats, supporting whole‐class, small‐group, one-to‐one, and independent learning environments.

Only the data provided by the DOE is collected. DOE entered data is then available for the use of DOE educators and administrators as permissioned.

Certain activities on certain services allow children to create or manipulate content and save it on our services. Some of these activities do not require children to provide any personal information. If a service requests or allows a child to provide personal information in their created content, we will seek prior verifiable parental consent to collect that information. Examples of created content that constitute or may include Personal Information include the following:

• Student voice recordings: Children may record themselves reading texts, they may play the recordings back, and they may send the recordings to their teachers.
• Open‐text fields: Children may draft and submit written responses to various prompts
• Message sent to students by parents or teachers

Additional educational information is collected as the child progresses through the service, such as amount of time logged in, reading rate, and assessment scores. This information allows the service to adapt to the child and inform the teacher on the child’s progress.

Type of PII that the Entity will receive/access: Student PII

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We maintain administrative, technical and physical safeguards designed to secure student data, as provided by NYC DOE, both during transmission and while in our custody. These safeguards include technical and operational measures, such as firewalls, routers, encryption (at rest and in‐transit), passwords, and vulnerability testing, as well as training, policies and procedures to limit access to NYC DOE provided data to authorized staff, contractors and agents that have a legitimate need to access such data for purposes of enabling us to deliver and support our products and services to the NYC DOE, and that are under appropriate contractual obligations of confidentiality, data protection and security.

No student PII is ever public. Our applications are designed to keep this information private and secure. It is never discoverable by the public.

• The Company has a formal onboarding and off‐boarding procedure where access to database assets are formally granted and revoked respectively; access is only granted to employees who need access to support the online products as we ascribe to the principle of least privilege.
• The Company provides student data privacy training to all employees and contractors who access our network.

The Company employs a 3rd party company to conduct both COPPA and FERPA compliance audits.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

LE RU Multi Service Agency

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/7/2022 – 9/30/2028, with an optional extension to 9/30/2031

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. LERU is a consultant agency providing multiple services to students and staff in schools in the NYCDOE. For the purpose of this document, LERU will be working with staff providing professional development, charting, and progress monitoring. To achieve these goals, our consultants will have to access and share personal information concerning staff members.

Secondly, we will be providing academic support for students and will need to access baseline data to track progress, assessment and historical charting.

In reference to Attendance Intervention, Counseling and Wrap around services to Students and parent, PII data (Name, phone numbers, address, student OSIS numbers, academic scores ) is also used in order to make contact with family members or to assess student academic, behavioral and performance data.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Iden2fiable Teacher or Principal Annual Professional Performance Review Data)

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The En2ty will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Pursuant the safety protocols, LE RU will do the following:

• All data will be accessed by individuals cleared by LE RU and the participating school team.
• All initializing access passwords will be securely stored.
• No computer will be left running unsupervised beyond school hours.
• All data collected or used, will be hosted on our servers.
• All access protocols are stated below:
  • Server will be located in a safe room on site within a DOE building.
  • Server will have multiple log on password for access
  • To access PII files, LERU’s personnel will be internally cleared before they proceed to access PII files.
  • An additional access code will be needed to save, edit or manipulate saved data.
  • The idle component enabled will be 60 seconds to black screen.
  • All accessing personnel will be internally documented to maintain a tracking record of users and no document will be held on personal computers or carried on personal flashdrives.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

The Leadership Program

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2022 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Leadership Program (TLP) will partner with schools to create and implement a Community School Plan that provides academic enrichment and support, youth development, staff development, family engagement, and connects families to community resources. This partnership will work to create a welcoming supportive environment that helps students navigate barriers and build on strengths so that every student can thrive academically, socially and emotionally.

In providing Student Support Services TLP will use Student PII to enroll students in specific services such as after school clubs, expanded learning, wellness, and integrated student support. Student PII is used to keep track of attendance and to communicate with parents and students.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Implementation of Data Security and Privacy Contract Requirements
  • The Director of Operations will keep abreast of current Data Privacy and Security regulations, policies, and procedures, will adapt organization policies as appropriate to adhere to those standards, and in collaboration with the Director of Programming will train organization employees on procedures to ensure data privacy and security.
  • All employees are provided with the standards of data privacy and security required by law and are required to understand and comply with the applicable policies and procedures. Employees with access to Student PII are trained in data privacy and security upon hiring and on an ongoing basis.
• Administrative, Operational and Technical Safeguards and Practices
  • Employee agreements require that employees align with the security requirements of any projects undertaken.
  • Access to PII permissions and authorizations are managed: only persons with a direct need-to-know will be given access to PII information and only while it is needed.
  • User identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes.
  • Once documents have been used for their intended purpose they will be securely deleted or returned to the NYCDOE as required.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Learn by Doing (also called Albert or Albert.io)

Type of Entity: Commercial Enterprise

Contract/Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Albert.io offers curriculum supplements for grades 5-12. It focuses on interactive learning. Specifically, expertly created practice questions with explanations for core curriculum classes and test prep.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Google Cloud and Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Albert.io is committed to maintaining the security and confidentiality of Student Information. It has designated a Security Compliance Officer (SCO), who is responsible for: (a) ensuring that the Company’s servers are protected against unauthorized access to the greatest degree possible; (b) limiting employee access to Student Information to whatever extent is required for them to perform their job functions; and (c) regularly training employees in data security procedures to further ensure compliance with company data security policies.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology."

LearnerPal

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. LearnerPal provides teachers and students with out of the box content in the form of questions, answers, and videos to create and assign learning activities, or assessments. Teachers can add to the content library, or simply select from premade activities to assign to their students to engage, enhance or assess their daily classroom learning. PII is needed for creating student logins and assigning tasks.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. LearnerPal maintains an audit trail of all data that is sent to the system. All user access and events are tracked and no resource has access to the data storage in order to preserve the integrity of the data. All information is stored in AWS and is encrypted at rest and in transit. The data never leaves AWS and is not accessible to anyone in LearnerPal or outside the school users. All users have to authenticate into the system and based on their access privileges, can access only the data for their school.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Learning Explorer (for ScootPad)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ScootPad is an adaptive learning platform that supplements core curriculum, helping teachers (i) identify where students have learning gaps in their understanding of state learning standards (New York Next Generation Learning Standards in the case of New York), (ii) fill those learning gaps in an automated manner with “just in time” lessons and practice for the students, and (iii) direct teachers to the students that have the greatest learning gaps so the teacher can intervene in remediating these learning gaps when they are so great that this can’t be achieved with the automated approach in ScootPad.

ScootPad addresses all topics and concepts in the state learning standards for math and ELA in grades K-8, and generally students from those grade levels will use the platform. Occasionally some high school students may also use the product to fill gaps in their learning from middle school.

This product is used by teachers and their students, so accounts will be created for all teachers and students that are being targeted with the solution. At the teachers’ discretion, they may create parent accounts so that parents can review their students’ progress.

The reasons that ScootPad receives PII are as follows:

• To allow for the creation of unique teacher and student accounts, since teachers and students are the primary users of the system. This can be extended to parent accounts if the teachers choose to provide system access to parents to review their students.
• To allow teachers to great grade, subject and topic specific learning paths for both groups of students and individual students so that ScootPad can identify the learning gaps for each individual student and provide targets instruction and practice to fill these specific learning gaps for each student.
• To allow ScootPad to produce learning progress reports for teachers on a per student basis, so that teachers can monitor student progress toward filling their learning gaps.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Entity has the following internal controls and physical safeguards are in place to ensure PII will be protected:

• Application hardware housing and/or processing PII are in a secured, internal space, accessible only by individuals approved by Entity;
• Commercially reasonable efforts are in place to keep Applications separate from general systems and applications;
• Only authorized individuals may enter the physical site where the Entity’s Applications reside;
• Only individuals approved by Entity may access Applications housing or transmitting PII;
• Protects and secures all PII in transit (collected, copied and moved) and at rest (stored on the physical servers), including during any electronic data transmission or electronic or physical media transfer;
• Maintains all copies or reproductions of PII with the same security it maintains the originals, and at the point in which the PII is no longer useful for its primary or retention purposes, as specified by the NYC DOE, will destroy such PII, making it unusable and unrecoverable; and
• Uses commercially reasonable efforts to secure and defend any System housing PII against third parties who may seek to breach the security thereof, including, but not limited to breaches by unauthorized access or making unauthorized modifications to such System, that will involve at least the following best practice technology approaches:
  • Authentication (i.e., passwords);
  • Encryption;
  • Firewalls – hardware and software. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

The Learning Internet (also called Learning.com)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Learning.com collects the minimum student data required in order to connect teachers and students with our K-12 digital skills online curriculum. This includes providing teacher facilitation tools to support instruction and practice of those digital skills. Specific fields we collect and how we use them are detailed in our publicly posted Subscriber Privacy Policy at https://www.learning.com/subscriber-privacy-policy/.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The security of your data is of utmost importance to us. We employ industry best practices with respect to personnel and technology to minimize risks of unauthorized access or misuse of PII. We conduct background checks during our recruiting and hiring process to ensure good stewardship of your data. All personnel must complete annual security training that includes guidance on safe handling of data and a review of responsibilities under applicable laws and contracts. We limit access to PII to those who require it in service of our educational purpose. We secure your data by various technologic means, such as firewalls, monitoring, and vulnerability scans to minimize the changes of a breach. Our servers are all physically located within the United States using secure AWS cloud services. All data transmitted between your devise and our servers uses industry standard SSL encryption. All data in our custody is stored using FIPS compliant encryption. We employ an independent firm to conduct penetration testing of our systems, keep up to date with all security patches and software versions, and are vigilant about mitigating any newly discovered vulnerabilities. Our comprehensive security program implements a security in depth methodology by addressing security on every level to ensure information is protected in the event any one layer is compromised. Internal policies and procedures are aligned with NIST 800-53 and all stored data is encrypted.

User accounts are required to access our services and use role-based access to ensure only authorized data can be accessed. You are the only person who can log in with your account and access your data. Learning.com will never ask you for your password and you should never give it to anyone. Ultimately, you are responsible for maintaining the secrecy of your password. Also remember to sign out properly and close your browser window when you have finished using our service. This helps ensure your information remains secure in the event the computer you used is physically accessible to others. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Learning Through an Expanded Arts Program

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Learning through an Expanded Arts Program, Inc. (“LEAP”) provides arts in education programs and is committed to ensuring the privacy, confidentiality, and safety of collected personally identifiable information (PII). The arts in education programs entails expanding creative thinking and supporting positive behavior through student-centered art making and social skill-building activities integrated into classroom academics. We co-teach with classroom teachers and empower them to use the arts in their everyday classrooms. LEAP requires PII in order to provide the service - as it collects and maintains data digitally and on paper in completing around agreed upon services, service delivery, and education purposes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Drive, E-Z Reports.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. LEAP is committed to implementing all state, Federal, and local data security and privacy requirements over the life of the agreement. LEAP will continue to monitor and address applicable laws and regulations and stay up to date with regulatory changes to enhance our Data Security measures. LEAP has subscribed to several platforms and online cyber security communities.

LEAP will provide specialized training for all staff dedicated to cybersecurity. Cybersecurity experts and industry leaders provide resources and tools to LEAP that allows LEAP to manage and quell vulnerabilities by monitoring our work consistently.

Digital PII

• We store PII on cloud-based, password-protected platforms managed by government agencies or approved external platforms. All records received while working as an agent of DOE are considered “educational records” covered under FERPA standards and the NIST Cybersecurity Framework; PII is not stored on local devices or hard drives.
• We access PII on secure networks, managed by either the DOE or LEAP’s external IT provider.
• We limit access to PII to LEAP Employees who need it in their role to provide contracted services.
• We train LEAP Employees to use the platforms and methods outlined above, in the form of: online trainings on Zoom covering PII best practices and regulations; onboarding 1:1 trainings in-person around our use of Google Drive, Salesforce, and funder portals, and; asynchronous phishing tests sent to all employees several times per fiscal year.
• We review practices, safeguards, and secure disposal of PII with our external IT provider on an annual basis.
• On an annual basis, we permanently delete PII files once they are no longer needed for the purpose of the program, or once the contract has ended and the required storage duration has passed. The Program Operations department facilitates the schedule and confirmation of digital clean-up.
• We carry cybersecurity insurance.

Paper PII

• We collect PII directly from Guardians or from School Employees.
• We store PII in locked cabinets, accessible only to authorized LEAP Employees or School Employees, for a duration designated by appropriate government regulations, after which we transfer PII to a locked storage facility.
• We access PII within designated rooms within DOE school buildings, at a locked and secured LEAP office space, or at the locked storage facility.
• We permanently and securely shred PII data after the storage duration has exceeded government regulations, through an external vendor and with a certificate of destruction. The Program Operations department conducts annual site visits to our school-located programs and to our main office to review stored paper files and arrange for shredding services.
• We limit access to PII to LEAP Employees who need it in their role to provide contracted services.
• We provide in-person, virtual, and online trainings to LEAP Employees to use the platforms and methods outlined above. The training topics include types of data & required protections, How to label data, Data sharing protocols, Data deletion and disposal, Records management, Data backup and Federal & state laws governing confidentiality; FERPA and NY Ed law.
• We review practices, safeguards, and secure disposal of PII internally by conducting audits with our Program Operations department with recommendations for updated data privacy and security policies located on the DOE website: https://www.schools.nyc.gov/about-us/policies/dataprivacy-and-security-policies
• We carry liability insurance for all locations listed above.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

LearningTimes

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 6/1/2023 – 6/30/2025.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. LearningTimes produces a variety of interactive online events for the NYCDOE. These include the monthly PEP & Contracts meeting; Joint Public Hearings for the Office of District Planning; CEC Chancellor Town Halls; and annual hearings for schools in receivership.

LearningTimes utilizes 1 vendor for the webcasts we provide. Zoom is a platform for meetings/webinars and is widely used by the DOE. LearningTimes has 28 Zoom licenses that are used to support DOE events. We do not exchange DOE data with Zoom, participants login directly. Storage of data and encryption is provided by Zoom.

The only PII we require is First Name, Last Name and email address. The purposes for this data is to send confirmation and reminder emails, identify participants in live events that may wish to offer public comment, and collect registration & attendance information for the NYCDOE.

Type of PII that the Entity will receive/access: Required PII is first name, last name and email address of event registrants.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and

written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. “LearningTimes utilizes 1 vendor for the webcasts we provide. Zoom is a platform for meetings/webinars and is widely used by the DOE. LearningTimes has 28 Zoom licenses that are used to support DOE events. We do not exchange DOE data with Zoom, participants login directly. Storage of data and encryption is provided by Zoom.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Storage of the limited data collected and encryption is provided by Zoom. There are only two LearningTimes administrators with access to the data which requires multiple step authentication, regular password changes on dedicated company desktop machines running approved security protection software.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Legal Interpreting Services, Inc. (also called LIS Solutions)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 11/1/2022 – 6/30/2024.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. LIS Solutions schedules and provides interpretation services to students and/or parents at the request of the NYCDOE. Services include onsite and virtual interpretation. PII may be required to schedule appointments, and accurate identify and contact persons receiving service.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, the entity agreed that “data can be destroyed at the NYC DOE’s request prior to contract expiration or termination.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Office 365. The entity also states that “while Processor utilizes a third-party vendor, Schedule Interpreter, they do not have access to any PII.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Processor has implemented the following safeguards to this environment:

• Firewalls-ability to block unauthorized access while permitting outbound communications. inspection of in/out traffic. utilization of security rules identifies and block threats.
• Intrusion Prevention Systems (IPS)- network security tool, continually monitors the network for malicious activity and prevention management.
• Data Encryption-security method, information is encoded and can only be accessed or decrypted by user with the correct encryption key.
• Access Control Systems-security solution used in computer networks to ensure that only authorized and compliant devices and users can access network resources. Systems are designed to enforce security policies and protect against unauthorized or non-compliant access to a network.
• Secure Authentication-Authentication is the process that an individual, application, or service goes through to prove their identity before gaining access to digital systems. i.e. Password, MFA, RSA token Biometrics.
• Data Loss Prevention (DLP)- security that identifies and helps prevent unsafe or inappropriate sharing, transfer, or use of sensitive data. in use, in motion and at rest. i.e. Malware Phishing, Ransomware, insider threats.
• Data received from NYC DOE store on separate SharePoint Sites with limited access (only Process Program Management Staff supporting NYC DOE have access)
• Data classification and handling/training of Processor Staff
• Security incident response-processes and procedures developed in accordance with NIST 800-171 (and the Federal Government’s Cybersecurity Maturation Model Certification, CMMC) to minimize the impact of the incident, contain the threat, and restore normal operations as quickly as possible. i.e. unauthorizes access to, or use of, systems, software, and or data.
• Complex password requirements and MFA authentication for Processor users who are allowed access to the environment. Note: Interpreters do not have access to this environment nor does Schedule Interpreter.
• Systematic application of management policies, procedures, and practices to the task of establishing the context, identifying, analyzing, evaluating, treating, monitoring, and communicating information security risks. i.e. Malware Phishing, Ransomware, all external/ internal threats.
• Use of SOC 2 TYPE 2 certified facilities only 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Legends of Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Educational software designed to assist students in learning and applying critical reading, science, and math skills. Student PII is required as we need unique student identifying information for them to login to their specific avatars and report on their individual game results.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Physical access to servers is controlled by our cloud provider. We maintain passwords for all key systems securely and rotate them regularly. We follow the Principal of Least Privilege, granting the minimum amount of access to employees required for their jobs and regularly tightening access wherever possible. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

LES Global

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2022 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. LES GLOBAL, LLC (L.E.S) provides crisis prevention services to underserved families, over aged & under credited students experiencing social and emotional hardships and at- risk of not graduating high school. We support Schools and Communities and their scholars who struggle to meet NYC educational requirements, for schools’ promotion and or graduation by utilizing our ROADS Logic Model: Removing Obstacles Achieving Dreams. The ROADS Program handholds students struggling to complete work or get to school on time while communicating with teachers to ensure work is complete, we initiate transfers to more suitable schools in the best interest of the student and we also locate missing students who don’t come to school in hopes of getting them back into an educational setting.

Our trained staff, advocates and social workers must access PII information in order to comply with transferring of students for the R2A program. Students’ records, grades, IEP information, parent contact information, attendance reports and Record for Graduation Certification of Students (RGCS) Report in order to create an individual educational plan for each student. The student’s information and graduation reports are used to identify the number of credits they currently have, how long it took them to get them, how many they need to graduate, if they will age out of high school before classes are complete, to determine a suitable alternative educational solution, to understand the students struggles and be able to advocate on their behalf and to their parents and to compare it to their transcripts. All DOE transfer schools require students’ records be printed and provided before students can be accepted into their schools. Student records such as Immunizations must be provided to the schools by the students’ parents but are also required for acceptance into programs. Some students in the ROADS program can retake classes and receive tutoring which leads to graduation while others require transfer to alternative schools more suitable and then we have displaced students we find across the country that we enter into a new educational program. Students and families have access to our social workers as well, in order for social and emotional support to be successful, these professionals must access records in order to properly assist these families. Ultimately, we do whatever is necessary to assist the underserved students to be successful too and through high school.

All PII data requested is a requirement of the DOE transfer process or is necessary to make an alternate & individualized plan for a student to promote the best graduation outcome. Data/reports required as follows:

Transcripts/grades: Used in all LES ROADS to determine a students alternative learning approach and approach to graduation success. Transcripts shows the types and levels of classes a student took from grades 9 through 12 and also shows how many pass/fail classes a student took and may include any courses a student dropped or failed to complete.

Individualized Education Program (IEP): An IEP lays out the special education instruction, supports, and services a student needs to thrive in school. This information is used for students with IEPs only to ensure a student is receiving full accommodations necessary.

Parent/Guardian Contact Information: LES uses this contact information to gain permission for students under 18 to get services from LES. This information is also used to locate missing students and make house calls as part of the ROADS Road to Dropout Prevention Program. This is used in ALL ROADS Programs as parents must remain apart of the students individualized plan.

Attendance Reports: Reviewing these reports allows staff to determine the type of school suitable for a student. Due to various personal needs some students require a school setting in the evening, or one with job/school combos or even online schools. This allows individualized plans based on family needs. Used in all ROADS Programs.

Record for Graduation Certification of Students Report (RGCS): This report sums up a students ability to graduate, if they are about to age out of school and tracks their high schools success and failures. Used in all ROADS Programs.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the Entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. LES considers security of PII to be of utmost importance. We safeguard PII through a combination of policies, procedures, training, segregation of duties and robust systems, security and technology. We mitigate data privacy and security risks by following and adhering to industry protocols, standards and practices, employing up to date technology, training and segregation of duties and user access controls. We also perform background checks on our employees, encryption of confidential information in transit and at rest, and limiting user access to confidential information based on role.

• LES uses Google workspace: A cloud-first, browser-based approach that is constantly updated – no need for local devices, native apps, or email attachments. It has built in controls, encryption, and verification with a Zero Trust approach that enables employees to work from anywhere and eliminates the need for VPNs.
• Email: PII information is never shared via email. We use the workspace to share information within the organization only.
• Computers: Are password protected and remain at DOE schools.
• Data Security Training: All staff must take yearly training on Data Security
• Staff: Access to PII information can be eliminated at any time with the click of a button by management for any reason.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Lessonbee

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Lessonbee Inc. is a health education content provider and digital platform. We will be providing health education content to NYC schools. The purpose of receiving or accessing PII is for the use of onboarding students to the platform or providing SSO access through integrations such as Clever so that teachers can assign content to students. The PII that will be accessed includes first name, last name, and email address.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The security of your Personal Data is important to us, and we strive to implement and maintain commercially reasonable security procedures and practices appropriate to the nature of the information we store (e.g., encryption), in order to protect it from unauthorized access, destruction, use, modification, or disclosure. In general, we only store children’s Personal Data in pseudonymized and encrypted databases with access control. Lessonbee adheres to N.Y. education law 2-d and federal laws to protect the confidentiality of PII, and provide industry standard and best practices safeguards, including but not limited to, encryption, firewalls, and password protection, when data are stored or transferred.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Level All

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Level All is a web-based application that is accessible via the internet through a web browser. The application surfaces useful content to students, guardians, and educators on their academic, career, and collegiate journeys while also providing measurable activities to mark progress. Level All will collect some student PII such as name, email address, graduation year, and birth date. Level All does not share student confidential information, and only collects it to properly set up the accounts and curate the journey based on the student’s graduation year.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud SQL, Segment, MixPanel, Customer.io.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII is encrypted both in transit and at rest. All PII is stored on servers in the US and is only accessible by select Level All employees within the US. All Level All source code is automatically scanned multiple times per day to check for security vulnerabilities.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Lexia Learning Systems

Lexia Voyager Sopris (formerly Voyager Sopris Learning)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 5/01/2021 – 6/30/2028

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Lexia Voyager Sopris Inc. provides online and print professional development, assessment and educational curricula for students including the following programs:

• Vmath: This program is a targeted math intervention program for struggling students in grades 2–8 that provides additional opportunities to master critical math concepts and skills.
• Vmath Live: This program empowers students in grades K–8 to master math content at their own pace in a motivating online environment.
• LANGUAGE! Live: This program provides foundational and advanced reading intervention including peer-to-peer instruction; for Grades 5–12.
• eSolution: This supplemental program extends timed, paired readings to include complete online vocabulary expansion and comprehension lessons.
• TransMath: This program is a comprehensive math intervention curriculum that targets middle and high school students who lack the foundational skills necessary for entry into algebra and/or who are two or more years below grade level in math.
• REWARDS: This program provides blended reading and comprehension intervention for Grades 4-12 with goals to increase fluency rates, deepen comprehension of informational and content-area texts, and increase precision in sentence writing.
• Step Up to Writing: This comprehensive K-12 program offers multisensory writing strategies that develop ability to create thoughtful, well-written compositions across all content areas.
• LETRS: The LETRS® (Language Essentials for Teachers of Reading and Spelling) Suite is professional learning that provides educators and administrators with deep knowledge to be literacy and language experts in the science of reading. LETRS teaches the skills needed to master the fundamentals of reading instruction—phonological awareness, phonics, fluency, vocabulary, comprehension, writing, and language.
• Voyager Passport: This program provides blended literacy intervention for Grades K-5.
• Reading Rangers: This program provides online reading practice for Grades K-5.
• Only a minimum amount of personally identifiable student data required for the setup of the system is requested. We require student first name, student last name, and student identification number.

Additional data, not specific to the student, is also required to complete system setup, including the teacher first and last name, class name, grade level, and school name. Student demographic data, for the purposes of optional disaggregated reporting, is requested separately from the initial setup data and is obtained only with written permission from your district. This information is not shared and is used to track student progress and achievement within the proposed solution.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using an Entity-owned and/or internally hosted-solution.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We maintain administrative, technical and physical safeguards designed to secure student data, as provided by NYC DOE, both during transmission and while in our custody. These safeguards include technical and operational measures, such as firewalls, routers, encryption (at rest and in‐transit), passwords, and vulnerability testing, as well as training, policies and procedures to limit access to NYC DOE provided data to authorized staff, contractors and agents that have a legitimate need to access such data for purposes of enabling us to deliver and support our products and services to the NYC DOE, and that are under appropriate contractual obligations of confidentiality, data protection and security.

No student PII is ever public. Our applications are designed to keep this information private and secure. It is never discoverable by the public.

• Voyager Sopris is ISO-27001 certified.
• The Company has a formal onboarding and off-boarding procedure where access to database assets are formally granted and revoked respectively; access is only granted to employees who need access to support the online products as we ascribe to the principle of least privilege.
• The Company provides student data privacy training to all employees and contractors who access our network.
• The Company employs a 3rd party company to conduct both COPPA and FERPA compliance audits.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

LibraryPass

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. To enable authentication of a student and to provide access to the Comics Plus service.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Library Pass takes security measures very seriously. Security is broken up into two separate sections.

Policies and Procedures - LibraryPass currently has security policies and procedures for each of the following areas:

• Access Control
• Audi and Event Logging
• Cloud and Network Security
• Data Backup and Restoration
• Data Protection and Encryption
• Incident Response
• Password Management
• Software Development
• Website and Software

These policies allow LibraryPass to monitor and manage all users with internal access as well as update security access as needed.

Technical

• Network Security
  • User Access
    • IAM Access Keys are used with specific IAM roles defined to limit access to different AWS resources
    • Password are rotated every 90 days
    • VPC and Security Groups
    • Server access is limited to security group access even to each other and DB
    • All servers are on different VPC networks depending on functionality.
  • Firewall
    • Web Application Firewall for AWS to have firewall and bot detection
    • IP2 Location
    • IP2 Location services for routing of traffic to specific security protocols.
• Content Security
  • Streaming
    • We use end to end encryption when transmitting any data to/from the client and our servers in the form of SHA256 RSA encryption and validated with an SSL certificate.
    • Users are authenticated using different authentication methods set up per the institution's specific requirements. Passwords stored in our database are hashed using a strong one-way hashing algorithm with a random salt per user.
    • All API communication uses a combination public and private key for validating access to protected data. The keys are encrypted along with unique user information and encrypted with SHA256. Keys are rotated every 6 months and kept in private environment files on the servers only.
    • URLs and API calls for the pages data is tied to the logged in user with secure keys and server side sessions. API calls are also time based so they expire after a short period of time.
    • The data for pages (URL or Image Data) is never added into the HTML DOM so users are not able to just view the source or easily grab the list of URLs for the images/pages that are displayed.
    • Once Image files are loaded into the browser’s memory, they are drawn into an HTML5 canvas which eliminates the ability for users to simply copy the image from the context menu (right-click).
  • Download for offline reading
    • We use end to end encryption when transmitting any data to/from the client and our servers in the form of SHA256 RSA encryption and validated with an SSL certificate.
    • We have a proprietary file format named CB files.
    • Our CB files implore an unpublished file/data format that contains image data, indexing information and other metadata.
    • The content in the file is secured with a unique hash that needs to be validated before content can be read. The unique hash is a combination of file metadata and user information.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

LightSail

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. To fulfill the services requested by NYC DOE. Specifically to provide to schools LightSail’s Online literacy platform providing initial and ongoing Lexile and standards aligned assessment, full book/novel reading experience, accommodations for struggling readers and data and reporting on reading performance and engagement. The platform comprises a patented educational e-reader and an adaptive e-book library.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subtractor, i.e. Microsoft Azure Cloud.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Here is a summary of controls in place:

• Information Security Governance
  • A comprehensive set of Information Security Policies
  • A governance structure with defined roles and responsibilities
  • Periodic security assessments (internal/ external)
• Operational Security
  • Role-based access controls following the least privileged principal
  • Strict password controls with multi-factor authentication
  • Incident management for responding to and containing incidents
  • Backups and disaster recovery plans for resilience
  • Physical security for accessing corporate assets/ facilities
  • Comprehensive vulnerability management program with automated assessments
  • Secure system development approach with OWASP compliance
  • Centralized logging and monitoring with automated alerts
  • Network segmentation with firewall protection
• Data Security
  • Data classification scheme
  • Data encryption at rest with AES256bit or higher keys and in transit using TLS 1.2or higher
  • Data retention schedules
• People Security
  • Background checks and code of conduct acceptance before employment
  • Continuous security awareness training
  • Employment termination/ change of responsibilities processes

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Lilo Consulting (also called Sync Grades)

Type of Entity: Commercial Enterprise

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Sync Grades is a software service, providing schools with a dynamic platform to track student attendance and other related and approved data over different periods in time.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• The Sync Grades platform is hosted by Amazon Web Services (AWS). AWS facilities are guarded by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Electronic intrusion detection systems are installed within the data layer to monitor, detect, and automatically alert appropriate personnel of security incidents. Ingress and egress points to server rooms are secured with devices that require each individual to provide multi-factor authentication before granting entry or exit.
• Access to Sync Grades servers and hosting services is controlled by a two-factor authentication, and only accessible using a secure VPN.
• Sync Grades requires passwords to have a minimum 8 characters, must contain alpha, numeric and punctuation. Active monitoring will deny access after multiple failed attempts (firewall and account suspension).
• Sync Grades operational access requires 2-factor authentication (ssh-keypair and generated PIN from restricted VPN and IP points).
• Sync Grades utilizes a centralized secure management system of all users and access levels.
• Each system monitors all data transports, which are encrypted either via SSL/TLS or SSH within a VPN based environment. The primary service request are signed with an HMAC-SHA1 signature, which measures, monitors, and calculates from the request and the user’s privacy key.
• The system will log all inboard and outboard requests, which are executed at the network, application, and persistence layers. This encompasses, but is not limited to os syslog, application logs, HIDS, and database calls both within and outside the Sync Grades VPN.
• The Sync Grades configuration build and system provisioning is executed through version control and a centralized build configuration management tool. The system requires authentication and records the audit log of all infrastructure changes including but not limited to:
  • VM provisioning
  • package versions, identification and installation
  • input and configuration settings
  • application version deployment
  • network segment deployment

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Limosys

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2023 – 6/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Payment Accounts for Rideshare Services where we will provide ground transportation services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Will follow NYCDOE instructions. We can do both [securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII].” In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. AWS; and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All personally identifiable information (PII) collected will reside in an Amazon secured data structure, encrypted and/or tokenized. PII is separated into components that can only be put back together by our system interface. Logging into the system interface requires a unique user and password. Users are set with a need-to-know access level that matches their operational role.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Lingualinx Language Solutions

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. To perform written translations of transcripts and Individualized Education Plans (IEPs). Some of the documents translated as part of this service may contain student PII.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure Private Cloud – Fully Encrypted.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The safety and security of PII attained by:

• Regularly conduct risk assessments to identify potential vulnerabilities and threats to PII. This helps in proactively addressing security risks.
• Only allowing the transfer of PII to occur over an encrypted connection.
• The storage of PII is fully encrypted and located in a Soc 2 Type II datacenter.
• Conducting monthly internal\external vulnerability scans.
• Conducting Bi-Annual penetration tests, performed by a neutral 3rd party.
• Ensuring all employees undergo bi-annual PII\InfoSec training and ensure that staff members are aware of their roles and responsibilities in safeguarding PII.
• Secure physical devices (e.g., laptops, servers, mobile devices) that handle PII. This includes measures such as device encryption, password protection, and tracking and remote wiping capabilities for lost or stolen devices.
• Regularly back up PII and ensure that a robust data recovery plan is in place to minimize data loss in case of a security incident.
• Strong access controls to ensure that only authorized personnel have access to PII. This includes user authentication, role-based access controls, and encryption. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Listen Innovation (also called Listenwise)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Listenwise is a listening skills, literacy, and language development platform for students in grades 2-12. The Listenwise podcast library includes close to 3,000 podcast lessons, which curate real-world audio from sources such as public radio and academic podcasts, and pair them with teacher supports and resources like transcripts, teachers guides, listening comprehension and discussion questions, multiple choice quizzes, and native language supports. Through these resources and teaching supports, teachers can create in-class or asynchronous activities and assignments for their students to work on their listening skills and English language development. PII is necessary to create teacher and student accounts, assign work to students, and track students’ progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Listenwise handles the security of all collected PII with the utmost seriousness and care. Listenwise has a formal protocol in place where all data privacy requirements for new partner districts and schools is reviewed by the leadership team (VP of Product, VP of US Sales, or Director of Account Management) to ensure compliance with all district requirements. All data collected is encrypted to ensure integrity and safety. Upon the ending of a partnership with a district or school, all data is subsequently destroyed in a timely manner.

All Listenwise employees, as well as any third-party contractors with access to PII, are required to complete regular data privacy and security training.

Access to administrative areas within the Listenwise application requires a secure connection through a VPN (requiring 2-factor authentication). 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Literably

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 8/1/2022 – 7//31/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Literably is an online elementary reading assessment. We receive PII in order to provide and improve our services to schools.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All PII is stored on a password protected encrypted database located on a remote server. Literably conducts routine security audits and employs the use of monitoring software to track security risks within the dependencies that are used to build the product. Further, our employees and contractors are required to protect personal information in a manner consistent with our Privacy Policy.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Literacy Resources (for myHeggerty)

Literacy Trust

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Literacy Trust provides intervention services to many schools across NYC, either through directly contracting with schools or through the generous donations of various funders. Schools who partner with us select some of their staff to work as reading tutors. These staff receive training, materials, and coaching from a Literacy Trust Program Manager so that they can easily provide high-quality instruction to individual students or small groups of students who need extra help with reading.

Tutors enter attendance information in our online platform. They also enter information about the lessons they teach, as well as entering their students’ assessment results every 2-3 weeks. PII is necessary to help tutors make decisions about how best to meet students’ needs.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon AWS EC2 and S3.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Safeguards include information sensitivity/classification, privacy obligations, system configuration standards, data retention, encryption, access control, software development guidelines, security monitoring and testing, awareness and training, employee screening, incident response and business continuity. Policies are shared with new employees as part of onboarding, reviewed as part of ongoing risk assessment and updated according to business/technology changes when appropriate. Logical access control is governed by the principle of least privilege. Specific users are granted the minimum access needed to perform their job functions.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Littera Education

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. Littera’s Academic Support Platform is designed to enable schools and districts to design, deliver, and monitor tutoring programs that are customized to address the needs of their students. Information we receive includes student name, email address and/or unique identifier. This information is used for assigning students to tutoring sessions inside the platform.

Within the platform, an identified staff member can easily assign students to tutoring sessions and monitor their progress by viewing student attendance and tutor feedback. Sessions can either be centrally assigned or classroom teachers can be given the ability to assign their students to tutoring sessions once they identify a need. Once students are receiving tutoring, the platform provides program managers, teachers, administrators, and other stakeholders with access to real-time tutoring delivery data, including attendance, number of sessions completed, student feedback, and tutors’ notes on student progress.

The Littera platform also provides districts with exclusive access to a new literacy tutoring curriculum created specifically for high dosage tutoring models by Columbia Teachers College Reading and Writing Project (TCRWP). This K-6 literacy tutoring curriculum is designed to be delivered through the Littera tutoring management platform, in order to ensure that students receive instruction according to the research-based principles of high dosage tutoring.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Littera Education places the utmost importance on privacy, safety, and security. All transmission of files or data to organization roster systems is done securely via HTTPS, using industry standards. When files are uploaded, they are stored in encrypted, non-publicly accessible databases. Littera uses Amazon Web Services (AWS) as its cloud hosting provider. The database along with all the cloud infrastructure is hosted inside a private virtual cloud (AWS VPC). Only a limited number of personnel have access to this VPC.

Development and staging environments each have their own environment, so they are completely isolated from the production infrastructure. Littera does not copy data from production to staging or development for the purpose of testing. The development environment suits all of developers' needs, so they do not have access to production infrastructure and data.

Our cloud hosting provider, AWS, is responsible for all physical data safeguards. AWS is a reliable and scalable platform that hosts many of the world’s largest companies. From an administrative standpoint, when new employee accounts are created, they are based on the principle of least privilege. Modifications to access must be approved by an authorized employee. All employees are required to undergo information security training and adhere to Littera’s information security policies. Littera has a detailed security policy which can be shared upon request.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

LiveSchool

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. LiveSchool uses the data for the sole purpose of using the LiveSchool platform to improve student behavior and contribute to student success.

LiveSchool uses the data to set up sites for the partner schools. These sites organize students by grade and class rosters so administrators and teachers can easily find students and issue points and make comments. All the student feedback is created by administrators and teachers. LiveSchool provides the platform to capture the information and report on key trends for students, classes, grades and across the school.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data in the LiveSchool service is stored using industry best practices and technologies, including:

• A Virtual Private Cloud compartmentalizing all machine-to-machine communication services within the cloud.
• AWS RDS database servers are firewalled from all external machines on the internet.
• Operational intelligence monitoring scripts for proactive monitoring of system service levels.
• Verbose logging of application and database access activity.
• LiveSchool databases are configured to store information encrypted at rest.

All data exchanged between the LiveSchool platform and web/app clients of users is sent via 256-bit Advanced Encryption Standard (AES) Secure Sockets Layer (SSL) technology.

LiveSChool uses security groups to limit inbound and outbound network traffic to or from each Amazon EC2 and RDS instance. Traffic which is not explicitly allowed to or from an instance is automatically denied.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Local Civics

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Local Civics is partnering with schools to help support and assess students’ civic, college, and career learning. This product enables students to access personalized learning experiences based on their school, grade level, and interests. Students and educators have access to an engaging web platform to help aid in their learning goals. Educators and schools can track student learning in real-time and identify interventions for improved learning. PII (names, emails, and school name) is used to help students and educators create individualized user accounts that are personalized to their specific educational needs. Educators can then track, assess, and intervene on an individual student basis and students have access to a repository of their learning experiences.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Local Civics has implemented a variety of physical, administrative, and technological safeguards designed to preserve the integrity and security of the personal information we collect and to protect against unauthorized access to data. Consistent with industry standards, Local Civics employs the following safeguards:

• Infrastructure Security
  • Encryption at Rest and In Transit
  • Access to the Local Civics web application occurs via encrypted connections. Local Civics encrypts Data transmitted between users and the Local Civics application over public networks using TLS 1.2 or higher and data stored on Local Civics’ servers is encrypted.
  • Where a user’s account contains a password for authentication, Local Civics stores the password salted and hashed using an industry-standard password hashing function. Local Civics supports Single Sign On (SSO) integration with a customer identity provider using Security Assertion Markup Language (SAML).
• Network Security
  • Local Civics uses Amazon Web Services (AWS) to host the infrastructure and network access is highly restricted.
  • We limit data access to Local Civics employees and contractors who need access to do their jobs such as engineers, data engineers, product managers, and customer support personnel.
  • All access to our infrastructure is logged.
  • All access to our infrastructure requires the use of strong passwords and multi-factor authentication.
  • AWS uses strict ongoing security assessments from external audit firms to ensure compliance with security standards including ISO 27001, SOC 2, PCI DSS Level 1, and FISMA.
• Physical & Other Security Measures
  • Local Civics requires key card access to prevent unauthorized persons from gaining access to hardware. and data systems.
  • Technical and organizational measures to monitor whether student data have been entered changed or removed from data processing systems, include: Logging and reporting systems; and Audit trails and documentation.
  • Local Civics conducts regular security audits to assess the effectiveness of our safeguards and identify areas for improvement.
  • All officers and employees who have access to protected data receive training on federal and state laws governing the confidentiality of data prior to accessing any protected data.
  • Our Local Civics team is committed to creating and maintaining systems to protect personal information and data.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Logikcull

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 1/1/2023 – 12/31/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Tools like Adobe and Outlook weren’t designed for public records requests. Logikcull lets you eliminate slow, painstaking manual review, so you can work ten times faster with one tenth the resources. Just drag & drop, and let Logikcull automatically organize, OCR, and deduplicate your files. From there, you can quickly review, redact, and produce documents Logikcull surfaces as responsive.

Type of PII that the Entity will receive/access: Other: Logikcull may store DOE records containing student PII, APPR PII, and other personally identifiable information pursuant to the terms of the services.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Subcontractors are used for cloud storage.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Logikcull values customer trust, and has established a culture and control environment dedicated to doing the right thing and protecting the integrity of its customers data. To this end, Logikcull complies with SOC 2 and HIPAA, and is hosted in AWS SOC 2, HIPAA and FedRAMP moderate compliant data centers. Logikcull and its hosting providers together employ administrative, technical and physical safeguards designed to protect customer data including but not limited to:

• Permissions-based user roles to control access to data
• Encryption at rest (AES-256)
• Encryption in transit (TLS 1.2)
• Virus scanning and malware detection applied to every uploaded file
• Multiple availability zones and daily backups to ensure continuous availability
• Vulnerability scanning, pen testing and a continuous bug bounty program
• Annual risk assessments
• Secure change management guided by a secure SDLC and enforced review and testing processes

To learn more about Logikcull's privacy practices please see https://www.logikcull.com/privacy-policy.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Lumos Learning

Type of Entity: Limited Liability Partnership

Contract / Agreement Term: 2/22/2024 – 6/30/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Lumos Learning offers educational materials that combine online and print media to complement classroom learning. Lumos Learning's programs are designed to support realistic state assessment practice with technology-enhanced questions and workbooks and needs PII for Users within the organization to identify each other.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Administrative Safeguards - Only Executive level employees will have direct access to data.
• Transport Security. Use Transport Layer Security (TLS) for our transmission of all user data to and from our Products.
• Secure Storage. We use industry-standard file encryption for user data wherever applicable and feasible. Where file encryption is not reasonably feasible, we employ other industry standard safeguards, protections, and countermeasures to protect such data, including authentication and access controls within media, applications, operating systems and equipment.  
• To Prevent unauthorized access, maintain data accuracy, and ensure the correct use of Information, Company has put in place commercially reasonable physical, electronic and managerial procedures to safeguard and secure the information Company collects. Company also uses Secure Socket Layer (SSL) protocol on registration and login pages to protect personal information.   

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

MaiaLearning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Student information is added so that school educators and counselors may access and guide them through the college and career planning platform. Students use the SSO to login to the platform and plan for their potential careers, develop their academic plans, research, and build college lists that they plan to apply to. Students ask for recommendation letters from teachers. Teachers write and submit recommendation letters in the platform for students. Counselors will prepare additional documents in support of applications [and] upload their transcripts and send them electronically to colleges where students have applied. Students eventually record their admission decisions which is stored as outcomes data for analysis in the future to guide other students. Parents have access to the platform and can view their child’s progress in read-only mode. Student information is not visible or accessible from any person or entity outside of the school and the parents. Students may opt-in to provide their contact information to colleges where they are interested to apply.

Type of PII that the Entity will receive/access: Student PII and Other: Educators First Name, Last Name, Email.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written director, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. AWS.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

Safeguards

• In all aspects, MaiaLearning maintains a least-privilege model of access to data. This applies to administrative, operational and technical safeguards alike. Permission to access systems, whether it is Custom Support, CRM, Systems Administration tools, User Provisioning, or the product internal permissions are controlled and provisioned according to our Application Use Policy and approved by the MaiaLearning CTO or delegated administrator.

Administrative Safeguards

• Access permissions to all systems are approved prior to granting.
• Employee and Contractor Onboarding and Offboarding Policy ensure that granted permissions are documented and ensures that all rights are revoked on offboarding.
• All policies are reviewed annually to ensure they meet the security needs they are designed to protect and to ensure they are in compliance with applicable law and contractual obligations.
• Risk assessments are performed annually on all processes, and as required for new processes and systems.

Operational Safeguards

• MaiaLearning Security staff conduct periodic role appropriate training to all staff. Additionally, staff are required to take annual refresher security training appropriate to their role.
• The Data Transfer Policy governs how protected information is handled by MaiaLearning staff to ensure that due care is taken when transfer data from a customer representative to the system, when usage of automated systems cannot yet be utilized by the customer.
• MaiaLearning System Maintenance Policy governs all production and managed system to require they are upgraded in a timely and appropriate manner. Where an automated update system is available it should be used, unless an exception is documented, i.e. an untimely system outage would result. Automated updates are set on schedules appropriate to our users.
• MaiaLearning Disaster Recovery Procedure covers how we manage a complete failure of our primary systems provider. All configuration that can be, is maintained as infrastructure as code and committed to source code control. Source code control is not with our primary systems infrastructure provider.
• MaiaLearning Backup and Recovery Procedure requires all data to be backed up outside the region of service. For instance, data primarily served from the wester United States is backed up in the eastern United States, in accordance with contractual obligations and data location restrictions.

Technical Safeguards

• Under least access permissions all access to systems requires prior approval. Access to system command line is restricted to individual login and requires VPN access with MFA. Command line access is granted only to operations staff that have a need to access.
• Administrative access to systems is generally managed through web interfaces. These are also least privilege and access controlled to individual users and require MFA. Access to administrative applications is granted by approval of the CTO or delegated administrator.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Make The Road New York

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2024, extended to 6/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We provide wrap around services to students and families by collaborating with school administrators, school teachers and counseling departments. These services include but are not limited to home visits to re-engage students into school, provide counseling for families or individual students, connect students and families to different service providers that can include services we provide as an organization or other outside referrals. PII is used to track attendance, to contact students and their parents for success-mentoring program, and other attendance intervention that we collaborate on with the schools.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “We don’t store any PII accessed during the execution of this agreement.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We don’t store PII for this agreement. MRNY has implemented a comprehensive set of administrative, technical and physical safeguards to protect sensitive information including Personal Identifiable Information (PII). In terms of Administrative safeguards, all employees are trained in cybersecurity and awareness. During these trainings, we review the policies and procedures, which align to data privacy laws, to ensure staff does not forget the importance of keeping data safe and secure. From a technical perspective, all laptops assigned to staff are encrypted. Which keeps the data safe if the equipment was to be lost or stolen. we include is a robust antivirus and firewall and we have an Endpoint Detect and Response (EDR). No user has administrative access to MTR owned laptops. On the physical set of safeguards, all Make the Road employees are not allowed to use personal equipment for organizational purposes. This is outlined inside our IT Employee Manual, as well as it is referred to during IT Orientation of new hires and our yearly Cyber security Training.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Other: We don’t store PII for this agreement."

MakeMusic

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We collect information to: (a) provide our Sites and Services; (b) provide information about our products and Services, such as updates and new features; (c) provide information about data security and privacy; (d) learn more about our customer’s preferences; (e) enhance, personalize and support your experience on our Sites Student PI collected may include: First Name, Last Name, Student ID, Email Address, and audio/visual recordings of in-app student performances. We do not market or advertise to students nor use their PII for such purposes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• All traffic between users and the application occurs over HTTPS with TLS 1.2
• Connections between application and database are encrypted using TLS
• Application servers, database servers exist in a private virtual network
• Network Security groups are used to restrict access to application/database servers
• IAM policies are used to limit employee access to cloud computing resources
• OS Security patches are installed in a timely manner
• AWS GuardDuty is used to detect anomalous cloud account activity
• Data is encrypted in transit and at rest at a minimum of 128-bit AES
• Adopted practices and procedures which meet applicable CIS Control and NIST framework principles
• Annual training for employees and contracted personnel

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology."

ManageBac

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ManageBac is a learning management system designed specifically for the International Baccalaureate Programme. Faculty and students are able to add/edit PII within the platform for the purposes of creating and managing curriculum and academic performance.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. “School admins are able to view, manage, and edit PII in real time. Entity does not manage accuracy of or updating to school’s PII.”

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The Entity’s Privacy Policy can be found here and its data security and regulatory compliance can be found here. The Entity maintains an information security management system compliant with ISO/IEC 27001:2022 as certified by BSI under certificate number IS 664562.

In terms of administrative safeguard, the Entity conducts cybersecurity-related awareness trainings for all employees who have access to PII during their onboarding and also makes available security awareness training program for cloud-related access and data management issues for all persons with access to customer data. The Entity’s has an Information Security Policy in place which sets out the conduct expected of employees with regard to use of such information. This policy is mandatory and applies to the Information Security Management System supporting ISO/IEC 27001:2022. It also applies to all interested stakeholders including employees, contractors, third parties and suppliers communicating on behalf of the Entity.

The technical safeguards are laid out in the Entity’s Security Policy, which includes the following key points:

• Access to data is carefully controlled and limited through measures such as:
  • pseudonymization and encryption
  • ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • ensuring ability to restore availability and access to PII in a timely manner in the event of a physical or technical incident
  • for user identification and authorisation
  • protection of data during transmission and storage
  • ensuring physical security of locations at which personal data are processed
  • ensuring events logging
  • ensuring system configuration, including default configuration
• Physical access to laptops and servers is monitored and controlled
• Passwords are held to a high standard of security
• All devices that access our systems are scanned for malware and centrally-managed
• All users undergo a required security training on an annual basis
• Our Security Incident Response Team is kept on 24/7 standby and meets weekly to review our security posture
• We remain vigilant for new security threats and monitor major reported breaches and vulnerabilities to understand their potential impact on our operations

The Entity’s Asset Management Policy encapsulates its physical safeguards. The Asset Management Policy defines the objectives for managing technology-based assets, including networks, systems and applications in use by the Entity, and applies to all of its digital assets. This policy applies to all employees of the Entity and provides specific instructions and requirements for the management of the Entity’s information systems, including hardware, software and external services. Asset management requirements for enterprise-wide systems and applications acquired or developed by, or on behalf of the Entity by a third-party for production implementation, are also defined in the policy.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

MarcoPolo Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. MarcoPolo Learning develops award-winning products designed for ages 3-7 that help children ignite their curiosity, explore the world around them, and practice foundational skills in literacy, mathematics, and social emotional development for success in kindergarten and beyond. For schools, the MarcoPolo for Educators platform—a web application and companion mobile app (MarcoPolo for Families)—gives teachers access to a large library of high-quality, curriculum-aligned, videos on a wide variety of topics like Animals, Alphabet, Feelings, Human Body, Inventions, Numbers, Ocean, Seasons, and much more. In addition, the mobile app has thousands of mini games that help young learners practice foundational skills in reading, writing, and mathematics.

PII is used:

• to create accounts and track the content that teachers and students are viewing,
• to associate students to teachers,
• to enable teachers to send video playlists to students for home engagement, and
• to track which skills students are practicing via mini-game play.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Our team has the following measure sin place with regards to PII:

• MarcoPolo maintains a written IT Security Policy that lists MarcoPolo’s safeguards and security practices related to employee responsibilities, company VPN use, secure encrypted transfer policy, password policy, and remote work policy;
• MarcoPolo maintains a Security Incident response plan;
• Every MarcoPolo employees who receives access to PII must complete through background checks, complete our data privacy training annually and read and agree to our IT Security policy;
• Employees must utilize MarcoPolo’s VPN in order to access PII;
• MarcoPolo limits access to PII on a need to know basis;
• MarcoPolo secures all offices with multiple checks and consistent monitoring to limit unauthorized access;
• All devices are secured with malware protection and firewall;
• The MarcoPolo Learning utilizes Amazon Web Services (AWS) and its robust suite of services that offer storage, encryption, monitoring, alerts, and recovery solutions. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Massachusetts Institute of Technology (for work on MySchools)

Type of Entity: Research Institution or Evaluator

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We will be helping the Office of Student Enrollment to develop a new feature within MySchools, the school application platform, that will give families additional information about their chances of getting into programs on their application.

Personally identifiable information (PII) is crucial for constructing and refining the predictive model that will estimate the likelihood of admission for prospective students. PII is needed to compute factors such as students’ admission priority and eligibility at each high school program, their potential rankings at screened programs, and their admission probability which will be used to create and test the forecast model being developed as part of this agreement.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “No data will be stored or hosted by this Entity.”

Challenges to Data Accuracy. “No data will be stored or hosted by this Entity.”

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. To mitigate any data privacy and security risks, access to private data will be strictly limited to the two researchers actively engaged in the project. Both researchers will sign confidentiality agreements and are trained in handling sensitive information, having completed both the on-boarding MIT Blueprint Lab and yearly Census Bureau trainings on managing confidential and protected data.

To maintain the integrity of data privacy, no data will be transferred outside of the NYC DOE's internal system. All coding activities will take place within the NYC DOE's secure internal environment. Furthermore, any work that requires access to personally identifiable data will be conducted on-site at the NYC DOE's facilities using DOE devices, thus ensuring operational security.  

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Mastery Coding

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. All potential PI is provided within our platform merely to access [the] platform. The PI is limited to the discretion and imagination of the instructor whereby no PI that Mastery Coding receives or retains has unique value outside the Enterprise and is not in any way verified to be accurate or identifiable and is merely used as a login identifier for a course. Additionally, from students we only collect first name, last name, and classroom ID number. The concatenated integrity of this information is up to the teacher’s discretion. This information is primarily required to create student accounts that in the platform provide teachers the visibility to monitor individual student progress and is not used outside the platform.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

“We utilize an internal and proprietary Learning Management System/Platform (LMS). The platform provides protections for students and teachers at levels set forth by local, state, federal, and school district laws/policy. We have no subcontractors that will receive student data. All student data is controlled and managed by Mastery Coding exclusively. No one outside Mastery Coding has access to student data."

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Mastery Coding has adopted a set of policies and safeguards that cover all aspects (administrative/technical/physical) of student and teacher PI. All student data is securely stored in an encrypted database. The data is only transferred securely on request using https requiring an authentication token that our platform creates.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Mastery Transcript Consortium

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Mastery Transcript Consortium offers access to a software platform providing digital competency-based learning records for use by educators and students in participating schools. Students upload artifacts of their learning and limited PII. The required PII to be entered by MTC member school educators and learners on MTC’s platforms includes: student first and last name, student email address, and progress on non-graded/course objectives (or mastery credits). Optionally, the school might also include student address and phone number and caregiver name/email. In addition, schools have the option of storing a PDF of the school’s student transcript.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud Storage/Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Our app is designed with security at its core, incorporating several robust measures to safeguard against various threats. Security features:

CI/CD Isolated Environment (Environment Variables) - We employ a CI/CD (Continuous Integration/Continuous Deployment) pipeline that ensures the security of our application throughout its development and deployment process. Our CI/CD environment is isolated and tightly controlled to prevent unauthorized access. Environment variables, containing sensitive information such as API keys and credentials, are securely managed and stored using encryption mechanisms, ensuring they are only accessible to authorized personnel.

Kubernetes Cluster Deployment Opportunities - Our application leverages Kubernetes for container orchestration, enhancing both scalability and security. Kubernetes enables us to implement features like resource isolation, network policies, and role-based access control (RBAC), thus mitigating potential security threats associated with containerized applications. Additionally, our Kubernetes clusters are regularly updated with security patches to protect against known vulnerabilities.

Vulnerability protection - We proactively address the vulnerabilities which are common threats in web applications. Our security measures include:

• Injection Prevention - We employ input validation and parameterized queries to prevent SQL and NoSQL injection attacks.
• Authentication and Authorization - Strong authentication mechanisms are in place, with role-based access control to ensure only authorized users can access sensitive data or perform certain actions.
• Cross-Site Scripting (XSS) Protection - We sanitize user inputs and use security headers to mitigate XSS attacks.
• Cross-Site Request Forgery (CSRF) Protection. - We implement anti-CSRF tokens to prevent unauthorized actions initiated by malicious sites.
• Security Headers - HTTP security headers like Content Security Policy (CSP) and HTTP Strict Transport Security (HSTS) are utilized to bolster application security.
• Session Management - Our session management is designed to prevent session fixation, session hijacking, and other session-related vulnerabilities.
• Sensitive Data Protection - Sensitive data is encrypted both in transit and at rest, and we follow industry best practices for data protection.
• Error Handling and Logging - We carefully handle errors and log them securely to prevent information leakage.
• File Upload Security - We enforce strict controls on file uploads to prevent malicious file execution or storage.

Database security - Google Protected DB Environment: Our database environment is hosted on Google Cloud Platform (GCP), which provides robust security features. It includes:

• Data Encryption: Data at rest is encrypted using GCP's encryption mechanisms.
• Firewalls and Access Control: Network firewalls and IAM (Identity and Access Management) policies are implemented to control and restrict access to the database.
• Regular Auditing and Monitoring: Continuous monitoring and auditing of database activities are conducted to identify and respond to any security threats promptly.
• Backup and Disaster Recovery: Data is regularly backed up and can be restored in case of data loss or security incidents.

Our app is designed with a multi-layered security approach, encompassing CI/CD security, Kubernetes deployment and a protected database environment on Google Cloud Platform. These security measures work in concert to provide a robust defense against potential threats and vulnerabilities, ensuring the confidentiality, integrity, and availability of our application and its data.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

MaxScholar

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. MaxScholar is an educational technology company that provides a suite of online tools and resources to support student learning. MaxScholar offers a range of products and services, including online reading and writing programs, teacher training, and student workbooks and teacher manuals.

MaxScholar provides its products and services to support the education of students in New York City public schools. As part of this work, MaxScholar may receive personally identifiable information (PII) from the NYC DOE. This PII may include information such as student names, grades, and other academic records.

The purpose of receiving or accessing this PII is to support the delivery of educational services to students and to help improve student outcomes. MaxScholar uses this information to personalize learning experiences for students, to track student progress, and to provide feedback to educators and parents.

MaxScholar takes the privacy and security of student data very seriously and is committed to protecting the confidentiality of all PII it receives. The company complies with all applicable laws and regulations governing the use of student data, including the Family Educational Rights and Privacy Act (FERPA) and the Children's Online Privacy Protection Act (COPPA).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS RDS, EC2

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Maxscholar has implemented a comprehensive range of administrative, technical, and physical safeguards to protect personally  identifiable information (PII) associated with students, teachers, and educational institutions. These measures have been in place and rigorously tested in a production environment for over ten years, demonstrating Maxscholar's commitment to maintaining the privacy and security of sensitive data. Importantly, Maxscholar has not experienced a single data breach during this time, further attesting to the effectiveness of these safeguards. To ensure the security of private data, Maxscholar utilizes encrypted Amazon RDS Cloud Databases for secure storage. All personally identifiable information is encrypted both at rest and during transit, bolstering the protection of sensitive data from unauthorized access. Access to Maxscholar's servers and databases is tightly controlled through multiple layers of security measures. These include restrictions based on IP addresses, PORT, and secret files, ensuring that only authorized individuals can access the system. Maxscholar also conducts periodic security checks to evaluate the efficacy of these safeguards and address any potential vulnerabilities. Notably, these security checks encompass unit testing in both the Django and Angular code, further enhancing the robustness of the system. Maxscholar places a high priority on compliance with state, federal, and local data security and privacy contract requirements throughout the duration of the agreement. These compliance efforts align with the data security and privacy policy of the NYC Department of Education (DOE). In the event of identifying any malicious activity or information breach, Maxscholar promptly notifies the NYC DOE, ensuring swift action can be taken to address and mitigate any potential risks. Data provided by the NYC DOE is retained by Maxscholar only for the necessary duration of its use. If requested, the data can be safely deleted, or if there has been no activity from the educational institutions for one year, it is automatically purged from the system. This approach ensures that data is handled responsibly and disposed of appropriately when it is no longer required.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

McGraw Hill LLC

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 4/1/2022 – 3/31/2029

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. McGraw Hill offers multiple digital platforms that will collect Personally Identifiable Information (PII):

• ConnectED: A digital platform for delivering our PreK-12 content to teachers and students
• Connect: A digital platform for delivering content and learning tools for the higher education market.
• Open Learning: Provides K-12 and higher education instructors the opportunity to customize their McGraw-Hill courses by integrating their own content, open educational resources (OER), and other sources within a McGraw-Hill digital environment.

McGraw Hill will use personally identifiable information (“PII”) to provide the requested service or to process transactions such as information requests or purchases in order to meet our contractual obligations to the DOE institution that has subscribed to our products and services. We will also process DOE PII to meet our legitimate interests, for example to personalize your experience and to deliver relevant content to DOE; to maintain and improve our services to the DOE; to generate and analyze statistics about DOE use of the services; and to detect, prevent, or (if permitted by law) to respond to fraud, intellectual property infringement, violations of law, violations of our rights or our terms of use for McGraw Hill online products and services, or other misuse of the services. Except as described in this notice, we limit the use, collection, and disclosure of DOE PII to deliver the service or information requested by the DOE. We do not collect, use, or disclose PII that is not reasonably related to the purposes described within this notice without prior notification. Your information may be combined in an aggregate and de-identified manner in order to maintain and/or improve our services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. McGraw Hill utilizes the most up-to-date security systems and 24/7 monitoring. McGraw-Hill also has very strict internal processes to safeguard customers’ data, and all applications are built in compliance with federal regulations including FERPA. System penetration testing, vulnerability management and intrusion prevention is managed in conjunction with our third-party infrastructure provider. The application logs security-relevant events, including information around the user, the date/time of the event, type of event, success or failure of the event, and the seriousness of the event violation. User authentication communication and storage is protected by 256-bit advanced encryption standard security.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

MEandMine Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. MEandMine provides innovative digital tools to support classroom well-being and empower district leaders to make data-informed decisions for early interventions. With daily well-being check-ins, MEandMine's algorithm launches individualized games based on students' daily regulation spectrums, emotion vitals, energy levels, and social interactions. These games assist students in centering themselves and preparing for learning. By incorporating students' preferences for games, the solution plays a crucial role in fostering the development of self-regulating skills. Simultaneously, teachers gain insights into students' well-being patterns and how they may affect behavior outcomes in real time through the teacher dashboard.

PII is necessary to provide our service as it enables educators to effectively monitor and stay alert to the mental health situations of students within their classroom or district. This allows for timely intervention and support, fostering a conducive learning environment conducive to students' well-being.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Platform Cloud.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. In addition to the protections afforded by our cloud hosting providers, practices employed at MEandMine to protect personal data include, but are not limited to:

• Secure Data Storage: Hosted in access-controlled GCP data centers, data benefits from GCP facilitated data encryption mechanism.
• Monitoring and Response: Routine monitoring, supported by a dedicated incident response plan, ensures swift detection and response to potential breaches.
• Compliance Assurance: Adhering to FERPA, COPPA, and regional privacy agreements.
• Access Control & Data Transfer: Limited employee access, combined with secure SSH protocols, ensures data security during transmission.
• Firewall & Antivirus: Regularly updated firewalls and antivirus software fortify systems against evolving threats.
• Security Audits & Programming Practices: Regular audits and adherence to secure programming practices mitigate potential vulnerabilities.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Medgar Evers College of the City University of New York (for Learning to Work)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2023 – 6/30/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Medgar Evers College (MEC) offers a full day, year-round academic program that integrates intensive support services and youth development practices with personalized instruction. The MEC program operates in partnership with the New York City Department of Education (NYC DOE) and is based on the “Primary Person Model” where each student is supported by a MEC Advocate Counselor who guides them through all aspects of the program. MEC provides a range of youth development supports including: case management; counseling and crisis intervention services; resource referrals; attendance outreach; workshops; academic tutoring and test preparation; college preparation, employment readiness, and career exploration activities; job development and placement; and youth development opportunities. MEC also provides students the opportunity to participate in the Learning to Work internship program. We help students secure internships based on their career  interest and provide weekly workforce development training such as resume writing, interview skills, and how to dress for work. We do internship site visits as well to see how students are doing. Medgar Evers College staff is required by contact to effectively monitor student data jointly with our DOE partner by reviewing attendance, academic progress and personal information of all students enrolled in the Thomas Jefferson Young Adult Borough Center (YABC) program. In order to adhere to the requirement, our DOE Partner had login accounts created for each CBO staff member to access student information on the Salesforce program to ensure we have the necessary information to monitor our student’s progress. Salesforce collects all student data inputted by school administration and CBO staff in order to generate qualitative data that is vital in understanding what’s working for our students and what needs to be improved.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All MEC Staff are required to participate in the mandatory training on how to use the Salesforce software. Salesforce utilizes some of the most advanced technology for internet security available today. When accessing their website, Salesforce uses a secure socket layer (SSL) technology that protects all information using both server authentication and data encryption. When an individual logs in to Salesforce a small lock is displayed at the bottom of the browser display indicating a secure connection has been established. The MEC Program Director, Assistant Director and MEC employees monitor the access to the program’s offices located within a DOE building. All student information is stored in secured file cabinets within that office. Each night, prior to exiting the office, the MEC Program Director and/or Assistant Director will ensure that all file cabinets are locked. All MEC computers and telephones used under this agreement are housed in our assigned DOE office under lock and key. MED employees will be able to access and store DOE data on their assigned password protected computers. All MEC employees will ensure that their computers are logged off completely when they step away from their desk and when they leave for the work day. All MEC employees have been assigned DOE emails and passwords that adheres to DOE’s two-step verification process in order to receive secured DOE data. All MEC computers have installed a malware endpoint protection software called Cortex XDR. This software provides a higher level of protection against evolving threats and enhanced visibility for our MEC IT support staff to identify and coordinate responses to security incidents quickly and effectively. Additionally all MEC computers are installed with DOE software by the DOE Technical support team at Thomas Jefferson Campus adding another layer of protection to ensure our computers are protected from any breach or technical issues that may arise. Both Tech sides will keep me informed of any breaches or technical issues in a timely matter. In the event that cabinets are found open and/or files with student information missing or a breach in technology, MEC Program Director will review access to the building with DOE school safety and determine if anyone has been in the office and work with the DOE and MEC Technical support team to determine where the technical breach occurred. (The office is locked every night and only program staff have keys).

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Meg LLC

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Meg Journeys is a digital learning platform for students to learn World Language. PII is used for the students to partake in the learning, engage with classmates to boost engagement and for assessment.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Meg LLC takes data privacy and security seriously with robust policies in place that include but aren’t limited to:

• Access to PII is limited to authorized personnel only.
• Meg LLC uses as little as possible PII to achieve the delivery of the service.
• All PII is encrypted when in transit or at rest.
• Meg LLC deletes the PII as soon as the service is delivered, typically at the end of each school year. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Merlyn Mind

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 10/1/2021 – 12/31/2026.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Merlyn Mind will provide NYC DOE with access to Merlyn Mind’s “Symphony Classroom” as part of the Early Access Program. Symphony Classroom uses speech processing technology to assist teachers with the orchestration of classroom activities. Teachers provide verbal commands – via the hub’s far field microphones or via the hand-held remote control – to the Symphony Classroom hub, which controls the connected classroom devices (such as the teacher’s laptop and the interactive whiteboard) and the applications and content accessible from those devices.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Merlyn Mind has privacy and security policies and procedures to support the protection of Personal Information in its care. "Personal Information," for the purpose of this plan, means information that identifies or relates to a specific, natural person that is protected information under applicable laws, including Voice Audio. "Voice Audio," for purposes of this Plan, means spoken or audible speech, utterances, phrases, and sounds from or by a natural person within range of the Merlyn Solution.

Merlyn Mind's security policies and procedures include implementation of information security safeguards designed to protect the confidentiality, availability and integrity of Personal Information.

Merlyn Mind leverages the NIST Cybersecurity Framework in its security policies and procedures. Physical, administrative, and technical protections include, but are not limited to:

• Access Controls: Merlyn implements physical, administrative, and technical access controls to protect Personal Information and storage environments. Access to Personal Information is limited to authorized users with a need to access such information. Merlyn implements monitoring of remote access activities and regularly evaluates its security controls for remote access. Access changes are authorized as part of a documented provisioning process, and access levels are regularly reviewed.
• Encryption: Personal Information collected through the Merlyn Solution is encrypted in transit using Transport Layer Security (TLS} and HTTPS, and at rest using Advanced Encryption Standard (AES).
• Storage: Customer Personal Information is stored in a secure, third-party cloud environment. Third party configuration tools are leveraged to support resilient and secure configuration of the production environment. Network scans operate regularly in the production environment as part of our ongoing vulnerability management procedures.
• Third Parties: Merlyn Mind requires its third party providers that will access Personal Information to enter into appropriate security, confidentiality and privacy contract terms prior to accessing the Personal Information, and requires that such third parties only access and use the Personal Information to the extent required to perform the services in accordance with Merlyn Mind's customer agreements and applicable law.
• Incident Response: Merlyn Mind maintains an Incident Response Policy and Procedure that sets forth procedures for investigation, containment, and mitigation of a security incident. In the event of a security breach of customer Personal Information, Merlyn Mind shall notify its customers in accordance with applicable laws and the contractual agreement between the parties.
• System Development Life Cycle: Merlyn Mind has adopted a risk management process for its system development life cycle, which incorporates information security practices and controls throughout the system development life cycle.
  

Privacy:

• Family Educational Rights and Privacy Act: As applicable, we ask Institution customers to designate us as a "school official" as the term is used in FERPA, 34 C.F.R. §99 et. seq. As a "school official," we agree to be bound by the relevant provisions of FERPA, including that we will remain under the "direct control" of our Institutions with respect to the use and handling of any FER PA-protected "education records."
• Use of Personal Information: Merlyn Mind uses personal information to provide the Merlyn Solution and services in support of the legitimate educational interests of our education institution customers as governed by our agreement with that education institution and subject to the requirement that the education institution obtain any necessary consents to use and deploy the Merlyn Solution.

  Merlyn Mind does not send marketing messages to students or use or share student personal information for marketing or advertising purposes.

• Responding to Rights Requests: Institution Users may review, correct, update, or request that we delete their Personal Information or that of their Participants by contacting us at privacy@merlyn.org. Institution Users may also update their information in their account settings.

• Since the Merlyn Solution is used under the direction of Institutions, parents and legal guardians should work directly with their Institution to review, modify, or request deletion of their child's Personal Information submitted to and stored by the Merlyn Solution, if applicable. We will work with Institutions as needed to facilitate addressing those requests.

• Data Retention: We retain Personal Information for as long as is necessary to fulfill the purposes for which we obtained the Personal Information, including to provide the Merlyn Solution and its services, or for such longer period as may be required or permitted by applicable law. We will also retain Personal Information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements and policies.

  Subject to applicable law, it is our policy to delete Personal Information within 90 days of contract termination, or within 30 days of a valid deletion request or notification from an Institution of an Institution User account termination, unless we are required by law to retain such information for a longer period. After Voice Audio is overwritten or a transcript is generated, Merlyn Mind no longer retains that Voice Audio. It is our policy to de-identify transcripts within six (6) months of the transcript being generated.

  We retain de-identified information, including aggregated, de-identified information, for legally permissible purposes, including to develop and improve our educational products and to demonstrate the effectiveness of the Merlyn Solution, including in our marketing materials.

• Training: Merlyn Mind has policies to require that employees with access to Personal Information undergo annual data privacy training that addresses the Family Educational Rights and Privacy Act (FERPA), the Children's Online Privacy Protection Act (COPPA), applicable state student data privacy laws, and applicable Merlyn Mind security and privacy policies.
• Privacy Policy: Merlyn Mind operates its solutions in alignment with its publicly posted Merlyn Solution Privacy Policy.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Metis Associates

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 8/1/2022 – 7/31/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Metis conducts evaluation research for numerous entities, including the NYCDOE, to determine the impact and efficacy of strategies/programs/efforts to improve school and student-level outcomes such as academic achievement, behavior (e.g., attendance, discipline), and socio-emotional development. Most of these evaluations utilize data analyses that require additional information to control for possible confounding factors to “isolate” the treatment effect, including student characteristics such as sex, race/ethnicity, poverty status, and the like.

As the unit of measurement for these efforts is typically at the student level, these evaluations require student-level data to appropriately determine intervention effectiveness, particularly for longitudinal models wherein baseline data is used to comparatively determine growth after treatment. All data are typically requested without any direct student identifiers (i.e., without NYC BOE – Non Disclosure Agreement student names or OSIS ID numbers), but are considered PII due to data elements required to carry out the studies properly (e.g., DBN, poverty status, student with disability flag).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an entity-owned and/or internally-hosted solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Metis Associates’ technologies, safeguards, and practices align with the NIST Cybersecurity Framework. Our administrative, technical and physical structures ensure PII is protected and that we mitigate all data privacy risks. Sensitive data are stored in file servers, databases, and on temporary storage.

For data at rest scenarios, we use a shared mapped drive and a SQL database server:

• A Windows server is used to host the shared drive. Data access is controlled by domain group policy and NTFS permissions.
• A Windows server hosting a Microsoft SQL instance is also used to store sensitive data.
• Data access is controlled by domain group policy.

For data in motion scenarios, we use two file share web applications:

• A Linux Ubuntu server hosting a Secure FTP application is used to share sensitive data with clients. User access is controlled by local accounts and complex passwords. Once the data is collected, it is then moved to our shared drive. All data is subsequently deleted from the SFTP server.
• A Linux Ubuntu server hosting a web file-sharing application is also used to share sensitive data with clients. User access is controlled Domain Group Policy. Once the data is collected, it is then moved to our shared drive. All data are subsequently deleted from the server.

Individually identifiable data are processed expeditiously and stored on a secure server. Once processed, all data are maintained in a Microsoft SQL Server database with differential security access to confidential data elements (e.g., student name, student ID) restricted to authorized personnel. All backup data files - Including media upon which data were transferred from the originating agency - when not in use are maintained in a locked facility. Strict controls are maintained with respect to the location of removable disks and the identification of the data files stored on them. For larger projects requiring a centralized data repository, the repository itself is managed by a small group of data analysis specialists and individual data are only released to internal staff when necessary. Individual-level data are never transmitted electronically, nor permitted to be stored on removable media (e.g., usb thumb drives, magnetic media) - except for the aforementioned backups. At the end of project life, data will either be destroyed or returned when it is no longer needed or at the end of the agreement. Finally, unless consent Is specified by the originating agency, raw unit-record data are never released to clients, nor are any data that would contain information that could possibly link analysis results to individuals.

We have a detailed Data Security Action Plan in place that guides our activities to ensure we implement all state, federal and local data security and privacy contract requirements over the life of our data-sharing agreements. Furthermore, we have an independent cybersecurity firm conduct quarterly external and internal vulnerability scans to ensure our network is secure.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Microsoft Corporation

Type of Entity: Commercial Enterprise

Contract / Agreement Start Date: July 1, 2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Microsoft is providing its application, server and cloud products including but not limited to M365, Windows, and Azure under the Agreement between Microsoft and the New York City Public Schools.

Microsoft uses and processes Customer Data and Personal Data to provide Customer with the Products and Services and for any business operations incidental to providing those Products and Services to Customer. Customer will retain all right, title and interest in and to Customer Data, including Personal Data. Microsoft acquires no rights in Customer Data, including Personal Data other than rights that the Customer grants to Microsoft.

Type of PII that the Entity will receive/access: “Other: Customer is responsible for determining whether the Products and Services are appropriate for storage and processing of information subject to any specific law or regulation and for using the Products and Services in a manner consistent with Customer’s legal and regulatory obligations. Customer understands that Microsoft may possess limited or no contact information for Customer’s students and students’ parents.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity states “This section is not applicable to Microsoft. Customer understands that Microsoft may possess limited or no contact information for Customer’s students and students’ parents. Consequently, Customer will be responsible for obtaining any parental consent for any end user’s use of the Products and Services that may be required by applicable law and to convey notification on behalf of Microsoft to students (or, with respect to a student under 18 years of age and not in attendance at a postsecondary institution, to the student’s parent) of any judicial order or lawfully-issued subpoena requiring the disclosure of Customer Data in Microsoft’s possession as may be required under applicable law.”

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor and using an Entity-owned and/or internally hosted-solution. “Microsoft subprocessors, as defined in the Products and Services Data Protection Addendum (DPA), may process Customer Data and Personal Data as part of Customer’s use of the Microsoft Online Services.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Microsoft has implemented and will maintain for Customer Data in the Core Online Services the security measures outlined in the Microsoft Data Protection Addendum, in particular Appendix A located at https://www.microsoft.com/en-us/Licensing/product-licensing/products.”   

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor states “Customer Data (including any Personal Data therein) in transit over public networks between Customer and Microsoft, or between Microsoft data centers, is encrypted by default. Microsoft also encrypts Customer Data stored at rest in Online Services. In the case of Online Services on which Customer or a third-party acting on Customer’s behalf may build applications (e.g., certain Azure Services), encryption of data stored in such applications may be employed at the discretion of Customer, using either capabilities provided by Microsoft or obtained by Customer from third parties.” 

MindPlay Education

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. MindPlay is an online reading intervention program for K-12 institutions. In order to function properly, provide appropriate user experiences and security, MindPlay uses PII data is for teacher and student login, rostering, and reporting in the MindPlay application platforms. Teachers can, but are not required to use email for login to MindPlay’s Management and Reporting platform. Student names, enrollment, and grade level information is included in MindPlay reports visible to teachers and administrators.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Role-based authentication following the principal of granting least access is used to protect student PII. Authorized persons receive training before access is granted. All application data is encrypted at rest and in transit. PII is additionally encrypted such that access to database administration platforms or network infrastructure does not comprise access to PII.   

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

MobyMax

Moozoom Education

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Utilizing moozoom's live-action bite-size SEL movies, the entity goal is to have the school's climate team work with classroom teachers to implement lessons and activities that help to increase student engagement and address students' social and emotional health. Because of moozoom ease of use and delivery of social and emotional skills, moozoom will support Tier 1, 2, and 3 interventions. Four(4) data assessment streams, including a research-based pre-post survey measuring skills acquisition in real time, will allow the entity to assess school climate improvement at all times

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Vendor selected “Other: Data will be returned or destroyed upon termination of services. The DOE need not request that data be destroyed or returned once services have been completed.” In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All PII is encrypted at both rest and in transit. All access to PII is limited via role based access within the company and security training is mandatory for all employees who have access to any PII. moozoom has several security measures in place to ensure we are applying security best practices from code development to the infrastructure that hosts the PII (e.g. Monitoring Tools, Static Code Analysis, Vulnerability Scanners, etc).

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Mosa Mack Science

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Mosa Mack Science is an interactive science curricular resource for 4th-8th grade featuring mysteries, phenomena, labs, and engineering challenges. It provides educators with online and offline science lessons that can be shared with students and includes assessments and projects. PII is necessary to create accounts and track student progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Digital Ocean.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The security of your personal information is important to us. We work hard to protect our community, and we maintain administrative, technical and physical safeguards designed to protect against unauthorized use, disclosure of or access to personal information. In particular:

• We use industry-trusted solutions and best practices in our infrastructure to maintain a high level of security. Safeguards include, but not limited to, a firewall on our servers to prevent undesired inbound connections. These safeguards meet industry standards and best practices.
• We periodically review our information collection, storage and processing practices, including physical security measures, to guard against unauthorized access to systems
• We encrypt the transmission of that information using secure socket layer technology (SSL/TLS) by default
• We encrypt all data at rest and in transit.
• We ensure passwords are stored and transferred securely using encryption and salted hashing
• Employees with access to PII receive training on the federal and state laws governing confidentiality both prior to receiving access to the data, and annually thereafter.
• Students can only access Mosa Mack Science with a teacher invitation
• Your Mosa Mack account is protected by a strong password. You can help us protect against unauthorized access to your account by using a unique password and keeping your password secret at all times.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Mosholu Montefiore Community Center Inc

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. MMCC offers a fun and enriching combination of classes and clubs including sports, arts, technology, activity groups, homework help, family food pantry, and much more. Children receive snacks and enjoy after school time each day during the school week also MMCC will provide Mental health and food pantry to parents. PII is needed to track student attendance and progress, schedule appointments, enroll students in after school programming, and allocating additional support programs as needed.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Entity employs firewall, anti-virus software, and anti-spam/phishing on all organizational hardware and online platforms used by staff and/or subcontractors.
• Encryption at rest and in motion.
• Staff and subcontractor policies for use of mobile devices, personal devices, and handling and access of data.
• Access to data is limited to those with prior authorization and who require access to perform their jobs.
• All staff and/or subcontractors receive data privacy training.
• All accounts have robust password security.
• All electronic data is stored locally and is password protected with limited access.
• All physical data is stored in a locked area with limited access.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Mouse.org

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 11/1/2023 – 11/1/2030

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Mouse.org provides The Board of Education of the City of New York with access to Mouse Create, a website and online learning application featuring STEM-related projects designed to facilitate student learning. Mouse Create content is password protected and accessible at https://create.mouse.org/.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor. "Mouse Create is hosted using cloud architecture owned and managed by DigitalOcean, a reliable cloud services subcontractor with 99.99% uptime. Terraform is used to configure, automate, and update the DigitalOcean cloud infrastructure including Linux-based virtual private servers running Mouse Create. All information including Confidential Information and Protected Information are collected and stored using TLS 1.3 grade encryption with 256-bit size and stored using AES-256 encryption. Mouse stores Confidential Information and Protected Information in a secure manner and safeguards it from unauthorized access in a secure, restricted-access database."

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Applications provided by Mouse.org operate separately and independently of DOE and DIIT systems and Mouse is contractually obligated to comply with privacy and security policies mandated by DOE. The Student PII required by Mouse applications is limited to Student first and last name and year of birth. Additionally, at Student’s option, Students may provide their email address, date of birth, gender, and ethnicity. Mouse applications ask students to provide their name only for the purpose of allowing teachers to identify and track assignments completed by students in their class. Teachers do not have access to the names of students or PII of students who are not in their classes. Email address is collected to aid in password recovery. Students using the application do not have access to PII provided by any other student. Within all Mouse applications, all database queries and SQL injections are limited and validated using predefined rules and encryption.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Music and the Brain-Building for the Arts NY

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 8/23/21 – 8/22/26

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Music and the Brain All Access, located at learn.musicandthebrain.org, is a cloud-based learning platform of the Music and the Brain program that gives partner school music teachers and students access to our sequential music lessons materials. Email address protected information will only be used for NYCDOE educators, administrators and students to gain access to the Music and the Brain All Access platform. Google login integration is in place.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Web application is running on a virtual machine (VM) server, provisioned and hosted by AWS, in a data center with specific physical and logical security controls that prevent and restrict access to computer systems and data storage.
• Access to Web application for updates and management tasks require administrator level permission and requires VPN connection and Multi Factor Authentication (MFA).
• All data (including PII or any other confidential information) is encrypted in transit (HTTPS TLS 1.2 / AES256).
• All data is stored in MySQL database and encrypted at rest using the Transparent Data Encryption (TDE) option using AES ciphers.
• Per MATB Data Privacy and Security Policy, access to PII and other confidential information is granted based on the principle of least privilege.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

My Robin Inc

Type of Entity: Publisher of Social and Emotional Learning Content

Contract / Agreement Term: 11/1/2022 – 10/31/20209

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.  My Robin Inc provides a comprehensive online curriculum through engaging videos that teach skills and strategies for students to improve their social, emotional and mental health. To provide, analyze, and improve our Products. We use the information described in (5) below to provide, analyze, and improve our Products, including to:

• Create and maintain your account
• Identify you as a user
• Notate and assign support tickets
• Provide, operate, maintain, and improve our Products
• Personalize and improve your experience
• Contact you and communicate with you, including to respond to your comments or inquiries
• Provide customer support

De-identified or aggregate use. We may create and use de-identified or aggregate information – information removed of specific identifiers so that it cannot singly identify you (i.e., non-personal information) – for purposes only related to the services rendered.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

“Data is available for export from Canvas LMS via a variety of standards-based formats such as HTML and CSV at any point in time by our customers. Instructure is a sub-processor Robin (https://my-robin.com), requests to export or remove NYC DOE PII or other data in the system should be directed to them and they can use Instructure-provided tools to return or destroy DOE data. In the event that Robin terminates its contract with Instructure then 90 days after the end of the contract period Instructure will use AWS-provided methods to securely erase all Robin data (including NYC DOE data) from the system. My Robin Inc will destroy all data upon termination of services. If client requests, data will be returned to them via a secure platform.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. My Robin Inc, who license’s Instructure’s Canvas platform, utilizes a combination of industry best-practices for administrative, operational, and technical safeguards to protect client data. For detailed information please see the following documents which have been included with this submission and are available online at https://inst.bid/canvas/lms/dl:

• Instructure Security white paper: A high-level overview of Instructure’s security policies and procedures including incident response.
• Instructure Business Continuity white paper: A high-level overview of Instructure’s business continuity policies and procedures including disaster recovery with sample RPO/RTO timelines.
• Canvas LMS Architecture White Paper: An architectural overview of the Canvas LMS web application including scalability, reliability, redundancy, and security.
• Canvas LMS HECVAT: An industry-standard questionnaire published by Educause covering Subprocessors, application security, authentication/authorization, business continuity, change management, data handling and classification, data center security, disaster recovery, networking, policies & procedures, incident handling, quality assurance, and vulnerability scanning.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

N2Y LLC

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. To provide the contracted services which include delivery and support of Software as a Service solutions for use by teacher and their students with special needs in the K-12 classroom.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. US-based Microsoft Azure data centers with cloud providers that are audited and certified for secure handling of data.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. n2y maintains safeguards to protect the security, confidentiality and integrity of PII received from the customer including encryption, administrative, technical and physical measures.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Nagarro Inc.

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Nagarro will provide support to DIIT for various programs including design, development, customer support, enhancement, and reporting services. Access to PII is necessary to troubleshoot issues and provide adequate support.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Entity does not store any PII.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. "No PII will be stored or hosted by Entity.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Nagarro has a robust set of safeguards that includes:

• To the extent possible, services are delivered from our ISO 27001 certified New York City facility.
• All PII is hosted and processed on DOE systems and infrastructure.
• All employees undergo periodic training on information and data security.
• Ensuring access to PII data is minimal unless necessary.
• Workstation usage only for the DOE requirements, strong passwords policy for systems and tools.
• Defined and signed-off Information Security Management System (ISMS) policy for each team member.
• No data or information is stored locally on Nagarro’s equipment.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  “Entity does not store any PII."

National Student Clearinghouse

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2024 - 6/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. StudentTracker® is a service that allows educational institutions to learn about the academic journey of their prior students. The Clearinghouse receives PII from BOE and/or its schools and uses it to locate the prior students in its database of postsecondary enrollment and graduation records. We then return a response file with information about the academic achievements of the students identified in the request file provided by BOE and/or its schools.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The Clearinghouse shall implement administrative, physical, and technical safeguards to protect DOE’s Confidential Information that are no less rigorous than an accepted industry standard set of controls, and shall ensure that all such safeguards, including the manner in which DOE’s Confidential Information is collected, access, used, stored, processed, or disposed of satisfy the conditions of the Agreement with DOE.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

National Training Network (for MathKEYmatics)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. MathKEYmatics is a math software assessment program designed to simplify the way educators create, assign, and evaluate math formative and summative assessments. It aligns with the NY Next Gen mathematic state standards, making it easier for educators to gauge student progress accurately. The platform also offers real-time data reporting in various formats, giving educators valuable insights to tailor their instructional approaches. Additionally, students can access their scores and feedback, allowing them to track their performance and make improvements.

MathKEYmatics is a supplement to any core instructional resources the school may be using. It is flexible in providing ongoing assessment opportunities to yield student data to drive routine instructional decisions and can be used in conjunction with other benchmarking assessment tools. The resource can be used in various ways including:

• Mid-unit check ins that are standards based
• Standards aligned end of unit summative assessments
• Common assessments across a grade level to build consistency
• Identifies common student misconceptions
• A comprehensive view of student data at the administrator level

MathKEYmatics requires minimal PII in an effort to create user accounts within the system. The only fields necessary for user account generation are as follows:

• First Name (or initial)
• Last Name (or initial)
• Grade Level
• Class Name

The requested data listed above is what allows account creation and organization between students and educators, as well as access to the appropriate grade level(s) standards.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

Administrative – MathKEYmatics administrators will manage the handling and communication of all PII in a password protected format, only accessible to the appointed school representatives who should have access. User passwords are not visible within the MathKEYmatics administrative account yet can be reset or generated. User data cannot be accessed within the admin platform.

Technical – User access controls and Programming Security Best Practices:

• Servers behind AZURE firewalls
• SSL for secure transactions
• Application runs on minimum database privileges
• All machines behind AZURE VPC
• All downloadable content is encrypted using AES-256 encryption
• MathKEYmatics is COPPA compliant
• FERPA and GDPR are followed. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Navigate360 (for Navigate360 and PBIS)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Navigate360 is the leader in holistic safety and wellness solutions. Our revolutionary model spans the full spectrum of safety, including threat detection and prevention, mental health and wellness, and safety management and preparedness – backed by research and developed by industry experts. We provide the tools necessary to save and enhance lives.

PBIS Rewards is a software-as-a-service solution that enables Schools and Districts to digitally manage their Positive Behavioral Interventions and Supports initiative. PBIS Rewards helps educators improve school culture, improve student behavior, and promote a safe environment for learning. PII is necessary to support and track student success.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Navigate360, LLC maintains appropriate security policies/procedures to ensure protection and integrity of company information systems and assets. This includes, but is not limited to, use of data encryption, firewalls, MFA, backup methodologies/procedures, periodic risk assessments, disaster recovery plans, security incident response plans, and use of the principle of least privilege.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Navigate360 (for P3 Campus)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 10/1/2024 – 6/30/2025.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. P3 Campus is an anonymous tip reporting solution designed specifically for use in schools as a part of student safety and mental health initiatives. P3 Campus engages students to be proactive in the emotional and physical wellbeing of their peers by giving them a tool to make anonymous reports quickly, easily, and interactively. School community members can report about a wide range of concerns, from mental health issues to threats of violence through our P3 Campus mobile app or through any web browser at P3Campus.com. PII may be included in anonymous tips.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Navigate360, LLC maintains appropriate security policies/procedures to ensure protection and integrity of company information systems and assets. This includes, but is not limited to, use of data encryption, firewalls, MFA, backup methodologies/procedures, periodic risk assessments, disaster recovery plans, security incident response plans, and use of the principle of least privilege.

Navigate360 vets all employees prior to hiring and requires them to attest to and abide by the company’s data security policies prior to working with student data. All employees are also required to attend monthly security awareness training in addition to their annual training. Navigate 360 employs strict data access policies and reviews access on a consistent basis.   

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

NCS Pearson (for Certiport)

The exclusive purposes for which Protected Information will be used: Protected Information is collected from individual students to create an individual user account. This individual user account allows students to manage personal information, manage certification examination registration, view a record of certification exams taken and passed, print duplicate copies of certification certificates for certification exams passed. The user account allows the user to manage and control their personal information and certification exams after graduation – including capturing future certification the user may earn.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Certiport uses two subcontractors that to deliver the Certification Exams that Certiport offers. One subcontractor provides exam drivers to launch and run exams. This subcontractor only has access to a candidate’s name. The candidate’s name is only accessible through logs generated by the drivers – logs are accessible only to employees of the subcontractor that have a specific need and purpose to access them. This subcontractor is under a confidentiality agreement with Certiport and has technological and administrative controls designed to protect data.

The second subcontractor we use provides 1st-level tech support for candidates. This subcontractor needs the ability to look up candidate accounts, view candidate profiles and exam results in order to provide candidates with basic tech support services. This subcontractor is under a confidentiality agreement with Certiport and has technological and administrative controls designed to protect data.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Protected Information is retained until the individual that has the associated account (or their legal guardian) requests deletion. The individual account holder may request deletion of certifications from a specific program sponsor (i.e. deletion request of all Microsoft exam records) or the deletion of their entire account. When deletion of the entire account occurs, all certifications earned are also deleted – they are no longer verifiable or valid. This means that the individual will be required to register for a new account and re-take exams if they wish to regain certification.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Parents, students, eligible students, teachers or principals may challenge the accuracy of the student data or teacher or principal data that is collected by Certiport by logging into the candidate’s account (candidate means any user that is authorized by the District to take a Certiport certification exam; this may include a student, teacher, teacher’s aid, principal, etc.), navigating to the candidate’s profile page, and editing/updating the incorrect or inaccurate data. Certification exam results are not challengeable and will not be changed or modified at the request of any individual.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All of our data is stored in a secure data center within the US. The database is behind multiple levels of protections, and is encrypted-at-rest. All access to the data utilizes secure, individual accounts and secure data transfer.

How the data will be encrypted (described in such a manner as to protect data security): The databased is encrypted-at-rest. Additionally, key data such as passwords are AES-256 encrypted.

NCS Pearson (for Periodic Assessment Program)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 8/1/2021 – 7/31/2026

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. Pearson will support NYCDOE by delivering the technology and services to support the NYCDOE’s Periodic Assessment Program. Pearson will receive and access PII to complete the services outlined in the Periodic Assessment contract. Specifically, the data will be used to allow students to access assigned assessments by their classroom teacher in regard to the New York City Periodic Assessments. Student data will also include scored assessments used by classroom teachers and the NYC school district.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Pearson takes the privacy and security of customer and company information seriously. To protect sensitive assessment data, such as test items and student confidential information, Pearson employs recognized industry standard security measures to safeguard the confidentiality, integrity, and availability of customer data and the services we provide.

Our information security policies and standards are based on the ISO/IEC 27001 information systems security framework and align with the NIST catalogue of security controls. This ongoing alignment with NIST reflects our commitment to ensure our information security program remains current and appropriate to address the evolving threats to information security and data privacy.

System Security and Resiliency

• In accordance with security best practices, multiple layers of security exist in the computing environment to reduce the risk of unauthorized exposure of customer data. These protections include not only preventive controls designed to stop security incidents from happening, but also detective controls to inform us in the unlikely event a security control failure occurs. Along with the resilient and reliable design of our assessment platform, Pearson leads the industry in its ability to protect against and mitigate the effects of distributed denial of service (DDoS) attacks.

Staff Training Requirements

• When employees and staff augmentation resources begin working for Pearson, they must sign an acknowledgement of their obligation to adhere to the Pearson Global Information Security Policies and follow the company’s implementation guidelines and standards. On an annual basis, members of the Pearson workforce must complete information security training that is designed to ensure they not only maintain awareness of their responsibility to protect customer and company information, but also to help ensure they are educated regarding changes in the ever-evolving information risk universe.

Need to Know and Least Privilege

• Pearson provides access to systems based on need to know and in accordance with the principle of least privilege. If a workforce member does not have a business need for access, they do not get it. And where access is authorized, user accounts are assigned the minimum level of privilege necessary for their role.
• These principles also extend into the assessment services we provide. Customer staff who have been assigned to administration roles in service solutions have the ability to place staff and students into specific roles with privileges appropriate to them. In this way, the administration of the assessment platforms can conform to role-based access needs of each customer.

Entitlement Review

• A review of users and the permissions assigned to them is performed periodically, as well as when staff change positions and employment statuses change. This helps to ensure on-going adherence to our commitment to grant access based on need to know and according to the principle of least privilege.

Data Classification

• Pearson’s Global Information Security Policies and Standards define a three-tier data classification level (DCL) scheme. DCL3, the highest classification tier, denotes customer and Pearson intellectual property, data subject to US and International data security and privacy regulations, and data requiring comparable protections as defined in contracts. DCL3 classified data requires the most stringent information security controls. Given the nature of the services we provide to customers, practically all of our systems are designed with the baseline assumption that the data it maintains and processes is DCL3.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

NCS Pearson (for Q-global and Q-interactive)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Q-global and Q-interactive collect, process and store the data for administering, scoring, and reporting on clinical assessments.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. “Pearson will be using AWS to host PII. AWS does not have access to PII nor does Pearson share the PII with any other subcontractors. AWS provides cloud computing services. Pearson maintains the data encryption keys.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Vendor selected “Other: Customers can delete their data at any time using the applications. The customer can also request in writing that Pearson delete their data. Data in dormant accounts will be deleted after two years.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Q-global and Q-interactive systems and data are hosted at Amazon Web Service (AWS) Canada Central region in Montreal, QC, Canada.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Pearson, Q-global, and Q-interactive employ many administrative, physical, and technical safeguards to protect customer data.

Administrative safeguards include Pearson’s Information Security Management Strategy based on the ISO 27001 Framework with movement towards NIST Cybersecurity Framework alignment which includes security policies and standards, information security and data privacy training for staff, least use privileges, configuration management, and formal processes for request and approval of accounts.

Physical controls include physical lock and key, badge access systems, locking equipment cages, security guards, dedicated alarm systems, visitor logs, CCTV and video recording. For data centers, individual access is authorized only by the data center manager and based upon the individual’s role, responsibilities, and business need. There is a data center control log that must be signed upon entrance and exit, and individuals must always present their access badge and display it visibly. Authorized employees must escort authorized visitors such as vendors, contractors, or consultants always in the data center.

Technical controls include firewalls, segregated virtual private clouds for products and environments, separated tiers for servers, data encryption for data at rest (AES 256) and in transit (TLS and HTTPS), role-based access and authentication, unique and complex authentication, secure coding practices, OS and application patching, and static and dynamic security scanning.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

NCS Pearson (for the SHSAT)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 11/1/2024 – 10/31/2025.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Pearson receives PII to scan, process, and score the SHSAT exam in order for NYCDOE to make offers to students for admission to the Specialized High Schools within NYC.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Per the contract, Pearson will securely destroy all PII and non-secure materials 18 months after the last annual test administration date.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All NYC data will be stored in the AWS Cloud to provide consistent security and availability for the NYC SHSAT Assessment. For secure data transfer, Pearson employs HTTPS, an encrypted method of passing data over the Internet via web-based systems. Transport Layer Security (TLS) works with HTTPS to ensure the data is encrypted as it passes from our servers to the client. Web-based services and application layer interface (API) calls use industry-standard representational state transfer (REST) architecture to appropriately constrain and control data as it passes between components and across connections.

Pearson uses several systems to keep employee's computers and the data on those computers secure. The internal Pearson network is isolated from the public internet by a layered firewall approach that creates a secure local area network environment. Pearson laptops have a full disk encryption solution to protect all data if the computer is lost or stolen. Some of Pearson's uses of encryption are listed below:

• Secure FTP: for encrypting sensitive data files as they are moved between Pearson and our customers
• HTTPS using TLS encryption on websites to protect data in-transit
• Virtual Private Networks (VPN) connections for secure access to the Pearson network by Pearson personnel when accessing remotely
• Database encryption to protect data at rest from unauthorized access   

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Nearpod

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. For the exclusive purpose of delivering and supporting Nearpod's software services, including supplemental instruction, and formative assessment content and activities for authorized school and district users, including parents, teachers, and students.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Nearpod will ensure that only the employees, contractors, and sub-processors who have a “need to know” access to any Protected Data, actually have access to the Protected Data by instituting separate types of user-permissions on the Nearpod platform back-end. Additionally, Nearpod will ensure that all employees, contractors, and sub-processors sign confidentiality agreements and nondisclosure agreements that limit the use of the data that is received in the course of their relationship with Nearpod to the limited purpose of providing the services needed to provide the Nearpod services to district.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

NetSupport (for Classroom.cloud)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Classroom.cloud is a teaching/instruction, monitoring and student engagement tool used to better manage technology in the classroom. It is cloud-based and hosted by NetSupport Incorporated. PII collected is used solely for the creation of classes and identification of students within the platform and is not shared with any third-party. We use this data to provide information/evidence about what learners are doing during and outside of lessons, to monitor the safety of students, and to provide schools with the information and tools necessary to delivery technical and instructional support.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYCDOE, or a successor contractor at the NYCDOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We have organizational and technical measures in place to safeguard and secure the information we hold, based on standard industry privacy practices. More information can be provided on request as we prefer not to publicly publish too much security information as a measure to protect our services. Our infrastructure undergoes rigorous testing and security review to ensure PII is protected. Any potential risks will be made known to users through direct communications from us, as well as options for mitigating potential risks/threats.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

New Beginnings Performing Arts Studio

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 6/01/2023 – 5/31/2028

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. New Beginnings Performing Arts Studio is committed to its mission to expose adolescents and adults to life experiences through the performing arts.

The New Beginnings Dance program meets the complex needs of today's dance students enabling them to develop as both highly versatile dancers and well-educated adolescents. This program provides an introduction to the study of dance cultures in diverse contexts around the world. They are offered a broad curriculum of dance techniques that allow them to become equally proficient and well-grounded in traditional and cultural based techniques.

This course was developed in alignment with the New York City Department of Education’s Blueprint for Teaching and Learning in the Arts: Dance, Grades PreK-12. The Blueprint is the

New York City Department of Education’s curriculum framework for instruction and notes indicators for student achievement in dance at various benchmark grades (2nd, 5th, 8th, and 12th). The Blueprint is directly aligned with the NY State Learning Standards for the Arts.

This program exposes students to pro-social activities preparing them for social and academic success through the performing arts. Students would meet on a daily basis to learn skills that will build self-discipline and self-control through dance, movement, and sound. These items would in turn build self-esteem, confidence and character, allowing them to learn in a positive and fun atmosphere.

We would need student names and classes to keep attendance.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Password Protected
• Firewall
• All students documents are filed electronically in password protected database

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor wrote “will not be storing PII.”

New Classrooms Innovation Partners

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Teach to One Roadmaps is a tool and associated support that supports tailored acceleration in math. Roadmaps is based upon a cross-curricular map of well-defined and rigorously related elemental skills, which represent the conceptual, procedural or applied understanding of a mathematical idea based on the Common Core standards.

We provide a customized roadmap of skills for each student to work toward selected grade level or algebra targets. Students progress through their roadmap by accessing aligned lessons and practice on each skill and taking an on-demand assessment in order to demonstrate knowledge learned.

Roadmaps supports teachers to assess and understand each students’ progress toward mastery of skills to and through Algebra. Teachers can track progress with aggregated student and skill -based reports and data exports, as well as access to skill aligned lesson resources and basic grouping tools. PII is utilized by Teach to One Roadmaps to create student accounts, and track progress through lessons and skill assessments.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and Akamai.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. In addition to the protections afforded by our cloud hosting providers, practices employed at New Classrooms to protect personal data include but are not limited to:

• Data encryption: Data is encrypted in transit and at rest.
• Access: Access to personal information is restricted to those who need such access to perform their job.
• Incident Response Plan: New Classrooms regularly reviews and maintains an incident response plan.
• Training: Our employees are required to complete information security awareness training upon hire and yearly thereafter.
• Patching: Production systems receive regular maintenance to apply security patches.
• Physical Safeguards: New Classrooms utilizes cloud providers who are responsible for all physical safeguards.
• Database Access: New Classrooms ensures that the data is stored in privately addressed network devices that has no direct interaction with public networks.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

New York Center for Interpersonal Development (for Community Schools Services)

Type of Entity: Community Based Organization

Contract / Agreement Term: 7/1/2022 – 6/30/2024, extended to 6/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. NYCID Community Schools strategy transforms a school into a place where educators, local community members, families, and students work together to strengthen conditions for student learning and healthy development. As partners, they organize in- and out-of-school resources, supports, and opportunities so that young people thrive. NYCID offers mentoring, mental health counseling, family engagement, food pantries, attendance improvement, life skills, peer mediation and various groups for students and families.

We collect student data based on attendance. Data gets generated by the DOE through their system.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Suite.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. NYCID uses Google Suite to collect and manage all information. Google uses the Advanced Encryption Standard technology to protect all data for our organization. NYCID ensures all staff members with access to their email domain use a range of security features, such as two-factor authentication, strong passwords, and limit non-essential third-party apps.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

New York Center for Interpersonal Development (for Learning to Work)

Type of Entity: Community Based Organization

Contract / Agreement Term: 7/1/2021 – 6/30/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. NYCID provides a safe space to over-age and under-credited students that are looking for a new start in an inclusive environment. Any personal information collected from students are solely to complete employment packages (W-4 form, IT-2014 form, USCIS Form, I-9, etc.) and to be added to the payroll system that NYCID uses to process payroll so that a student is able to be legally paid through the Learning to Work program via a reputable payroll services provider.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Paycom and Google Suite.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

Google Suite: NYCID uses Google Suite to collect and manage all information. Google uses the Advanced Encryption Standard technology to protect all data for our organization. NYCID ensures all staff members with access to their email domain use a range of security features, such as two-factor authentication, strong passwords, and limit non-essential third-party apps.

Paycom: NYCID is currently in partnership with Paycom for Payroll purposes. Paycom implemented industry standard measures designed to secure personal data from accidental loss and from unauthorized access, use, alteration, and disclosure. Internship wages are paid through Paycom.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

New York City Outward Bound Center

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/01/2015 – 6//30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. NYC Outward Bound Schools receives student level data including names, student number, school, demographic information and performance data such as attendance and end of semester grades directly from the DOE and partner schools. We use this data to assess the impact of specific programs and services that are delivered to schools so that we can ensure that resources are being used effectively. At times we disaggregate the data by gender, race, special education or MLL status to assess impact on sub-groups of students. The programs we study include professional development, coaching and student community building.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• 256-bit SSL/TLS encryption is used for files in transit and 128-bit AES keys for files at rest.
• Access to information is limited to authorized individuals who require it to perform their job functions.
• Authorized individuals who have access to confidential data receive training on federal and state laws governing the confidentiality of such data.
• When staff employment is terminated, the employee’s accounts are disabled and passwords are changed.
• In the unlikely event of a security breach, New York City Outward Bound Center, Inc. will activate an incident handling procedure, conduct a thorough investigation, and contact the appropriate stakeholders as required by law.
• Third-party partners are vetted for their ability to comply with the security requirements outlined by NY State and NYC DOE.
• Other safeguards include, but are not limited to, physically secure data centers, up-to-date firewall rules, regular third-party security audits, and logical access controls of data.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

New York Edge

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. New York Edge is a non-profit organization and one of the largest providers of school-based afterschool programs in New York City and the metropolitan region. NYE impacts nearly 40,000 students from over 100 sites in grades K-12 typically in underserved neighborhoods. Programs run before or after the school day, year-round (including Saturdays, over the summer, and holiday periods) and provide students with sports, arts, and academic enrichment activities New York Edge receives and accesses PII for the purposes of enrolling students into the program, monitoring their activities, communicating with parents & school, and assisting in college applications.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce; and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• NYE has established and appointed applicable roles with the mission to coordinate, develop, implement, and maintain the data privacy and information security program.
• Users must comply with DOE’s Information Security Policy, which outlines the responsibilities of all users of NYE information systems to maintain the security of the systems and to safeguard the confidentiality of NYE information.
• The confidentiality of NYE data must be protected and must only be used in accordance with state and federal laws, rules and regulations, and NYE policies to prevent unauthorized use  and/or disclosure.
• Where required by law, personal information, personally identifiable information, shall only be disclosed to third parties pursuant to a written agreement or subpoenaed that includes terms and conditions necessary to protect such information.
• NYE has policies and practices in place that identify the risks to the confidentiality, integrity, and accessibility of its DD systems and data, and manage its operations and the actions of its employees and vendors to minimize, mitigate or eliminate identified risk in line with applicable laws, rules and regulations, and industry recommended practices.
• All physical information systems within NYE shall be inventoried, and essential information systems identified. All software platforms and applications within NYE shall be inventoried.
• Inventories must include detailed information about the installed software, including the version number and patch level. The software/application inventory must be updated periodically, using an automated process where feasible.
• Access controls are implemented on all current and future NYE physical and virtual information systems and assets maintained by NYE or on behalf of NYE, to protect against unauthorized information alteration, loss, denial of service, or disclosure, as outlined in the information security policy.
• Access privileges will be granted in accordance with the user’s job responsibilities and will be limited only to those necessary to accomplish assigned tasks in accordance with NYE’s mission and business functions. Where technically feasible, users must be provided with the minimum privileges necessary to perform their job duties.
• All NYE personnel, volunteers, interns, and contractors with access to NYE information systems and/or information must complete data privacy and security awareness training on an annual basis.
• System protection controls must be established, implemented, and enforced on all current and future essential NYE information systems in accordance with NYE security standards. Controls must be implemented to ensure the physical and environmental protection of data and systems.
• Repairs and maintenance on all hardware and software must be controlled and performed only by approved personnel.
• NYE assets must be adequately protected, controlled, and monitored. Security protections commensurate with the sensitivity level of the system data must be implemented to protect NYE assets from unauthorized access or modification.
• All information system media (e.g., disk drives, diskettes, internal and external hard drives, portable devices, etc.), including backup media, removable media, and media containing NYE information and/or sensitive information must be secured and protected from unauthorized access at all times.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

New York Junior Tennis League

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 07/01/2022 – 06/30/2027.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We will be providing after-school programming including academic tutoring, test prep, SAT prep, math and literacy academic enrichment, among other activities. PII is necessary for attendance.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Docuware.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Physical data is kept in a secured location that is locked. All physical copies of information are shredded at the end of the year.

For this, Administrative safeguards involve restricting access to authorized personnel only, who sign written agreement to keep information confidential.

Technical safeguards entail encrypting data during transmission and storage, access controls to electronic data, regular backups. Staff will be required to change passwords every 90 days and use two-factor authentication. We utilize password-protected cloud-based databases meeting industry standards. Access to cloud-based service logs requires multi-tiered authorization. All devices are secured with antivirus/antimalware software.

Operational safeguards include enforcing best practices for handling information and data among employees, and clear policies for handling student information and reporting security incidents. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

New York Mission Society

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Mission Society engages in continuous improvement and monitoring in partnership with DOE partners at the seven school we partner with which uses PII data to look at trends and outcomes. The results from these data monitoring activities provide the Learning to Work program, Principal, and school administration with the information necessary to create goals and establish areas of focus. This continuous improvement and monitoring of data is essential to our understanding of what is working well and what needs improvement. Also, PII data is also used to assist student with their post-secondary planning i.e. applying to college, financial aid applications for college and job applications, etc.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and

written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google and Microsoft, and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Mission Society collects personally identifiable information (PII) from students who participate in their education programs. Prior to obtaining PII data all students over the age of 18 must complete a data collection consent form that asks the students permission to share their PII data with Mission Society. Students under the age of 18 must have a parent or guardian sign the data collection consent form. All PII data is entered into a password protected cloud based database that employs current industry standards and legally required technical, organizational, and physical safeguards designed to protect the PII information that Mission Society collects. Mission Society staff are sufficiently trained on how to safeguard PII data. Mission Society does not sell, use, or disclose PII data for marketing, advertising, or other commercial purposes. Mission Society does not maintain copies of PII data once it is no longer needed for the agreed upon educational purpose and in accordance with DOE contract mandates.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

New York Pops

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

PopsEd Residencies – In-school residencies tailored according to each school’s needs, and specific curriculum is designed for each participating grade from Kindergarten through Grade 12. Student names and grades are made available to Teaching Artists in hard copy form to assist with managing the classroom and taking attendance where necessary. Attendance sheets are returned to the school contact teacher at the end of each session. TNYP education programming is assessed over the course of the year through regular site visits, meetings, and written communications. TNYP Education and Operations Manager, Analisa Bell, meets with teaching artists and partnering schoolteachers to discuss and evaluate the program’s impact, teacher effectiveness and student learning at the start, middle and end of each residency.

Kids in the Balcony - TNYP invites all participating schools to enjoy free tickets to TNYP concerts at Carnegie Hall through the Kids in the Balcony program and Forest Hills Stadium in Queens. Tickets are mailed to schools to handle distribution of said tickets. However, sometimes, families reach out to purchase additional tickets. Name, address and payment information are collected and entered into the PatronManager database. TNYP may also ask parents to sign media release forms for use of student’s image.

Kids on Stage - a FREE comprehensive program that provides middle and high school students access to the professional performance process, culminating onstage at Carnegie Hall alongside TNYP musicians at our annual Birthday Gala. Families receive a specific number of free tickets for this event, but also have the option to purchase additional tickets. Name, address, and payment information is collected and entered into PatronManager database. The application process also requires students and parent/guardians to provide information such as student age, grade, ethnicity, address, grade, school etc.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Chris Daniels, ACSYS, Computer Solutions.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We use encryption to protect any sensitive information transmitted online, we also protect information offline. Only employees who need the information to perform a specific job (for example, Kids on Stage audition scheduling) are granted access to personally identifiable information. The computers/servers in which we store personally identifiable information are kept in a secure environment. We utilize passwords for all protected materials and accounts including multi factor authentication, Firewall with advanced security, email spam filtering, Endpoint Detection and Response, back-up for computers and Office 365, and DNS filtering.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

NIA Community Services Network

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. NIA Community Services Network Inc. partners with the NYC Department of Education as a subcontractor to provide after-school enrichment services including safe daily after-school care, daily homework support, academic support services, visual and performing arts instruction, STEM, sports and fitness, leadership and SEL programming, and additional enrichment topics as needed/required by school partners. Instruction takes place on site at each school location, within classrooms, gymnasiums, and other appropriate instructional spaces. Services are provided during after-school hours, Monday – Friday during the regular school year.

PII is necessary to enroll students and track participation and outcomes related to program services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. NIA has administrative, operational, and technical safeguards and practices in place to protect any Protected Information that we may potentially receive under the contract. This includes, but is not limited to:

• Best practices for staff and subcontractors with respect to handling Confidential Information, and authorized use of devices.
• Limited access to information to those who require access.
• End-to-end encryption in motion and at rest.
• Secure storage of physical and electronic data.
• Monitoring and management of data servers, including backups.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

No Tears Learning (also called Learning Without Tears)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. No Tears will provide access to several digital speech reading and writing products from our platform for K-6 students and their teachers. Products include +Live insights, Phonics, reading, and me, A-Z for Mat Man and Me, Handwriting Without Tears, The PreK Interactive Teaching tool, and Wet-Dry-Try Handwriting App.

PII is needed to make, manage, and personalize student accounts. PII is used to track student progress and provide teachers with feedback regarding student progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Privacy for all user data is critically important to us, and we have put into place best practices to safeguard its access and usage. Listed below are more specific safeguards we have in place:

• Access control – Zero-Trust model is in place, only security and system administrators can view.
• Auditing – Logging and reviewing our PII access.
• Encryption – PII is encrypted to make it unreadable for any user without access.
• Tokenization – PII is replaced by a unique identifier to prevent unauthorized access.
• Data Security – All data classified as PII is stored in a secure server hosted by a third-party cloud infrastructure service utilizing security best practices by default.

Because all of our data is hosted in the cloud environment at AWS, we are able to leverage Amazon’s implemented physical safeguards to protect our customers data. No current employee has physical access to machines with protected data. Our administrative safeguards ensure that any employee that is terminated has their access to our servers/infrastructure immediately revoked. Additionally, access to sensitive data in production is on a “need only” basis, and account access is extremely limited – for instance: the CEO, CFO nor CTO have access to any production-level data. If there are other specific safeguards that the district is curious about, please let us know. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

NoodleTools

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2023 – 7/1/2024.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. NoodleTools is an online platform promoting authentic research and original writing. Students can build accurate source citations, write and organize notes, collaborate in teams, and receive in-context feedback from teachers.

Student first name, last initial, email address, and graduation year are used to identify the student uniquely in the application (for login purposes, and so that a teacher can identify work submitted to them within the application).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Provider employs industry standard security technologies to protect Data from unauthorized disclosure or acquisition by an unauthorized entity. When NoodleTools is accessed through a web browser, Secure Socket Layer ("SSL") is employed to protect data from unauthorized access. Server authentication and data encryption protects data at rest and in transit, and a firewall is periodically updated according to industry standards. Periodic risk assessments are run and any security and privacy vulnerabilities are remediated in a timely manner.

Provider limits access to PII to only core owners and employees who have a specific purpose for maintaining and processing such information. Anyone given access is provided with specific training to protect the confidentiality of that data.

Provider will maintain and store school/district data and PII on servers that physically reside in the United States, and will never transmit that data to any entity located outside of the United States. Provider will never provide or sell this data to any third party for any purpose. PII will never be used for any purpose other than in connection with the services provided to the school or district. PII will never be used for any form of targeted advertising. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

NoRedInk

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. NoRedInk provides a comprehensive, online, adaptive, mastery-based writing curriculum for grades 3-12 that is aligned with the New York State Standards. We collect the following PII in order to provide, maintain, and improve NoRedInk:

• Student name, grade, email (optional), teacher names, school – required to create student accounts and associate them with the correct account and teachers
• Student assessment data (NoRedInk benchmark, diagnostic and growth assessments – required to assess student skill mastery, monitor progress and growth
• Student generated content (writing) – required for students to complete NoRedInk writing assignments and activities in order to receive teacher feedback and assignment grades to support their improvement

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subtractor, i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All PII is stored in a secure environment on servers located in the United States (Amazon Web Services). Only the administrators of the cloud infrastructure provider have physical access to the data centers from which our service is hosted; the cloud infrastructure provider maintains security procedures compliant with a variety of US and international standards to ensure physical security of their data centers. It is our policy to prohibit storing any user data on employee devices.

Access to the NoRedInk production servers and database is permission controlled. We are able to revoke access remotely for any individual.

All NoRedInk users require a password-protected login in order to access the application. Teachers and students can register with a unique username and a password, or use Google SSO or Clever SSO.

All user data, including login credentials, provided in the use of the online service is encrypted in transmission using HTTPS. User data, including passwords, is encrypted at rest in our database. 

We have 24/7 security scanning, monitoring and alerts with a team on call for any required incident support. These systems also detect any required security patches or updates for our system.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

North Brooklyn Development Corporation

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. NBDC after school program provides an opportunity for local school children (kindergarten to fifth grade) to participate in the following activities: homework, math, SEL/community circle, arts and crafts, science, ELA/literacy, horticultural society, gym, Spanish.

NBDC receives student data to track attendance, to personalize educational and recreational experiences for each student, and to communicate with parents.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII are collected by trained and background checked staff in schools, then files are securely transported to NBDC’s main office and are locked in the file cabinets.

• Employees adhere to data processing and don’t share protected information obtained from parents, students, or DOE student data system.
• NBDC safeguards all protected information in compliance with federal, state, and local regulations.
• Paper applications are properly locked when not used.
• Control access to the file cabinets by limited the number of individuals who have the keys
• Staff receive annual training on data privacy and security policies
• NBDC monitors and reports data breach incidents

 Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  “No electronic PII is stored or hosted”

Notable (also called Kami)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 6/30/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Kami is a digital learning platform that allows teachers and students to annotate on documents, PDFs, images (or any other resource) using a variety of tools to increase accessibility, engagement, and collaboration. With Kami, teachers will find heaps of new ways to level up their documents, PDFs, images, activity sheets (or any other learning resources) to interactive and engaging learning environments. From there, teachers and students can collaborate in real-time through live annotations, video and audio recordings, drawings, and much, much more.

To summarize our purpose for receiving/accessing PII, we use the data you share with Kami solely to provide you the Kami service, to improve it, and to keep you updated about new developments. We use the PII for sign in purposes (using SSO). Kami collects limited personal information from students, including email address, first name, and last name. This information is not shared outside of the school or with any third parties except those needed for the provision of the service as outlined in our privacy policy here: https://www.kamiapp.com/privacy-policy/.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS and Google Cloud Platform.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Your data is protected using streaming replication to geographically distributed backup servers and log shipping to secure storage. We create daily backups using multiple independent systems and store them across multiple different providers. Our backups are encrypted on dm-crypt encrypted disks with strong passwords. Data is stored in physically secured google data centers, PII remains in the cloud and is never downloaded to local or mobile devices. Access to systems storing PII is restricted to staff needing it to provide the service. Staff are subject to police background checks, staff receive training on handling PII and recognizing and dealing with cyber threats upon joining and regularly thereafter.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

NoteFlight LLC

The exclusive purposes for which Protected Information will be used: To provide the services for teachers and students to learn music composition and performance in a private web-based environment.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: All subcontractors sign DPAs, follow the same protocols as we do, and go through training.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: This agreement begins upon execution and ends upon written notice that services are no longer needed, and the district can request deletion of data. [NYC DOE comment: the agreement was signed on 12/20/2020 and updated on 8/6/2021.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. 

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Amazon Web Servers, Northeast Region 1, Northern Virginia. Data is encrypted in motion and at rest, with the service running AWS Elastic Beanstalk Instance clusters and SSH keys. 

How the data will be encrypted (described in such a manner as to protect data security): Hash and key, SSL, Database encrypted at rest and in motion. 

NTT DATA, Inc.

Type of Entity: Commercial Enterprise

Contract / Agreement Term:

• PCS Contract: 7/1/2023 – 6/20/2025
• IBOS Contract: 4/1/2023 – 3/31/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. 

Distribution of centrally purchased devices – PCS Contract – NTT DATA receives device distribution list through NYCDOE ftp site. We accept list which includes name of student, student ID, date of birth, and school student assigned. Student information is required to generate labels for computer boxes delivered to school. Label includes school, name of student, last 4 digits of student ID, and barcode for tracking. Distribution Team affixes label to box at warehouse and prepares for delivery. NTT DATA delivers devices to school. School Principal or designee signs Proof of Delivery.

IBOS Contract – NTT DATA Americas is assigned as the systems integrator for the refresh of all school and admin site wired and wireless networks. Services also include the refresh and integration of IP video surveillance networks including Door Locking and Access Control, Cybershift cabling and integration, and voice integration. We do not access student information while performing any of the contract services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. NTT DATA protects information assets by safeguarding the confidentiality, integrity, and availability of client information within its custody. We have established safeguards to protect information assets from theft, abuse, and misuse. Our Information Security Management System (ISMS) manages risks and provides protection to company information.

• Enable management and employees to maintain an appropriate level of awareness, knowledge, and skill through mandated periodic training, to allow them to minimize the occurrence and severity of Information Security Incidents.
• Work in collaboration with internal and external auditors to ensure compliance with NTT DATA Information Security policies and regulations.
• Manage the ISMS and monitor the effectiveness of the security controls implemented Proactively evaluate new security standards and data privacy and protection acts to stay current and in compliance with various legal, regulatory, contractual, and international security standard requirements.
• NTT DATA has well defined, documented, and implemented Information Security Management System (ISMS) policies, standards, and procedures in place based on industry standards including ISO 27001 and NIST 800-171. The ISMS program is approved and continually monitored by senior management, with ongoing security awareness and communication to all associates. The ISMS program includes both technical and non-technical controls to secure the information generated or accessed by NTT DATA, covering both NTT DATA-owned and customer-owned information/ data. The technical controls may vary based on the service(s) being performed, but generally include firewalls, intrusion detection/prevention, DMZ, Data Loss Prevention, advanced endpoint protection (EPP/EDR), disablement of unused ports and services, centralized patch and configuration management for all computing assets, and real-time logging and monitoring of infrastructure and identity systems to detect anomalies and mitigate potential threats and risks. The non-technical controls begin with the policies, standards, and procedures which include, but  are not limited to, data classification and handling, access management, risk management, asset disposal, exception management, vulnerability management, back up and restoration, anti-virus, patch management, laptop and desktop security. End user awareness, training, and education sessions such as new employee orientation training and refresher trainings are delivered to all associates. These combined controls shall enforce appropriate confidentiality, integrity and availability of NTTDS-owned as well as customer-owned information/data.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

NWEA

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 6/30/2022 – 7/1/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. NWEA receives PII in order to provide educational assessments and associated services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS; and using an entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. NWEA’s administrative, technical and physical safeguards can be found at: NWEA's Map Growth Security Whitepaper.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

NYSARC Inc. New York City Chapter

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2022 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. NYSARC Inc. New York City Chapter will serve as the Community Based Organization. Through this partnership, the CBO will work with each school and community partners to engage families, improve attendance, offer extended learning time opportunities and enhance wellness.

PII will be used to allow teachers and school staff to communicate with families regarding student progress in extended learning time activities such as coding workshops and tennis workshops. PII is used to monitor students’ progress in these workshops and to make recommendations for next steps in these areas. PII will also be utilized to measure the programs and students’ success.

Type of PII that the Entity will receive/access: Student PII

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third-party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Sharepoint.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. NYSARC Inc. New York City (AHRCNYC) employes a multi-platform security layer approach when protecting PII and all sensitive data to ensure proper and effective safeguarding:

• Email – all external outbound email is initially sent via TLS protocols which ensure encryption when transmitting content over email. Staff have the option of enforcing security when PII is present in the email body or as an attachment. (For security, we do not disclose technology vendors or information).
• Login/Authentication – All ARHC NYC uses Multi Factor Authentication to access any level of infrastructure, the networks or the applications. (For security, we do not disclose technology vendors or information).
• Infrastructure – All aspects of on premise infrastructure is secured by firewalls and monitored 24/7 through our security team utilizing a NOC (Network Operations Center).
• Data at rest – All stored data residing in our marts or database are encrypted by default
• Data in motion – All data accessed or in transition is typically accessed through SSL protocols (when access is through web applications). If large PII is required (example: reports or exports sent to external entities), the data is transmitted using SFTP systems to share with appropriate recipients.
• Risk mitigation – data use training and social engineering is performed periodically. AHRC NYC conducts an annual technology/security risk audit using an external third party provider.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

OmniLearn

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 6/30/2021 - 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. OmniLearn staff provide hands-on STEM lab instruction for pre K -12 students and Professional Development for teachers in Brooklyn, Queens, and the Bronx. We are subcontracted by CBO’s (Community-Based Organizations) for teaching labs in Community Schools and named as vendors in 21st Century Community Learning Center Grants. Student signatures are collected each day we teach a lab for 2 purposes: 1) Evaluators must submit evidence that the schools have met the requirements set by the grant providers for Numbers of students participating in the lab program on each of the dates throughout the school year. Copies of the daily sign-in sheets are kept in a binder at the school for inspection by the NYS Education Department; and 2) OmniLearn is required to submit attendance reports to the NYC DOE to be paid. We count the number of students from the sign-in sheets and send the totals from each date in each school with our invoices for the Principals’ signatures. No student names are included in the attendance reports.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Microsoft OneDrive.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. If signatures have been scanned into OmniLearn’s Google Drive for record-keeping, OmniLearn implements an IT infrastructure which conforms with the requirements of PCI or HIPAA including a Cisco UTM firewall, the cloud-managed firewall and anti-virus system, complex passwords, encrypted backup, auto-locking screens, and remote wipe technology. Once payment is made, signatures are removed from the drive.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology."

OneGoal

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices. “Note: While OneGoal’s services are governed by its overarching contract with the NYCDOE, OneGoal also has school-specific agreements in place with active school partners,”

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. OneGoal engages with NYCDOE school partners to provide the Classroom Model program, a multi-year curriculum that ensures students graduate with a postsecondary plan, enroll in their chosen postsecondary institution, and ultimate complete a degree. OneGoal’s program takes place during the school day as a credit-bearing elective for juniors and seniors in high school. School-assigned teachers, whom we designate as Program Directors, run the program at partner institutions with ongoing training, support, and guidance from OneGoal staff.

Implementation of the OneGoal program relies on the import of certain student and educator data into OneGoal systems, which we may receive directly from school partners and students, as applicable. OneGoal uses this data to: 1) facilitate enrollment and access to our curriculum; 2) maintain communication with educators, school partners, and students (as appropriate); and 3) analyze and provide progress reports to our school partners about their students’ performance and progress sin connection with OneGoal’s program, including information on post-secondary outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The OneGoal security program is based on the NIST Cybersecurity Framework. The program comprises physical, technical, and administrative safeguards designed to help maintain the confidentiality, security, and availability of personal information in its care. These include, but are not limited to:

• Administrative access to environments storing student personal information is controlled with multi-factor authentication and auditing of user provisioning. The principal of least privilege ensures that only authorized users with a direct need to handle student personal information have access. Employees are briefed on their information security roles and responsibilities before being granted access to students’ personal information or information systems. When an employee leaves the organization, access to OneGoal systems is revoked.
• Student PII is encrypted in transit and at rest.
• Data is stored in a secure cloud environment that employs a combination of industry-standard physical, technical, administrative, and cloud-based measures to ensure confidentiality, integrity, and availability of data.
• OneGoal leverages a variety of third-party tools and technologies to provide its services. OneGoal conducts a privacy and security assessment of third parties with access to student information and takes reasonable steps to ensure that its third-party service providers will adhere to equivalent data security and confidentiality requirements as those included in the NDA, and as governed by our contracts with partners, data sharing agreements, and applicable laws.
• While OneGoal utilizes third-party tools and technologies to aid in the programmatic execution of its services, OneGoal does not leverage subcontractors. All involved parties performing classroom-based, student-facing services are OneGoal staff and teachers assigned by the school partner.
• Incident Response Policy and Procedure that includes a discussion of investigation, containment, mitigation, communications, and post-incident review and remediation. This involves a dedicated Security Response Team responsible for the maintenance, monitoring, and timely response to OneGoals internal security systems and any incidents, applicable.
• Annual and more frequent cadence of updates, all-staff training, and campaigns on cybersecurity hygiene and applicable data security policies.
• Ongoing implementation of industry-standard vulnerability scanning tools and malware scans for endpoint devices.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Ookla

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 2/15/2021 – 8/14/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Ookla is licensing Ookla-owned Cell Analytics data. We are also licensing a Speedtest Powered Mobile SDK. The Mobile SDK may be run by the NYCDOE on its Learn@Home app. The Mobile SDK generates test results of those end users that take a Speedtest. Ookla processes these test results only for the purpose of providing the SDK and providing subsequent data to NYCDOE.

Type of PII that the Entity will receive/access (check all that apply): Student PII and Other. We receive location and IP address of any end user that takes a Speedtest in the app in which the SDK is included.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor’s response: “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedure outlined below:

In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted: Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data is stored in secure datacenter facilities hosted by Amazon Web services. All data is fully encrypted at rest using EBS encryption based on the industry standard AES-256 cryptographic algorithm.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. The vendor selected: “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Open Assessment Technologies

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 10/1/2023 – 9/30/2030.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. OAT leverages TAO, its cutting-edge test delivery platform, to facilitate the administration of online World Language assessments for the NYC DOE. It is important to highlight that the system does not retain any personally identifiable information (PII). The Department of Education and OAT will work to implement a single-sign-on solution which does not share PII, using industry-standard data protection measures.

Type of PII that the Entity will receive/access: Entity will not receive or access PII (do not choose this response if Entity’s services or products permit users to store PII on a platform that the Entity or its subcontractors host).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. “As noted above, no PII is stored in the system. All data at rest and in flight are encrypted as required by our ISO 27001 certification process.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “As noted above, no PII is stored in the system.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The TAO solution, as used for NYC DOE, does not store any identifiable details of test takers in its platform. The assessment is launched with an anonymous identifier for each test taker, which is also used to retrieve the results. Through a de-identified sign-on process, the OAT and the DOE avoid sharing any personally identifiable information of students.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. “As noted above, no PII is stored in the system. All data at rest and in flight are encrypted as required by our ISO 27001 certification process.”

Open Education and Development Group (also called OpenEDG)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. OpenEDG {short for Open Education and Development Group LLC) is an education company that offers free courseware {study materials that include quizzes, tests, labs, summaries, etc.) dedicated to learning computer programming and coding technologies.

OpenEDG has created three main projects, Institutes dedicated to the Python, C, C++, JavaScript, HTML, and CSS programming languages: the Python Institute, the C++ Institute, and the JS Institute. Our courseware is aligned with industry-recognized certifications we have also developed. These certifications are obtained by passing a certification exam through our secure testing service. We need PII so we can issue a certification to a test candidate. We primarily need an email address, a name, and a date of birth since test candidates need to be at least 13 to take one of our certification exams.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE's option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Open Education and Development Group (OpenEDG) is committed to keeping Personally Identifiable Information {PII) safe, and therefore we've established a solid set of safeguards. These steps are aimed at maintaining the security and privacy of sensitive data. Our approach involves several protective actions:

• Administrative Measures:
  • Data Management Policies - we've set up clear policies and procedures for handling PII, defining the responsibilities of our staff.
  • Training and Awareness - our team regularly receives training on how to handle data safely and securely, highlighting the importance of PII protection.
  • Access Restrictions -we strictly control who can access PII, ensuring only authorized staff with a need based on their job can see this information.
  • Incident Management- we have a plan ready for any data breaches, with set steps for investigating, notifying affected parties, and reducing the impact.
  • Vendor Management- we carefully check and keep an eye on the security practices of any external partners or contractors with access to PII, ensuring they meet our standards.
• Technical Measures:
  • Encryption - we protect PII by encrypting it both when sending it and when storing it, using well­ established encryption methods.
  • Firewalls and Intrusion Detection - we have strong firewall systems and intrusion detection methods to prevent unauthorized access.
  • Regular Updates - we regularly update and patch our software and systems to close any security gaps.
  • Multi-Factor Authentication (MFA)-for extra security, we use MFA in systems and applications where PII is accessed.
• Physical Measures:
  • Data Center Security- our data centers have physical security measures like controlled access, monitoring, and environmental controls to protect the hardware.
  • Secure Storage - we keep any physical documents with PII in locked storage and areas where access is controlled.
  • Safe Disposal- we follow strict rules for safely getting rid of physical devices or media that might have PII. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

OpenMethods

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. OpenMethods provides tools that allow call center agents to handle interactions more efficiently and accurately; giving them the ability to answer calls, and automate processes, within the primary application they use to track constituents’ issues. OpenMethods products do not store any additional personal data than that which has already been provided, and never sell any data to other entities.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The OpenMethods solution is designed to operate within Oracle Service Cloud. The solutions is, therefore, restricted to using data within that application unless otherwise configured to do so by an employee of NYCDOE that has been given appropriate access privileges by an NYCDOE administrator. The OpenMethods solutions are also governed by the same security restrictions enforced by the Service Cloud application already running within the NYCDOE. Note that OpenMethods clients have overall responsibility for ensuring PII compliance when creating CRM experience flows. OpenMethods PopFlow and Harmony are architected to not persist sensitive information.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Optical Academy/Optical Outlet

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Optical Academy will be providing onsite vision screening service and eyewear to students in NYC schools. We provide detailed reports for pass/failing/diagnosis for every student in excel format. In order to formulate the report, we require a student ID number, students full name, and date of birth. The report is shared only to the school but is kept for internal use and records.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Optical Academy takes the privacy and security of customer and company information seriously. To protect sensitive assessment data, such as confidential information like student’s prescriptions and ID numbers, Optical Academy employs recognized industry standard security measures to safeguard the confidentiality, integrity, and availability of customer data and the services we provide.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Oracle

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. DOE is placing an order for Oracle cloud services, allowing DOE to upload data to an Oracle cloud service environment. If DOE’s uploaded data includes PII, Oracle will receive that PII, which is encrypted in transit and at rest. While the encrypted data may not be human-readable by Oracle, DOE is able to share its computer screen with Oracle reps during a technical support call, in which case DOE is allowing the Oracle rep to see the DOE data on its screen in human readable form.

Type of PII that the Entity will receive/access: “Oracle does not know what DOE data will be uploaded; Oracle contract terms permit DOE to upload PII.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. “Under the order for cloud services Oracle is only a data processor, and DOE is the data controller, allowing DOE to be the party controlling the existence, accuracy, and distribution of DOE data is in the cloud environment.”

Security and Storage Protections. Describe where PII will be stored or hosted. “For the ordered cloud service, the cloud environment made available to DOE for uploading and storing the DOE data will be an Oracle owned or controlled datacenter located in the United States.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Oracle has implemented and will maintain appropriate technical and organizational security measures for the Processing of Personal Information designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information. These security measures govern all areas of security applicable to the Services, including physical access, system access, data access, transmission and encryption, input, data backup, data segregation and security oversight, enforcement and other security controls and measures.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Orchard Blue Counseling Services

Please include a brief description of the product(s) or service(s) being provided, and the exclusive purposes for which Protected Information will be used, collected or otherwise processed: Orchard Blue Counseling Services LCSW, PLLC will provide group counseling to students, and parent psychoeducation to parents of students. Students' and parents' Protected information is collected and stored solely for the purpose in which rendering services, assessment and parent communication with use of a HIPAA compliant and data secured registered system.

How you will ensure that the subcontractors or other authorized persons or entities that you will share Protected Information with will abide by data protection and security requirements required by your agreement with the NYC DOE: All staff and subcontractors are required to complete training on the data protection and security requirements required by our agreement with the NYC DOE; all staff and subcontractors are required to sign an agreement to uphold the data and protection and security requirements required by our agreement with the NYC DOE.

When your agreement with the NYC DOE starts and ends, and what happens to Protected Information upon expiration of the agreement: Agreement starts on March 1st, 2022 and ends on February 28th, 2027 unless either party terminates the agreement earlier pursuant to the terms of the agreement. With the parents' consent, upon the termination of our contracts with NYCDOE, Orchard Blue Counseling will transfer all client data and Protected information using one of our HIPAA compliant registered systems to the contracted organization and/or entity.

If and how a parent, student, eligible student, teacher or principal may obtain copies of, and challenge the accuracy of, the Protected Information in the custody or control of the Contractor: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE to process requests for copies of, and challenges to the accuracy of, Protected Information in the custody or control of the Contractor. Such requests should be directed to studentprivacy@schools.nyc.gov.

Orchard Blue Counseling Services LCSW, PLLC agrees to notify NYC DOE of request for copies of client data and Protected Information via studenprivacy@schools.nyc.gov.

Whether the Protected information will be stored in the US or outside of the US (and if outside of the US, where), and (ii) the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): The Orchard Blue Counseling shall ensure that client data is stored securely using HIPAA compliant and secure modern software that is kept-up-to-date; client data is protected in motion and at rest. Access to client data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorized sharing of information. All employees and subcontractors receive training on relevant data privacy and security laws and regulations prior to accessing Confidential Information. When client data is deleted this should be done safely such that the data is irrecoverable. Appropriate back-up and disaster recovery solutions is in place with the registered systems. In the event of a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, client data, the Organization shall notify NYCDOE promptly, and in any event no less than 24 hours, after a known or suspected breach of security or unauthorized disclosure of Confidential Information.

How the data will be encrypted (described in such a manner as to protect data security): All staff are issued a Two Factor Verification to secure their user name and passwords in efforts to secure Protected Information; All Protected Information is stored and protected with use of a data secured registered system. The confidentiality information will be encrypted in motion and at rest.

Overgrad

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 4/1/2022 – 6/30/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Overgrad is a college and career readiness platform to support students, schools, and community-based organizations. Overgrad will be supporting the College and Career Planning Team in integrating postsecondary readiness milestones into NYCSA while also supporting platform use at select NYC DOE schools. Student PII is required to create student accounts which will be used to assess academic preparedness for postsecondary pathways and support counseling in streamlining common counselor tasks like student transcript submission to higher education universities.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Overgrad has a number of administrative, technical, and physical safeguards in place to ensure PII will be protected. Only background-checked, key personnel ever have access to any student data at Overgrad, and they are only granted access in specific school- or student-support scenarios. All access activity is logged and can be referenced should there be any questions asked by schools, students, or parents. Data is stored using standard bank-level 256-bit AES encryption. All database connections utilize SSL encryption, meaning that data is secured at all points when utilizing Overgrad. All of Overgrad’s physical servers are located in access-controlled environments. Overgrad mitigates data privacy and security risks with automated application monitoring and patching its code and servers with the most currently available security protocols. Overgrad also contracts with an outside party to contact vulnerability testing in order to identify and remedy any potential security risks in the platform.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

P2L: Pathways to Leadership

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. P2L: Pathways to Leadership (P2L) provides the following services:

• Student In-Class and After School SEL (Social Emotional Learning)-based services in youth development, violence prevention, and in counseling support and mentoring.
• Professional Development services on a wide range of SEL-based topics including Embedding SEL practices in the classroom, Engaging Youth, Building Parent Relationships, Creating a Positive Classroom Culture, Trauma Awareness, and Trauma-informed Practices.
• Parent Workshops on a wide range of SEL-based topics including Parenting Skills, Building a Relationship with Your Child’s Teacher, Supporting Your Child’s Academic Success, Financial Planning for College, and Family Healthy Lifestyle.

In P2L's provision of services PII is necessary to track workshop attendance and to communicate with families of students in attendance. Student data and PII will not be used for any commercial purpose or for any reason outside the scope of services at all.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

Implementation of Data Security and Privacy Contract Requirements

• The Director of Operations will keep abreast of current Data Privacy and Security regulations, policies, and procedures, will adapt organization policies as appropriate to adhere to those standards, and in collaboration with the Director of Programming will train organization employees on procedures to ensure data privacy and security.
• In order to ensure cyber safety, P2L: Pathways to Leadership (P2L) utilizes an IT services vendor, Altourage, who on an ongoing basis will conduct cyber risk assessment and monitoring, inform the organization of all current and relevant federal and NY state regulations regarding Data Privacy and Security, and advise measures and policies to comply, and provides staff training in cybersecurity and data privacy. Altourage does not provide any services to our clients, nor do they have access to client records or information.
• All employees are provided with the standards of data privacy and security required by law and are required to understand and attend training on the applicable policies and procedures.
• Any third parties or subcontractor with whom P2L needs to share student or school data will be required to have similar data protection obligations as contained herein, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security. P2L will not utilize any student or school data or information or student data for any purpose outside of the scope of services and will not sell or release for any commercial purpose any student PII.

Administrative, Operational and Technical Safeguards and Practices

• Employee agreements require that employees align with the security requirements of any projects undertaken.
• P2L files and software are protected by a Smart Firewall and anti-virus and antimalware software.
• Information that identified as PII is entered and kept in files on the P2L owned host solutions that are password-protected and encrypted. Physical copies are kept in locked files on school premises.
• Access to PII permissions and authorizations are managed: only persons with a direct need-to-know will be given access to PII information and only while it is needed.
• User identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes.
• User passwords will be changed at least every 120 days and must contain a complex mix of characters.
• Physical access to equipment and hard copy PII files are managed and protected through the above-mentioned practices described in II. Administrative, Operational and Technical Safeguards and Practices 1-4; all files containing PII are stored in designated, encrypted folders and/or password protected.
• Remote access is managed through items described in II. Administrative, Operational and Technical Safeguards and Practices 1-4.
• Once documents have been used for their intended purpose they will be securely deleted.
• Authentication for users, devices, and other assets are established for access to PII.

Training of Regulations and Procedures

• Employees with access to PII are provided with and are required to be familiar and understand all Data Security and Privacy policies and procedures.
• P2L will provide compliance training online and in person to employees with access to PII, who are required to attend. Ongoing training on cybersecurity is provided by Altourage through short online instructional videos with tests that employees are required to take.
• Supervisors will coach and monitor subordinates with access to PII to ensure they follow policies and procedures.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Padlet (owned by Wallwisher Inc)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Padlet Service is delivered through a digital platform which can be described as a digital canvas and is commonly used as a project and productivity software and collaboration platform for institutions (especially schools). Users can add/upload photos, videos, audio, recordings, text, drawings, graphs, charts, attachments and more. The nature of the processing includes all processing operations related to providing these Services to our customers, including collection, recording, organization, structuring, storage, adaptation, retrieval, or otherwise making content available to end users.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.” The vendor states “We work with third party service providers that may be considered our “sub-processors” under GDPR. Some providers like Google Cloud host our application while others like Postmark help us send you notification emails. We only share the data that is needed for these services to perform the task and we make sure we only work with providers that take our users privacy as seriously as we do.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Technical measures
  • Encryption
    • We encrypt all data at rest using AES 256 bit encryption.
    • When you enter any information anywhere on the Service, we encrypt the transmission of that information using secure socket layer technology (SSL/TLS) v1.2 by default.
    • We encrypt all backups of the data. Our personal devices like mobile phones and laptops have data encryption turned on so that unauthorized users cannot access our data if the device is stolen.
    • We ensure user account passwords used in our application are stored and transferred securely using encryption and salted hashing.
  • Security testing
    • We operate a ‘bug bounty’ security program to encourage an active community of third-party security researchers to report any security bugs to us.
    • We conduct rigorous penetration tests annually to ensure our service is secured against known and potential attack vectors. The tests are conducted by a reputed external security agency.
    • We scan all files uploaded to our service for malware and quarantine them if required.
    • Our work devices have anti-virus protection turned on by default.
  • Resilience
    • We maintain backups at different time delays ranging from a few minutes to a few hours to a day so that we can effectively restore data to the closest recoverable point and minimize data loss in the case of a security event.
    • We maintain cross cloud backups to ensure the data is accessible in case of a major outage impacting one provider.
    • Backups are only retained for thirty (30) days and are securely deleted after that.
    • We have designed our architecture to be resilient against DDoS attacks. We publish our uptime stats at https://status.padlet.help/.
    • We have planned and documented disaster scenarios specific to our infrastructure and the steps needed to restore service to our users with the least possible downtime and data loss.
• Physical measures
  • Data centers
    • Padlet is hosted on Google Cloud in the United States. Google maintains numerous certifications like ISO/IEC 27001 and SOC 2 to guarantee that our data is not any less protected than the bullion at Fort Knox. This includes secure perimeter defense systems, comprehensive camera coverage, biometric authentication, intrusion detection systems and a suite of other measures.
  • Our offices
    • The Service is hosted on servers at third-party facilities, with whom we have a contract providing for enhanced security measures. For example, personal information is stored on a server equipped with industry standard firewalls. In addition, the hosting facility provides a 24x7 security system, video surveillance, intrusion detection systems and locked cage areas. The Service provider is SOC 2 and ISO 27001 certified.
    • Padlet has its headquarters in San Francisco, United States and a regional office in Singapore.
      • The San Francisco office is located in Presidio which is a national park site. Access to the office is via an external door secured with a security lock. The access keys are only given to Padlet employees while they work at Padlet. The Presidio premise is monitored 24/7 by the Presidio Park Police.
      • The Singapore office is located in the Central Business District. Access to the Padlet office is via an external door secured with a security lock that can only be accessed by Padlet employees. There are other companies operating in the same building besides Padlet. All entry/exit points are monitored by CCTV cameras.
• Organizational measures
  • We restrict access to personal information to authorized Padlet employees, agents or independent contractors who need to know that information in order to process it for us, and who are subject to strict confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.
  • We require sub-processors to comply with security requirements via separate data processing agreements.
  • We use a Password Manager to secure usernames, passwords, and any other means of gaining access to the Services or to User Data, at a level suggested by Article 4.3 of NIST 800-63-3.
  • We require 2FA authentication to be enabled for all services where applicable.
  • We conduct training on data privacy and security for all our employees at least once annually.
  • We maintain security conscious policies like Encryption key management policy, Vulnerability Management, Acceptable Use, Business Continuity and Disaster Recovery and update it actively for robustness.
  • We have a documented offboarding procedure to be executed when an employee leaves the company. We remove all physical and digital access to our services as soon as an employee leaves.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Panorama Education

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 6/1/2024 – 5/31/2025.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Panorama is a survey data collection and reporting platform that collects and analyzes data for educational purposes. Panorama’s reporting platform is a series of data dashboards that bring together the perspectives of students, staff, and families. Panorama’s survey reports are designed to provide meaningful feedback to educators to help them take positive and data-informed action to improve educational environments and improve student outcomes. These dashboards will help teachers refine their practices, schools plan for growth, and districts track against strategic KPIs. Surveys are administered to all teachers and staff across the school system, students from grades 6 through 12, as well as parents and/or guardians that have students enrolled in Pre-K through 12. Providing PII enables survey responses to be tied to demographic data to be used to filter reporting.

Parents, families and students do not have accounts to access the platform as a permissioned user. All users access and complete surveys using secure survey links, anonymous survey links, or paper survey forms.

Purposes for which Contractor will receive/access PII:

• PII is used to create staff accounts in Panorama’s reporting platform so that staff can access reports.
• PII is used to roster surveys in order to link survey response data with demographic information so that NYCPS is able to utilize demographic filters and other data groupings in reporting tools.
• PII is used to send out platform updates about new functionality and enhancements to our clients.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Access Control - In accordance with our Information Security Policy, minimum access is granted based on job duties. Strong authentication with multiple authentication factors is required.
• Change Management - Changes are carefully planned and closely managed in accordance with our Change Management Policy. They are reviewed thoroughly, including security scans and functionality testing, before release. Automated testing detects and addresses issues early, ensuring reliable and secure updates.
• Vulnerability Management - Regular network scans are performed to identify and address infrastructure weaknesses. Third-party libraries and other dependencies are scanned for vulnerabilities and patched promptly.
• Encryption Standards - Data is encrypted in transit and at rest using industry standard data encryption technology.
• Incident Management - Documented incident response procedures guide actions from detection to resolution. Periodic desktop exercises ensure readiness. Retrospective incident reviews help prevent future occurrences and support continuous improvement.
• Risk Management - Periodic risk reviews proactively identify emerging threats and inform mitigation priorities. Penetration tests simulate real-world attacks to identify vulnerabilities. Third- party vendors are assessed for compliance with security requirements. Independent audits evaluate effectiveness of security measures.
• Business Continuity - Systems are designed to be resilient. Recovery procedures are documented and tested annually, in accordance with our Business Continuity Plan.
• Security Awareness Training - Workforce is trained to create and maintain secure passwords, how to identify phishing, and the importance of maintaining confidentiality of sensitive data. Annual training refreshers are mandatory.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Paper Education America

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Access to live and asynchronous homework and assignment support services provided by qualified tutors, and independent and interactive subject matter practice modules. PII that Processor receives and processes in order to begin providing Services typically includes: first name and last name; email address; student ID; relevant rostering information such as grade levels, class rosters, and classes that students are enrolled in; relevant data for assessing efficacy and reporting to the NYC DOE or its districts, shared both during onboarding and periodically thereafter when updated data is available. Processor nay also collect the following types of PII as end-users access and use the Services, including through related interactions or communications with Processor:

• Account/Profile Data such as usernames, passwords, nicknames, student IDs, Zoom name or nickname, or similar personal identifiers.
• Contact Information such as end-user email addresses, postal addresses, phone numbers, or parent/guardian name and contact information.
• User Created Content such as live, recorded, or transcribed interactions using text, speech/audio, video or other messages or content generated by end-users in various forms through their use of our Services (along with documents or images shared, emojis used, etc.), message content from support requests, feedback on tutoring sessions, questions asked by students, and documents submitted for review (along with related information provided by students, such as the title, language, related instructions and similar document requirements), and which may contain further types of Personal Information added by the end-user.
• Usage and Performance Data includes information about how end-users interact with our Services, such as statistics regarding the opening of communications sent by Paper, URL data collected by the Paper Chrome Extension, clickstream information, Platform activity (e.g. top questions asked and which students use our Services the most), bugs, errors and logs which are generated by end-users, and other similar Platform usage and performance data.
• Technical Data such as end-user IP address, browser information, screen resolution, operating system name and version, device ID, and device manufacturer and model.
• Communications Information such as preferences for receiving communications from us and a history of communications sent or received.
• Information Collected Using Cookies. We and our service providers may use cookies, pixels, and other tracking technology to recognize end-users’ browsers or devices and to capture and remember certain information about their activities when using our Services. In this Statement, when we refer to “cookies” we also include other technologies with similar purposes, such as pixels, tags and beacons. Services do not contain any marketing cookies and we do not conduct interest-based advertising. Our Services only contain essential, functional and analytic cookies.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud Platform and AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Our security program is aligned with CIS Critical Security Controls, which closely aligns with the NIST Critical Infrastructure Cybersecurity standard, and we perform annual reviews of our policies and procedures related to the security safeguards and technologies used for the protection of PII.

We utilize recognized partners to act as security/privacy consultants and to store PII (e.g. AWS). We leverage expert agencies to audit and certify that our security and privacy program adhere to state and federal regulations.

Additionally, we have documented an incident response process that outlines identification, mitigation, communication, and improvement efforts designed to ensure NYC DOE’s and all customers’ clarity and confidence associated with data and security.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

ParentSquare

The exclusive purposes for which Protected Information will be used: ParentSquare uses PISI for the purposes of school-home communication, as administered by districts, schools, teachers, and parents.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: When ParentSquare contracts with a third party, their organizations must maintain privacy policies as stringent as ours if we share PII with them.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: At the end of a customer's usage of the ParentSquare platform, the customer may request that ParentSquare make their data unavailable. At this point ParentSquare will disable access to the customer's data by configuring the software to disallow access. If a customer has other specific requirements, ParentSquare will engage with the customer to define the next steps. Data can be exported in a CSV file and sent to the customer. In the case that a customer has a need to permanently remove a piece of data that was mistakenly entered into ParentSquare, they can engage with ParentSquare's support organization to permanently obfuscate that data item from the live system and all future backups. 

[NYC DOE comment: The current agreement became effective starting on June 4, 2020 and terminates when all NYC DOE schools and/or offices cease using ParentSquare’s products/services. The terms of the agreement remain effective through the period during which ParentSquare possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): ParentSquare’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilize the Amazon Web Service (AWS) technology. ParentSquare’s primary data center is on the East coast and the backup is on the West coast. We backup our data on AWS S3 and in multiple zones. ParentSquare uses AWS security best practices such as virtual private cloud, firewalls, and recommended intrusion detection. AWS’ highly secure data centers have been accredited under: SOC 1/SSAE 16/ISAE 3402, SOC 2 (formerly SAS70), PCI Level 1, ISO 27001, and FISMA.

How the data will be encrypted (described in such a manner as to protect data security): With ParentSquare, data is encrypted in transit and at rest to provide protection of sensitive data at all critical points in its lifecycle. All data is transmitted over HTTPS connection to and from the ParentSquare application.

Partnership with Children

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. To carry out our mission, PWC partners with schools in New York City to provide school-based counseling, healing-focused arts education, and community school services. PWC serves as a Lead CBO in the city’s Community Schools Initiative, through which our social workers and community school staff are placed full-time into partner schools to support students and families and provide or coordinate school-wide services. In order to do this work, PWC must access PII in order to implement student attendance, enrichment and family engagement initiatives; assess students’ needs and provide student mental health and social-emotional interventions including counseling, group work and case management; and track student program attendance and progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Bonterra Tech (Apricot data system); Microsoft (Microsoft Office 365); Google (Google Drive); and Aperture Education (Aperture Education online).

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PWC takes seriously the need to protect the confidentiality and security of student data. PWC has administrative, operational, and technical safeguards and practices that maintain confidentiality and security of PII in a manner that complies with federal, New York State, and local laws.

Examples of administrative policies to protect data confidentiality include developing and training all staff on relevant laws and regulations, policies regarding the protection of confidential information, how to safely use technology in a way that protects confidential data, and what to do in the event of a data breach. Administrative processes also include regularly assessing risks and reviewing all aspects of data security to identify areas for improvement.

Operational safeguards include setting up systems and permissions so that staff or subcontractors can only access the data they need to do their jobs, ensuring all devices that staff use to access PII are protected with strong passwords, not storing PII locally on devices, and using secure, locked storage for any paper files with student data. PWC staff will only disclose or discuss confidential information with teachers, other providers or other external parties when they have explicit written permission from the student’s parent or guardian, unless subject to a court order or other legal order. When sharing reports or program evaluations internally or externally, data will be presented in aggregate in order to protect student confidentiality; no individually identifying data will be included unless PWC has explicit written consent to share this information.

PWC’s technological safeguards include only using electronic and cloud-based data systems that are compliant with DOE’s data privacy and meet industry standards, including using encryption for all data at rest and in storage, firewalls, regular backups, and FERPA compliance. PWC regularly monitors these systems and assesses our implementation of them to ensure continued compliance. PWC further prevents unauthorized access by ensuring system data access is determined and limited based on contract, school site, job title, and other considerations so that staff or subcontractors only have access to data that is necessary for them to do their jobs. Social work documentation, including counseling notes and case histories, are only recorded and stored in a system which is FERPA compliant with strict access controls and user audit trails.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Pathful

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Pathful is a cloud-based platform that transforms K-16 workforce readiness by aligning industry needs with educational practices, consolidating college and career exploration, work-based learning, and employability skills into a single, cost-effective solution. Only necessary data is collected in order for educators and students to access and effectively use the Pathful Platform. We do not rent or sell Personal Information that we collect from users with third parties.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS; Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data is stored in a SOC2 compliant environment in the continental United States and encrypted at rest using AES 256 bit encryption. All fields containing PII related data within our databases use dynamic masking and all PII data is deleted within 30 days of customer request or contract termination, whichever is earlier. Access is granted internally on a “need to know” basis and personnel undergo background checks. Furthermore, all fields containing PII related data within our databases use dynamic masking. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Pearson Education

Type of Entity: Commercial Enterprise

Contract Start Date: 11/1/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Exploring Digital Vendor Authorization to provide learning materials to students for English as a Second Language. MyEnglishLab is a brand comprising a suite of online, cutting-edge digital learning & assessment products currently enjoyed by over users in 178 countries (2019 data). Our learning products are aimed at Adult, Secondary and Primary English language teachers and learners offering engaging, motivating, and relevant content. Learners’ name, email, username, country of residence, native language will be used to identify and show the user data as part of the user interface and represent in the application the institution/class organization and relation.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS- Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. In accordance with security best practices, multiple layers of security exist in the computing environment to reduce the risk of unauthorized exposure of customer data. These protections include not only preventive controls designed to stop security incidents from happening, but also detective controls to inform us in the unlikely event a security control failure occurs. Along with the resilient and reliable design of our assessment platform, Pearson leads the industry in its ability to protect against and mitigate the effects of distributed denial of service (DDoS) attacks.

Administrative safeguards include measures taken to reduce errors associated with human factors whilst increasing the awareness on how user, learner, and customer data must be protected. Primarily this is governed through Pearson's security policies which are aligned to Industry information security standards and frameworks. Additionally, all Pearson Staff are required to complete a mandatory Information Security and Data Privacy training on an annual basis. 

The technical safeguards are provided as service offerings from Pearson's Chief Information Security Office to reduce the overall vulnerability landscape to Pearson network and systems hosting PII and proprietary data. These include controls such as Firewalls (Enterprise, Web and Hostbased), Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), Application Security and Infrastructure security scanning tools, Anti-Virus solution, Identity and Access Management, and Encryption for both data in transit and data at rest.

Physical and environmental safeguards are fully inherited from Pearson's Cloud service provider, Amazon Web Services who follow and are certified to industry best practices such as ISO27001, ISO27017 and SOC 2. With regards to mitigating Data Privacy and security risks, risk findings are managed through Pearson's enterprise risk management tool and commitments are obtained from senior management or relevant risk owner to fix such risk findings within an agreed timeline whilst obtaining business sign-off in the form of a risk exception.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Peer Consulting Resources

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Provide staff augmentation to DOE offices for a range of services, such as Field Project Managers, Project Managers, Network Architects, Data Analysts, Data Developers, Server Deployment Engineers, Full Stack Developers, Lead Developers, UI/UX Designers, etc. Access to PII is necessary to troubleshoot issues, provide adequate support, and develop initiatives.

Type of PII that the Entity will receive/access: Student PII, APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third-party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: PII is only being accessed, not stored or processed.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Our policy for Protection and Handling of PII: All consultants while discharging their duties at external client’s location(s), must ensure the privacy of all PII and protect such information from unauthorized disclosure. All consultants must ensure that PII used during their engagement has been utilized in conformity with applicable Federal and state laws and policies governing the confidentiality of information. All PII stored onsite must be always kept safe from unauthorized individuals and must be managed with appropriate information technology (IT) services. Accessing, processing, and storing of PII data on personally owned equipment at off- site locations (e.g. employee’s home, and non-grantee managed IT services, e.g. Yahoo mail, Gmail, etc.) is strictly prohibited.

All consultants who will have access to sensitive/confidential/proprietary/private data must be advised of the confidential nature of the information, the safeguards with which they must comply to protect the information, and that they may be liable to civil and criminal sanctions for improper disclosure.

Additional Requirements:

• Use appropriate methods for destroying sensitive PII in paper files (i.e. shredding) and securely deleting sensitive electronic PII.
• Do not leave records containing PII open and unattended.
• Store documents containing PII in locked cabinets when not in use.
• Immediately report any breach or suspected breach of PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Peoples Education (also called Mastery Education)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Product: Measuring Up Live 2.0 will provide educators and students with assessment and adaptive practice tools. The PII is needed to create unique user accounts and track student progress within the app.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Peoples Education, Inc. DBA Mastery Education makes reasonable efforts to secure Measuring Up Live 2.0 and the information users send to us against unauthorized access and corruption. These efforts include employment of physical, administrative, and technical safeguards based on currently available technology and practices to promote the integrity and security of Website user information we collect. ME implements the best in cybersecurity and data management practices to protect customer connection, data access, and availability.

• Transportation Level: The data are encrypted with an SSL certificate by GoDaddyCA©, renewed every two years.
• Rest Level: The data are encrypted with Microsoft SQL Server 2014 Enterprise Edition SP3 utilizing Transparent Data Encryption (TDE) with AES 128-bit.
• Database Backup and Transaction Log Backup: Following the backup policy, the database backups and transaction log backups are backed-up and stored on Azure Storage Accounts protected with security keys. All the backups are encrypted with the master key and asymmetric keys for restoration protection.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Perfection Learning Corporation

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Perfection Learning is providing an online delivery platform (LMS) to deliver educational content to students, teachers, and administrators in schools/districts. This enables users to access digital materials from devices such as computers, laptops, tablets, and phones if they have an Internet connection. The digital programs support and extend our print offerings with additional capabilities to enrich learning.

The personally identifiable information (PII) is needed to create student and teacher accounts, provide instruction, track student progress, and provide customized instruction for students’ needs.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud (GCP).

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Organizationally we follow the NIST Cyber Security. Our infrastructure is hosted in Google Cloud Infrastructure in the United States with all data being transmitted via HTTPS in transit and stored AES-256 encrypted at rest. We utilize a 3rd party security firm to audit our policies, procedures, monitoring, and penetration testing of our infrastructure. All employees are required to go through background checks as part of the hiring process. Employees handling customer data are required to go through additional training on FERPA and COPPA. All employees are required to go through monthly training on security and privacy. In the event they do not pass the training, they are sent into a remediation plan for security and privacy.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Phipps Neighborhoods

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Community Schools emphasize family engagement, characterized by strong partnerships and additional supports for students and families designed to counter environmental factors that impede student achievement. Phipps Neighborhoods Community Schools provide service including academic support, attendance support, school climate and culture initiatives, family engagement, and student and family need-responsive wrap around services. Student PII, including contact information and date of birth, facilitates real-time communication with families regarding availability of services as well as assessment of eligibility for other services available inside and outside of Phipps Neighborhoods. (Please note that PII will never be shared with internal or external service partners. Rather, Phipps Neighborhoods staff will share information about available services with students and families.) Phipps Neighborhoods staff collaborate with DOE staff to review student data, both personal and academic, in order to assess student-specific and group-level needs, collaboratively plan responsive services and to evaluate effectiveness of individual and group-level interventions. To store and review student records of the planning and providing of the highest level of service, Phipps Neighborhoods staff use data tools provided by the DOE and those developed by Phipps Neighborhood's own Data, Evaluation, and Learning team.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Phipps Neighborhoods, a contractor for the New York City Department of Education, will implement administrative, technical, and physical safeguards to ensure the protection of personally identifiable information (PII) of students, as required by FERPA, New York State Education Law 2-d, and Chancellor’s Regulation A-820. These safeguards will include at-rest and in-transit encryption on our cloud storage system that centralizes Phipps Neighborhoods client data, and system security settings, including the creation of permission specific to user groups, record-criterion level exclusion rules, and multifactor authentication to restrict PII access to authorized users. Phipps Neighborhoods will provide training for officers and employees on confidentiality laws, management of sub-contractors to ensure PII protection, and a plan for managing data security and privacy incidents, including breach identification and prompt notification to NYC DOE. Additionally, Phipps Neighborhoods will, at the preference of the DOE, either transition all PII to a successor contractor, or delete/destroy all PII when the contract is terminated or expires.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Pickcode Technologies

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Pickcode is an online platform for grades 5-12 designed to lower the barrier of entry to coding for students and support educators in teaching computer science effectively. The platform allows teachers to create, assign, and manage coding lessons for their students using a variety of popular programming languages. Teachers can roster students into class sections and distribute coding activities for completion. Teachers can roster students into class sections and distribute coding activities for completion. Pickcode also provides teachers with real-time tools for monitoring student progress and collaborating on coding tasks. This includes live updates on student activity and features for providing instant feedback and guidance.

Pickcode receives PII for the purposes of creating and administering accounts, and allowing teachers to identify what work has been completed by which student and track progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and Okta Auth0.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Student PII is securely stored on Pickcode’s cloud servers.
• Only authorized full-time employees may access student data for the purposes of technical support or platform maintenance.
• All new employees and contractors are trained on the safe and secure handling of student data.
• Student information is encrypted at rest and in motion.
• Our cloud databases are secured with firewall rules that limit access for only authorized uses.
• Pickcode employee access to data is protected using Multi-Factor Authentication (MFA).
• To access student PII, an authorized administrator must receive the written approval of another administrator via email authorizing the access. The request for access must include the reason for access, either customer support or platform maintenance and upkeep. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Pitsco Education (for TETRIX Virtual Robotics (VR) Software)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Teachers have learning management capabilities within the software, where they can organize and add, remove, or change teacher and student information. They also track students’ progress through an adaptive learning environment, manage, assign and assess individual student tasks, view student data analytics, and usage reports. Teachers can sync the information with Google Classroom or Clever.

Type of PII that the Entity will receive/access: Student PII and Identifiable teacher data (names/email address).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subtractor, i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. There are many safeguards in place. We secure managed office space and ensure all office and remote workers operate under the clean desk policy. We ensure all data applications are protected using multi-factor authentication. We also run background checks on incoming hires and ensure all data is secure at all times. Additional information is available on request.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Pivot Interactives SBC

Type of Entity: Commercial Enterprise

Contract / Agreement Start Date: 10/25/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Pivot Interactives uses PII to provide the service that we provide. Specifically we use PII to allow students to complete online activities for science education, save their work, submit work to teachers, collaborate with peers, and receive feedback from teachers.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Heroku and MongoDB to organize our data, which is housed on AWS servers in the US.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We limit the amount of data we collect; we encrypt it in motion and at rest, we store it on AWS servers in the US, we limit who on our team has access to PII, we run background checks on them, we comply with all federal, state, and local data security requirements especially NY 2D Ed Law. We delete the PII as soon as possible.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Planet Technologies

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 2/29/2024 – 6/30/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Planet resources will be configuring Power Pages and Dynamics Customer Service to digitize the application process for schools including: GED, Adult Education, and Coop Tech. As part of the application life cycle, Planet will be assisting with deploying a solution in a production environment which is being actively used. There is potential that the Planet Technologies consultants will be able to view Student PII in that process.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: No DOE data will be stored outside of DOE systems.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. As part of the service delivery Planet will access, store, and process customer’s data strictly within the confines of the environments and systems owned or explicitly approved by the customer and in accordance with customer’s information security policies.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Platform Athletics

Type of Entity: Commercial Enterprise

Contract / Agreement Term: One year from purchase.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. To provide software to educators to implement and execute a student and/or staff wellness program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. AWS and Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data is encrypted in transit and at rest, employees undergo security and anti-hacking training, and only C-Level employees have access to PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Playlab Education

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 2/1/2024 – 6/1/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Playlab is providing NYCPS staff and educators access to the Playlab platform so that they can (build their understanding of AI by creating, using, and adapting AI tools and (begin to responsibly adopt AI to support teaching and learning. Playlab is also providing professional development opportunities for NYCPS staff and educators, including regular hackathons; professional learning communities; and other ongoing professional learning and support.

PII is used for creating student accounts so that educators can see how students are using specific tools. For example, if a student uses a writing feedback tool on Playlab, a student account allows the educator to see what feedback the student has received and how the student responded to that feedback.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Fly.io Postgres PostHog, and sentry.io.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We’re dedicated to the following principles regarding gathering and protecting PII. This includes:

Administrative safeguards:

• Playlab follows the principle of least privilege, restricting access to production infrastructure and services that have access to PII.
• Limiting access to a minimal number of authorized personnel who have a legitimate need.
• Requiring confidentiality agreements for any personnel with access.
• We implement top tier security measures and encryption technologies to PII. This includes Multi-Factor Authentication, vulnerability scanning, and Cloudflare protections alerts
• Playlab follows industry standard practices for the review and release of new code and services into our platform, including code reviews, protected branches and release monitoring.
• Playlab ensures all third party services and components of the platform have privacy and security safeguards that meet or surpass standards set by Playlab and requirements of our partner schools and districts.
• All Playlab employees and contractors go through a background check before commencing work.
• Student Data is exclusively used for purposes sanctioned by the student's educator, school, parent, or legal custodian.
• We have established a Privacy Policy and a Platform that meet or surpass applicable obligations under COPPA, FERPA, and relevant state laws governing student privacy.
• We do not display third party advertisements to students utilizing the Platform.
• We strictly prohibit the use or disclosure of Student Data for targeted promotions or marketing.
• We are committed to continuously disclosing our data policies and practices in a transparent and comprehensible manner to our users and the broader public.
• We are committed to not retaining Student Data longer than necessary for supporting the Platform's functions or legitimate business requirements.
• We are committed to notifying our users and customers of major alterations to our Privacy Policy

Additional technical safeguards include:

• Encryption of data in transit and at rest, access controls, and implementing regular and encrypted backups
• Staff are required to change their passwords every 90 days and to use multi-tiered authentication
• Vulnerability scanning
• Threat Detection
• Regular security audits and penetration testing using tools from Fly.io, Sentry.io, and Cloudflare.
• Dependency scanning

 Physical safeguards:

• Playlab does not store any data in analog form. All data is stored in cloud services that require multi-factor authentication to access as detailed above.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

PNQ LLC (for ClassStars)

Type of Entity: Commercial Enterprise

Contract Start Date: 12/1/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We are offering a tablet-based app (iOS, Android or Windows) called ClasStars. The purpose of the app is to help teachers manage the teacher/student relationship. The app allows teachers to record attendance both at the start of class and during class when a student arrives late or leaves for a break. The primary value of the app is to allow teachers to record student behaviors and teacher encouragement during class using simple gestures. The teacher receives color-coded feedback showing the relationship of positive to negative feedback so that the teacher can provide additional encouraging feedback to those that need it most. We also show the number of times a student has been engaged in the past 2 days so that a teacher can easily attend to any students that have been missed. We offer several reports to allow teachers to view behavioral or attendance trends over time using interactive charts.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The only information on students that we obtain from DOE is a student name and class enrollments. Student pictures can be added (highly recommended) depending on school policy. To ensure security, student data is never stored on the device. It is read from our servers and displayed in the app but not saved to permanent storage. Our servers follow strict security protocols. Servers and data are all hosted on Microsoft Azure. Databases and servers are protected and access to client data is strictly limited. Developers do not have access to any production data. All server access is over secure https. No identifiable information is ever passed in a request Url. We also allow teachers to capture screen images and share them, but with all identifiable information, such as names and pictures, removed. We are partnering with an outside security firm to perform regular Penetration testing to ensure that our services are secure.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Positive Physics

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Positive Physics provides an online question and lesson bank to help all students have a positive experience in science. Students access the site through student accounts and answer practice questions. Teachers can see their students’ results through their teacher account.

PII is required to set up accounts, monitor students’ progress, and allow for account recovery and SSO.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. In order to ensure privacy and security, Positive Physics only collects the information that we truly need. All data is stored on a secure server in the United States of America with Amazon Web Services (which has physical protections) and all PII is encrypted in transit and at rest. We ensure that all code is double-checked for vulnerabilities  prior to deployment and regularly scan for system software vulnerabilities.

Software is secured through robust password policies, including complexity and regular updates. Multi-Factor Authentication (MFA) is implemented to add an extra layer of verification, enhancing overall security. Importantly, PII is not stored on hardware devices.

Access to PII is restricted to minimal personnel through role-based access controls (RBAC), ensuring employees have permissions only for tasks essential to their roles. Regular access reviews and audits help maintain a least privilege principle.

Staff is educated on security measures through comprehensive training programs. Policies include guidelines on handling sensitive information, recognizing phishing attempts, securing any devices used for work and reporting security incidents promptly. Clear communication emphasizes that PII should not be stored on individual hardware devices.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Possip

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Possip is a service that makes it easier for schools and school districts to hear from the people who matter most in education: students, their families, and staff. Here's how it works and why certain information is needed:

• What Possip Does: Possip sends out short surveys, called Pulse Checks, to get opinions and feedback. These surveys can be in over 100 different languages, so everyone can understand and respond. The goal is to find out what's going well and what could be better in the schools.
•  Why Certain Information is Collected (Personally Identifiable Information - PII): To make sure these Pulse Checks reach the right people, Possip needs some basic information about students, families, and staff. This might include names or contact details, which are given to Possip by the school or district. This information helps Possip send the surveys to the right people and allows schools to understand and act on the feedback they receive.
• Type of Information Collected: The information collected is basic, including: Email address, phone number, first and last name, student grade, student name, and student ID. Think of it like the kind of info you'd find in a school directory.

In simple terms, Possip helps schools listen to their communities by sending out easy-to-understand survey and using some basic information to make sure these surveys go to the right people. This way, schools can learn and improve based on what everyone thinks and feels.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Heroku, a division of Salesforce. Possip also utilizes additional cloud services from industry-leading providers such as Amazon Web Services (AWS) and Google Cloud Platform (GCP). These services are leveraged for specific functionalities that complement the core hosting provided by Heroku.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Personal identifying information, account information, or restricted District information, whether in electronic format or hard copy, will be secured and protected at all times to avoid unauthorized access. Possip has different levels of administrative access with various levels of visibility into sensitive information. Possip encrypts and/or password protects electronic files; which includes data saved to laptop computers, computerized devices or removable storage devices. Scheduled database backups are stored encrypted and maintained for 60 days. Vendor will not retain any Protected Data on any storage medium upon fulfillment of requested action by Participating Educational Agency. Possip will provide annual SSAE-16 / SOC 2 reports on request by district. Possip is compliant to the following Security Guidelines as defined by:

• FERPA
• PPRA
• COPPA
• CIPA
• Texas Education Agency (TEA) - Possip holds an active 3 year agreement with the state of Texas
• EdLaw2A in New York
• SOPPA in Illinois

Company shall undertake to perform reasonable measures to ensure the security, confidentiality and integrity of all Licensee Content and other proprietary information transmitted through or stored on the System including: Firewall protection of the Remote Data Center, Maintenance of independent archival and backup copies of the vendor product and Licensee Content, Protection from network attack or other malicious harmful or disabling data, work, code or program.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

PowerMyLearning

The exclusive purposes for which Protected Information will be used: PISI consists of basic identifying information (student name, etc.) that is used exclusively to enable access to the PowerMyLearning Application. The Application does not hold any information received from the DOE beyond basic identifying information. For example, the application does not hold teacher personnel data, student grades, student discipline history, student IEP records, or student health data.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: No subcontractors have access rights to the Application containing DOE Information. Per PowerMyLearning’s Information Security Policy, access rights to the Application production system containing DOE Information are granted only to three employees (1) Managing Director of Technology & Architecture, (2) Senior Developer, and (3) Senior Data Analyst.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon expiration of the DOE non-disclosure agreement or upon written request from the DOE, PowerMyLearning will erase from the Application any DOE confidential information. When a Microsoft Azure customer deletes a storage object (e.g., blob, file, queue, table), the pointer to this object is immediately deleted from the storage index used to locate and access the data. This operation is replicated asynchronously for Geo-Redundant Storage, which is the system that PowerMyLearning deploys for redundancy. With the storage index updated, the data is immediately unavailable. Azure Storage interfaces do not permit direct disk reads, mitigating the risk of another customer (or even the same customer) from accessing the deleted data before it is overwritten.

[NYC DOE comment: The current agreement became effective starting on August 19, 2019 and terminates when all NYC DOE schools and/or offices cease using PowerMyLearning’s products/services. The terms of the agreement remain effective through the period during which PowerMyLearning possesses or otherwise is in control of covered protected information.] 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.] 

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All PISI is stored in the US.

How the data will be encrypted (described in such a manner as to protect data security): All PISI encrypted in transit. All PISI is encrypted at rest at the hard disk level. Encryption methodologies used are HTTPS SSL – SHA 256 with RSA encryption and RSA-SHA1 encryption.

PowerSchool Group

Type of Entity: Commercial Enterprise

Contract / Agreement Term: TBD, contract in progress

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

• Naviance: Naviance is a college and career readiness platform that Naviance helps students explore goal setting, career interests, academic planning, and college preparation, while operating as the system of records for schools and districts.
• Enrollment: Enrollment is an enterprise enrollment product that facilitates student acquisition and registration business process through data collection from parents, administrative workflows, data integration with various SIS’s, and lotteries, streamlining related business processes. Registration is a multitenant cloudbased web application.
• Enrollment Express: Enrollment Express is a student enrollment management system inside PowerSchool SIS.
• Performance Matters Advanced Reporting: Performance Matters Advanced Reporting brings multiple data measures into one location to help school districts identify, monitor, and improve student performance. Dashboards provide access to state and national test scores, third-party diagnostic results, and district-based common formative assessments to give you the data needed to inform decisions for your schools, district, and students.
• Performance Matters Assessment: Performance Matters Assessment offers a school-wide assessment management system for curriculum teams to build student assessments for use across grade levels, content areas, and schools. Various assessment delivery methods are available including online testing, scanning, and observational scoring tools. The data is available within minutes to view how students performed on standards, each item, and overall making data-driven decisions about instructional needs quick and easy for teachers.
• PowerSchool SIS: Our SIS solution provides deep functionality across PowerSchool solutions empowering schools to configure the administrative and instructional tools for their unique needs, from managing classroom data and assignments to family engagement, student enrollment and registration, student analytics, and special education.
• Unified Talent Employee Records: digitizing processes with Unified Talent™ Employee Records simplifies onboarding. Online checklists, digital storage, centralized tracking, automated alerts, and information forwarding combine to create a more positive experience. Say goodbye to the calls, emails, and tedious verifications that hamper traditional, paper-based onboarding processes.
• Unified Classroom Schoology Learning: Schoology Learning Management System (LMS) provides learning management, assessment, and professional development all in one integrated platform. Be prepared for inevitable changes and challenges with a more flexible and reliable approach to teaching and learning while providing consistent access to learning resources across your whole district.
• Unified Classroom Curriculum and Instruction: Provide centralized access to shared curriculum so teachers can collaborate in real-time and connect curriculum directly to their lesson plans. Streamline horizontal and vertical standards alignment with our integrated digital curriculum mapping and lesson planning solution.
• Unified Classroom Special Programs: Special Programs gives special education staff the support they need to simplify case management, collaborate with general education staff, save time, and meet compliance requirements with confidence. This allows special education staff the ability to provide high-quality instruction, services, and appropriate modifications and accommodations for students with disabilities.
• Unified Classroom Behavior Support: Support the whole child with the only evidence-based (ESSA Level II) behavior solution proven to reduce suspensions and referrals and increase school positivity. Educators can collect and analyze real-time data to further positive behavior support and interventions (PBIS) and social and emotional learning (SEL).
• Unified Home Communication: By adding mass communication, two-way communication, attendance and engagement technology in combination to PowerSchool, schools and districts will benefit from stronger collaboration and enable more equitable partnerships between educators, students, and families.
• Unified Insights: Unified Insights provides a comprehensive analytics platform with actionable insights across key aspects of school and district operations and allows district staff to extract student data, create notifications, gain access with mobile devices, and distribute reports throughout the entire district.
• Unified Talent Perform: K-12 teacher evaluation software that Improves teacher support and retains effective educators. Manage and conduct teacher evaluations and observations online or in person.
• Unified Talent Professional Learning: Provides professional learning for teachers that supports career growth with easier professional development management and 24/7 accessibility.
• Unified Talent SmartFind Express: K-12 substitute teacher management software that automates callouts and streamlines online substitute management to quickly fill teacher and staff absences.
• Unified Talent Applicant Tracking: Helps schools and districts hire the teachers and staff they need faster and easier.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Processor agrees that it will protect the security, confidentiality, and integrity of the Customer Data it receives from Customers in accordance with customer’s Parents’ Bill of Rights for Data Privacy and Security. Additional elements of Processor’s Data Security and Privacy Plan are as follows:

• To implement all state, federal, and local data security and privacy requirements, including those contained within this Data Security and Privacy Plan (“DSPP”), consistent with customer’s data security and privacy policy, Processor will: Review its data security and privacy policy and practices to ensure they are in conformance with all applicable federal, state, and local laws and the terms of this DSPP. In the event Processor’s policy and practices are not in conformance, Processor will implement commercially reasonable efforts to ensure such compliance.
• As required by the NIST Cybersecurity Framework, to protect the security, confidentiality and integrity of the Customer Data that it receives under the MSA, Processor will have the following reasonable physical, administrative, and technical safeguards and practices in place throughout the term of the Agreement:
  • Data Security: Processor ensures that both data-at-rest and data-in-transit (motion) is encrypted, and data leak protections are implemented.
  • Information Protection Processes and Procedures: Processor performs data destructions according to the terms set in contracts and agreements. Processor also possesses a vulnerability management plan that will be developed and implemented.
  • Protective Technology: To ensure that network communications are protected, log/audit records are ascertained, implemented, documented, and reviewed according to Processor/District policy.
  • Identity Management, Authentication and Access Control: Processor manages remote access through credentials and identities that are issued, verified, managed, audited, and revoked, as applicable, for authorized devices, processes, and users.
• If Processor engages any subcontractors, assignees, or other authorized agents to perform its obligations under the MSA, Processor will require such subcontractors, assignees, or other authorized agents to execute written agreements requiring those parties to protect the confidentiality and security of Protected Data under applicable privacy laws.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

PRACTICE Benefit Corporation

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. PRACTICE Software is a web application designed to provide learning and communication tools for the entire school community. Our goal is to digitize the classroom experience and provide one centralized portal that students, teachers, administrators, and parents can all use to access information and learning materials such as attendance, homework assignments, grades, schedules/calendars and standardized test scores as well as access tutoring services. Our goal is to help schools across the DOE gain greater oversight on what happens at their school and save time managing and accessing class and roster information as well as provide a more efficient manner for students and parents to access assignments, view performance, and communicate with teachers.

We receive PII in order to provide our services to Students (who use our application to access and submit assignments, view individual and overall grades, receive announcements from teachers and staff, and attend virtual class meetings) and teachers (who use the application to post assignments, track grades, and send communications to students and families. Administrators use the application to monitor classes, access attendance and reporting data, and compile individual data for students such as anecdotals, demographic information, and an archive of classes and grades).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Digital Ocean.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PRACTICE Benefit Corp is cloud hosted with Digital Ocean on a secure, highly reliable, and redundant infrastructure. PRACTICE Benefit Corp software is designed to provide multiple levels of gatekeeping and provide access to individual users on a need-to-know basis with our main goal of protecting PII and privacy. All data is encrypted in transit and at rest.

PRACTICE Benefit Corp has established a multi-faceted approach to protect any DOE Confidential Information that it may receive under the contract and to ensure that PRACTICE Benefit Corp is aligned with the NIST Cybersecurity Framework. This approach includes organizational safeguards, such as restricting employee access to DOE Confidential Information, preventing disclosure of DOE Confidential Information to third parties outside of specified exceptions, training employees on the importance of protecting confidential information, including DOE Protected Information, and implementing a comprehensive incident response plan. PRACTICE Benefit Corp also utilizes various technical safeguards, including web application firewalls, automated vulnerability testing, stringent password requirements, and encryption pursuant to Transport Layer Security (“TLS”) 1.3 protocol.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Press4Kids

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Press4Kids would like to be able to roster and authenticate NYC DOE users to its service News-OMatic using Clever integration.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Press4Kids CISO periodically conducts an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic, paper, or other records containing PII maintained by Press4Kids; the CISO reports such risks as promptly as possible to Press4Kids' leadership team or other official within Press4Kids designated to be responsible for data privacy and security compliance; and implements security measures sufficient to reduce identified risks and vulnerabilities. Such measures are implemented based on the level of risks, capabilities, and operating requirements. These measures must include as appropriate and reasonable the following safeguards:

• Discipline: Press4Kids enacts appropriate discipline with respect to employees who fail to comply with Press4Kids security policies and procedures.
• System Monitoring: Press4Kids maintains procedures to regularly review records of information systems activity, including maintaining access logs, access reports, security incident tracking reports, and periodic access audits.
• Security Oversight: Press4Kids CISO is responsible for developing, implementing, and monitoring of safeguards and security issues.
• Appropriate Access: Procedures to determine that the access of Press4Kids employees to PII is appropriate and meets a legitimate need to support their roles in business or educational operations. Procedures for establishing appropriate authorization and authentication mechanisms for Press4Kids employees who have access to PII.
• Access Termination: Procedures for terminating access to PII when employment ends, or when an individual no longer has a legitimate need for access.
• Access to PII: Procedures that grant access to PII by establishing, documenting, reviewing, and modifying a user’s right of access to a workstation, software application/transaction, or process.
• Awareness Training: On-going security awareness through training or other means that provide Press4Kids employees (including management) with updates to security procedures and policies (including guarding against, detecting, and reporting malicious software). Awareness training should also address procedures for safeguarding passwords.
• Incident Response Plan: Procedures for responding to, documenting, and mitigating where practicable suspected or known incidents involving a possible breach of security and their outcomes.
• Encryption and Final Disposition of Information: Procedures addressing encryption of all data at rest and in transit and the final disposition of PII. Procedures must include processes for the continued encryption of customer's PII through the time when its secure deletion/destruction has been requested in writing by the customer, or when the terms of the agreement between Press4Kids and a customer require that the PII be deleted/destroyed.
• Access to PII: Procedures that grant access to PII by establishing, documenting, reviewing, and modifying a user’s right of access to a workstation, software application/transaction, or process.
• Awareness Training: On-going security awareness through training or other means
• Data Transmissions: Technical safeguards to ensure PII transmitted over an electronic communications network is not accessed by unauthorized persons or groups. Encryption is used when PII are in transit or at rest. Unencrypted PII is not transmitted over public networks to third parties.
• Data Integrity: Procedures that protect PII maintained by Press4Kids from improper alteration or destruction. These procedures include mechanisms to authenticate records and corroborate that they have not been altered or destroyed in an unauthorized manner
• Press4Kids collects only the data required to operate the service. PII data is not shared with third parties for marketing purposes.
• Press4Kids source code is stored in private password protected repositories. Repository access is approved by CISO. Press4Kids repositories may be available to contracted engineers on an as needed and temporary basis. Contractors may not receive access to repositories without cause and without being signatories to Press4Kids’s contracting agreement. Access is revoked upon lapse of contract.
• Hosting: All production application infrastructure is hosted by a Third-Party Services. Hosting providers must provide materials to Press4Kids documenting rigorous security and data privacy practices.
• Firewalls & Network Isolation All production and staging servers are hosted inside of a Virtual Private Cloud. Press4Kids does not own or co-locate servers for its applications. Press4Kids does not maintain on- premise application infrastructure. Application production and staging networks are isolated from business networks.
• Credentials Press4Kids engineers are granted access to services by the principle of least privilege-required upon onboarding, and permissions and users are audited monthly. Requests for new permissions must be submitted to senior management. Removal of credentials is part of off-boarding procedure when employment is terminated. Contracted personnel are not permitted to have credentials to production assets.
• Encryption HTTPS via SSL is required to connect to all web servers from the public network. Application database is encrypted-at-rest.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Prisms of Reality

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Our product is a math and science curriculum supplement that uses Virtual Reality programs designed and built by our company. PII is needed to generate login credentials and manage licensing and provide class rostering to teachers. We do not send any communication to students directly.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Prisms is dedicated to protecting student personally identifiable information (PII). We collect the minimum PII necessary to perform our essential functions. All Prisms employees with access to PII undergo annual third party security training. Access to student PII is only made available to the minimum-necessary personnel.

We conduct internal security audits every 6 months and conduct all our product development on a separate server without any student PII.

All data is encrypted, both in flight and at rest, using industry-standard encryption algorithms. The data we collect is stored on servers operated and maintained by Amazon Web Services (AWS). We do not otherwise utilize any subcontractors to deliver our core product or services.

In the event of a data breach, we follow a detailed incident response plan accessible to all Prisms employees that details the course of action. We agree to notify any key external contacts within 24 hours of confirmation of the incident.

Prisms destroys PII within 21 days of the end of the services agreement, or within 21 days upon written request from the district. We maintain user-generated data (actions taken in our app, answers submitted in our app, time spent in our app, et cetera) indefinitely, which is necessary for improving our product and maintaining accurate historical usage data.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Project Lead the Way

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. PLTW provides transformative learning experiences for PreK-12 students and teachers across the U.S. We create an engaging, hands-on classroom environment and empower students to develop in-demand knowledge and skills they need to thrive. We also provide teachers and other district personnel with the training, resources, and support they need to engage students in real-world learning. PLTW may receive protected information at the time of rostering for its programming and/or End-of-Course Assessments, during registration for professional development, and in furtherance of student and personnel opportunities. The data enable student and authorized personnel access to course curriculum, professional development, resources, and the End-of-Course Assessments, as well as opportunities for students and personnel opportunities; allow PLTW to evaluate whether there is differential impact and/or bias based on demographic categories; ensure that we offer equitable programming; evaluate program impact and efficacy; continually improve our programs, products and services; enable user functionality within the courses; and provide accurate records for PLTW users. The data will be used for such purposes and consistent with FERPA, COPPA, PPRA, and any other applicable state and federal regulations.

Type of PII that the Entity will receive/access: Student PII and APPR PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Delete identifiable data unless consent to maintain data has been obtained from an eligible student, parent, or legal guardian.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Use or access to protected data shall be limited to PLTW representatives with a legitimate interest, including limits on internal access to education records to those individuals determined to have legitimate educational interests.

PLTW has adopted and utilizes technologies, safeguards and practices that, at a minimum, align with the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1, as required by Part 121. PLTW utilizes webs application firewalls, multi-factor authentication, regular information security awareness training for all Team Members, anti-virus and  security incident event monitoring, IPS and IDS, and secure data centers to help protect all data, as well as maintain a comprehensive library of internal policies surrounding protection of data. PLTW implements a robust risk management program to continually monitor and mitigate risks to PLTW and data it stores, and in the event of a data security incident which compromises personally identifiable information, including any breach of security resulting in an unauthorized release of student data by PLTW or any of its subcontractors or assignees, PLTW agrees to promptly notify the BOE and otherwise comply with applicable laws regarding any notification obligations. Furthermore, PLTW implements safeguards including elastic load balancing, has VPCs in place, maintains a decoupled infrastructure, and requires network facing username and passwords. Server maintenance is performed by PLTW’s Infrastructure and Application Development teams, including but not limited to server patches and upgrades, which is thereafter locked down with encrypted key authentication

PLTW stores all data in an encrypted format within AWS data centers in the United States of America, stored with AES-256, block-level storage encryption. Keys are managed by Amazon, and individual volume keys are stable for the lifetime of the volume. PLTW reviews external audits of AWS data centers on a regular basis to ensure AWS is maintaining compliance and security requirements.

Encryption technology, as defined in Part 121.1(i), shall be used to protect data from unauthorized disclosure, and safeguards associated with industry standards and best practices, such as encryption technology, login information transmitted over SSL, firewalls, and encrypted password protection, shall be used when data is stored or transferred; encryption, as defined in Part 121.1(i), shall also be utilized to protect personally identifiable information in PLTW’s custody while in motion and at rest. All data is encrypted at rest at a volume level by default (minimum AES 256) and in transit (minimum TLS 1.2). 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Project STEM

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Project STEM provides computer science curriculum, delivered to teachers and students online. Any PII provided by teachers and students is for identification purposes (teacher knows which student is which). Specific student data may include first name, last name, and email address. Email addresses are collected so users can reset their own passwords. Student PII is not required to participate in this program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Project STEM regularly performs an assessment of whether procedures, policies and records of processing activities must be updated.
• Project STEM ensures external access to systems and databases used for processing personal data happens via a secured firewall.
• Project STEM’s internal network is segmented in order to ensure limited access to systems and databases used to process personal data.
• Project STEM ensures access to personal data is isolated to users with a work-related need.
• Project STEM infrastructure and related systems used for processing personal data utilize monitoring with alerting.
• Project STEM uses industry standard encryption for the transmission of confidential and sensitive personal data via the internet.
• Project STEM logs changes made by system administrators, changes in access controls and failed attempts to login to Project STEM systems, databases and networks.
• Project STEM ensures implemented technical security measures are being tested continuously by the use of vulnerability scans, and penetration tests.
• Changes to infrastructure, systems, databases and network follow procedures that ensure maintenance with relevant updates and patches, including security patches.
• Project STEM has formalized procedures for the assignment and revocation of user access to personal data, after which user access is reassessed regularly, including whether rights can still be justified by a work-related need.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Project Wayfinder

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Wayfinder’s website allows teachers, students, and administrators to access Wayfinder’s Social Emotional Learning (SEL) curriculum. Wayfinder’s website also features Waypoints, an adaptive check-in tool that helps you get a pulse on how your students are doing in relation to Wayfinder’s Core Skills. Student PII – name, email, student ID are only required - is used for log in and search purposes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS via Heroku.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data are encrypted in transit and at rest. Staff undergo yearly security and FERPA training. No keys are checked into code. Access to the site is credentialed. Data are hosted on AWS with stringent physical and network protections.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

PruTech Solutions (for Early Childhood Management System)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 8/01/2023 – 7/31/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Entity will implement the Early Childhood Management System to help the NYC DOE achieve its mission of enhancing early childhood education services. These services include the following:

• Enhance the accurateness and completeness of data collection to improve student progress and program quality.
• Provide the agency with better tools for analyzing and reporting on student progress and program quality, affording educators and administrators to make informed decisions.
• Reduce and streamline administrative processes that will result in better use of staff time and effort in managing student data and program operations.
• Build a user-friendly and accessible system that will make it easier for educators and administrators to use and understand.
• Give educators and administrators robust tools to make informed decisions that will support ongoing program improvement efforts.

DIIT will spearhead this initiative and work with the vendor to ensure all in-scope requirements are successfully achieved. This project is will be implemented on DOE’s secure Salesforce cloud environment. Data integration between DOE’s internal systems and Salesforce Cloud database will only be granted by DOE and DOE will dictate how the new system will use, view or access this data. The Entity will work with DOE to access to the necessary Student PII, Vendor Information, Accounts Payable Information and other data that will be used for the Early Childhood Management System. This application that will store and host this data on only DOE's infrastructure and DOE’s Salesforce instance. The Entity will follow all DOE's security procedures and protocols when accessing all data through these approved systems.

Type of PII that the Entity will receive/access: Student PII. “Entity will only be accessing internal data on NYC DOE approved environments. No Student PII data or other sensitive data will be stored on the Entity or subcontractors’ environments. Only individuals that have conducted full back-ground checks, finger printing by NYC DOE and signed acceptance of the applicable security policies and confidentiality agreements will be granted this VIEW ONLY access”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: No PII data will be stored on Entity consultant’s computers or on the Entity’s development environments.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Entity will ensure security of NYC DOE protected information by completing the following:

• All development and data storage will only be completed on NYC DOE approved encrypted environment.
• No data will be stored outside of NYC DOE environments by the Entity
• All resources assigned to the project will complete DOE's security screening and sign all necessary NDAs
• All resources assigned to the project are informed on PruTech's Data Security and Privacy
• Policy and are required to sign that they will comply with all security best practice.
• Data access will only be allowed with users that have been granted DOE access and only through VPN into DOE's systems
• DOE systems will restrict the usage of this data and will not allow any data to be copied local environments
• PruTech Solutions will continually monitor our resource activity to ensure all development and data storage and usage is compliant with DOE policies.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

PruTech Solutions (for Family App Enhancements)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 4/24/2023 – 4/25/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. DOE Family App Enhancements Project provides digital solutions for families to allow them to gain near-real time information related to their students. Current applications require enhancements tailored to improve user experience that will have lasting effects for students and families which may include but not limited to generating efficiencies in DOE business processes.

The Entity will implement enhancements to support any updated business policies/processes and implement recommended improvements based on end-user feedback for the following applications:

• NYC Schools Account (NYCSA)
• Student Profile (SP)
• Public Schools Athletic League (PSAL)
• Public Apps System and Emergency Management System (EMMA)
• DOE Website
• Enterprise Messaging Center

High-level project goals include:

• Provide centrally managed system tool that offers multiple methods of communication such as emails, SMS text, and robocalls with families, students, and teachers.
• Automate business processes for end-users by building seamless data integrations as required with new and existing DOE applications
• Provide families with updates to student information and capture any actions/consents required from parents
• Provide families with updates on students/schools during emergencies
• Provide families with DOE-wide, school-specific information and updates on health, safety, and policies
• Provide families with information during admissions, transfers, and schools research process

DIIT will spearhead this initiative and manage the day-to-day activities for this project and work with the vendor to ensure all in-scope requirements are successfully achieved. This project is only making enhancements on existing applications where the data and development processes have already been defined. Data will only be granted by DOE and DOE will dictate how the system will use, view or access this data. PruTech will work with DOE access to the necessary data for this application that will store and host on only DOE's infrastructure and will follow all DOE's security procedures and protocols.

Type of PII that the Entity will receive/access: Student PII. “Entity will only be accessing internal data on NYC DOE approved environments. No Student PII data or other sensitive data will be stored on the Entity or subcontractors’ environments. Only individuals that have conducted full back-ground checks and finger printing will be granted this VIEW ONLY access.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “No PII data will be stored on Entity consultant’s computers or on the Entity’s development environments.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Entity will ensure security of NYC DOE protected information by completing the following:

• All development and data storage will only be completed on NYC DOE approved encrypted environment.
• No data will be stored outside of NYC DOE environments by the Entity
• All resources assigned to the project will complete DOE's security screening and sign all necessary NDAs
• All resources assigned to the project are informed on PruTech's Data Security and Privacy Policy and are required to sign that they will comply with all security best practice.
• Data access will only be allowed with users that have been granted DOE access and only through VPN into DOE's systems
• DOE systems will restrict the usage of this data and will not allow any data to be copied local environments
• PruTech Solutions will continually monitor our resource activity to ensure all development and data storage and usage is compliant with DOE policies.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

PruTech Solutions (for Next Generation Student Information System)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 10/11/2022 – 10/10/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The entity will be implementing a Next Generation Student Information System to manage, maintain, and support all the student information, as it pertains to student and adult biographical data, attendance, and tests and exams. This new system will consolidate the functions of a modern-day Student Information System into a single integrated, flexible system that will support all student information. This system will be used by the schools, parents, and students and maintain the student information data on a single application and on one central database.

The NGSIS solution will also include a feature rich portal interface for student and family members of the student to access and gain valuable insight into the student’s progress and school events. The portal will serve as central communication platform between the school and the student, parent/guardian of the student. This portal will be web based and will be accessible to all users on a variety of mobile devices and browsers.

All student information and PII data will be hosted on DOE’s infrastructure and will follow all of DOE’s security procedures and protocols.

Type of PII that the Entity will receive/access: Other: Entity will only be accessing Student PII data on NYC DOE approved environments. No Student PII data will be stored on the Entity or subcontractor’s environments. Only individuals that who conducted full background checks and fingerprinting will be granted this VIEW ONLY access.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Other: No PII data will be stored on Entity consultant’s computers or on the Entity’s development environments.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Entity will ensure security of NYC DOE protected information by completing the following:

• All development and data storage will only be completed on NYC DOE approved and encrypted environments.
• No data will be stored outside of NYC DOE environments by the Entity.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

PruTech Solutions (for School Food App)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 4/3/2023 – 3/28/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Entity will implement the School Food Apps Modernization project and provide the necessary project management and technical resources to enhance and maintain over 40 School Food Applications. These applications mainly consist of in-house developed software and a few Commercial Off-the-Shelf (COTS) applications. These applications are web-based, with a select few residing on the DOE Intranet, and provide automation and support to various DOE business processes at different levels of maturity.

In understanding the overall School Food operations, the Entity acknowledges that the New York City (NYC) Department of Education (DOE) supports more than 1,300 cafeterias within 1,800 schools. The Office of Food and Nutrition Services (OFNS) spearheads the City’s Public Schools student meal program, responsible for sourcing and delivering approximately 1 million meals each day to NYC students. As part of this project, the Entity will update and enhance the applications that manage requests and claims associated with this complex operation.

DIIT will spearhead this initiative and manage the day-to-day activities for this project and work with the vendor to ensure all in-scope requirements are successfully achieved. This project is only making enhancements on existing applications where the data and development processes have already been defined. Data will only be granted by DOE and DOE will dictate how the system will use, view or access this data. PruTech will work with DOE access to the necessary data for this application that will store and host on only DOE's infrastructure and will follow all DOE's security procedures and protocols.

Type of PII that the Entity will receive/access: Student PII. “Entity will only be accessing internal data on NYC DOE approved environments. No Student PII data or other sensitive data will be stored on the Entity or subcontractors’ environments. Only individuals that have conducted full back-ground checks and finger printing will be granted this VIEW ONLY access.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “No PII data will be stored on Entity consultant’s computers or on the Entity’s development environments.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Entity will ensure security of NYC DOE protected information by completing the following:

• All development and data storage will only be completed on NYC DOE approved encrypted environment.
• No data will be stored outside of NYC DOE environments by the Entity
• All resources assigned to the project will complete DOE's security screening and sign all necessary NDAs
• All resources assigned to the project are informed on PruTech's Data Security and Privacy Policy and are required to sign that they will comply with all security best practice.
• Data access will only be allowed with users that have been granted DOE access and only through VPN into DOE's systems
• DOE systems will restrict the usage of this data and will not allow any data to be copied local environments
• PruTech Solutions will continually monitor our resource activity to ensure all development and data storage and usage is compliant with DOE policies.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Psychological Assessment Resources (also called PAR)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. PAR, Inc. will be providing psychological assessments including the Feifer Assessment of Reading (FAR) to the DOE. The Student PII is needed in order to score and interpret the results.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PAR employs and applies a variety of information technology tools, strategies, devices, and methodologies to protect both PAR Customer data and patient/client data and item responses that are captured and stored on PARiConnect. Below is information pertaining to these various IT controls.

Hosting and Storage Controls

• Servers utilized by PARiConnect are located at a professionally managed data hosting facility located in the central southeast region of the U.S. This is the primary facility for PARiConnect servers and is connected via a dedicated circuit to a backup facility at PAR in Florida, U.S.
• The hosting facility data centers have been evaluated against ISO 27001 and have undergone a SAS 70 Type II or SSAE 16 review.
• A third party has performed penetration testing using established guidelines/methodology.
• All sites housing PARiConnect applications and data have secure firewalls and current antivirus software installed.
• A third party has performed an external vulnerability scan.
• Sensitive application data is encrypted in transit using at least HTTPS TLS 1.2.
• Sensitive application data is encrypted at rest using the encryption algorithm AES-256.
• Database tables/fields are protected using FIPS-140-compliant encryption for all tables/fields containing sensitive data.

Application Controls

• Applications log security-relevant events. Each log entry must contain, at minimum, the following: user or process ID of the user or process causing the event, failure of the attempt to access security file, date/time of the event, type of event, success or failure of the event, and seriousness of event violation.
• Application logs are retained for at least 30 days.
• The application process runs only with least privileges necessary for proper operation (for example, root or administrator privileges are used only for specifically required operations, whereas in normal mode the application runs as a user without administrative privileges).
• A disaster recovery and backup/restore plan are in place. If applicable, data are destroyed using a NIST 800-88 compliant method.
• PAR has a Secure Software Development Life Cycle (SSDLC) in place that includes peer code review and developer security training, and a code promotion/release management strategy is in place.
• PAR does NOT store assessment scores and/or results—only item responses are stored, and such item responses are stored separately from the patient/client personal data and separately from the assessment items. This data, along with many other elements including personal data and demographics, are encrypted.

General Security Controls

• PARiConnect has a team designated with overall responsibility for the application, its controls, design, security, etc.
• PAR regularly monitors vulnerabilities in underlying products (e.g., Microsoft, Linux, databases) and patches all critical vulnerabilities within 30 days, unless overridden by Senior Leadership which is documented as an exception (example: patching would break application until the patch vendor or internal staff resolve the issues causing the failure).
• PAR and its hosting vendor maintain and monitor security appliances such as intrusion protection systems (IPS) to detect abnormal system, malware, and user behavior.
• No vendor has access to PARiConnect data and/or applications.
• All PAR employees are subject to pre-employment background checks.
• All PAR employees must complete annual security awareness training with testing. A record of each employee’s compliance status is retained.
• Passwords are accessible only to select IT employees and require oversight by the Chief Technology Officer.
• Payment information related to purchases by PAR Customers is NOT maintained or stored on PARiConnect.
• PAR complies with the EU-U.S. Privacy Shield Framework, certified to adhere to privacy and security principles outlined by the U.S. Department of Commerce to meet EU privacy concerns.

Disaster Recovery/Business Continuity Strategy (DR/BC)

• PAR employs an active/passive strategy with respect to DR/BC. The primary PARiConnect production servers act as the active installation, with real-time replication occurring to a fail-over (passive) server structure that remains ready and available to take over processing. Failover for Customer-facing systems is generally accomplished in approximately two minutes or less.
• PAR effectively creates backups in real time. Additionally, further backups are retained at a secure third-party location, as well as on-site for at least 30 days to facilitate any unlikely, but potential, need to restore data from a prior date(s).
• PAR retains electronic logs regarding the digital backup process, as well as logs regarding off-site storage.

HIPAA and FERPA

• Business associate agreements are executed electronically as part of PARiConnect account setup.
• No “designated record set,” as defined by HIPAA, is created or retained by PARiConnect.
• PARiConnect contains no billing, insurance, or diagnostic information pertaining to any PAR Customer patient/client.
• PAR staff receive annual HIPAA training.
• PAR completes an annual HIPAA risk assessment.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

PTC Wizard

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. PTC Wizard is an online application that allows parents to schedule meetings with teachers. PII is necessary to help schedule these meetings.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Administrative Safeguards
  • Require confidentiality agreements with all employees that have access to PII.
  • Limit access to PII for employees so that only employees that need access to perform their responsibilities have access to PII.
• Operational Safeguards
  • We have policies and required employee training for securing PII
  • We have incident management policies to handle security breaches.
• Technical Safeguards
  • Encryption in flight and at rest
  • Firewall protection
  • Private subnets.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Q.E.D. Inc (also called QED National)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 8/1/2023 – 7/31/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. QED National is a Staff Augmentation Firm. DOE has selected one of our resources to provide Data Analyst services. The selected Data Analyst resource will work with the existing DOE team to update existing reports and scripts and create new reports to support operations in assessment and implementation of transportation policies and report to external DOE offices on students, routes, vehicles, stops, MetroCard’s and school bus companies. The function of this role involves the processing of student level data, both in terms of providing streamlined access to OPT services and in developing reports based on such data for DOE to identify gaps, make data-driven decisions, etc. DOE has advised that there would be no way to accomplish this without providing access to PII.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: No PII will be stored or hosted by QED National, as a result no data will be transferred, and security restrictions are not required.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by QED National, as a result no data will be transferred, and security restrictions are not required.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. No PII will be stored or hosted by QED National. QED National will adhere to all DOE Policies and Security Standards for all Technical and Administrative Controls. QED National will ensure any DOE required training is completed upon the request of the DOE. In additional QED will require consultants to complete Data Privacy and Information Security Training. This 30-minute training covers data privacy, general data protection regulations (GDPR), information security and asset protection.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor stated “No PII will be stored or hosted by QED National.” 

Queens Community House (Community Schools Services)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The 21st Century Community Learning Center (21st CCLC) program’s mission to unite school, family and community through a program that builds on existing strengths and provides targeted academic enrichment, social emotional learning and mental health counseling supports for identified community needs. Students at our target schools desperately need this support.

Personal Identifiable Information (PII) plays an integral role in fulfilling the legitimate educational purposes in these programs. PII is necessary to monitor attendance, monitor student progress, and provide individualized assistance for students’ specific educational needs. PII is also needed to track progress and make the necessary improvements to the program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Queens Community House is in the process of implementing secure data handling and storage procedures, advanced encryption technologies, and comprehensive data privacy and security policies. We will create robust incident management system to quickly identify and respond to any data security and privacy incidents. In case of a breach or unauthorized disclosure of Protected Information, Queens Community House will promptly notify NYC DOE and take immediate steps to control the situation.

In terms of securing participant data, Queens Community House has adopted robust data security measures. We take the following steps to protect the data:

• Data Encryption: All PII are stored in Salesforce and is encrypted both in transit and at rest.
• Access Control: Access to PII is strictly controlled and granted only to authorized personnel.
• Regular Audits: We conduct regular audits to ensure data security measures are working effectively and to identify any potential vulnerabilities.
• Data Minimization: We collect and retain only the minimum amount of PII necessary for our purposes.
• Data Deletion/Transmission: Upon the termination of our contract, all PII will be securely deleted or transmitted to the Board of Education, as required.
• Staff Training: All staff undergo thorough training on data protection and privacy laws to ensure compliance.
• Employees are provided with a handbook that includes policies to support data privacy such as data use and access restrictions and our social media policy.
• Physical data safeguards include:
  • All files are kept secured in locked cabinets. No staff are permitted to take files off site.
  • All physical doors to offices containing PII are locked when room not in use.
  • Data is only accessed by staff on-site, never remotely.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Queens Community House (Learning to Work program)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Learning to Work (LTW) program at Queens Community House is an initiative that empowers out-of-school and off-track youth to acquire their high school diplomas while simultaneously gaining vital career and life skills. This program aids in creating educational and employment pathways for these young individuals by offering academic support, work readiness training, paid internships, and college preparation.

Personal Identifiable Information (PII) plays an integral role in fulfilling the legitimate educational purposes of the LTW program. This is due to a few key reasons:

• Individualized Attention: By having access to PII, the LTW program can provide personalized attention to each participant, ensuring they receive the specific educational support and career guidance they need.
• Program Improvement and Evaluation: PII aids in measuring the effectiveness of the program, tracking participant progress, and making necessary improvements. This data-driven approach ensures the program continually meets the needs of its participants.
• Reporting and Accountability: As part of our contractual obligations with the NYC DOE, we are required to maintain accurate records of participant engagement and progress. PII allows us to fulfill these reporting requirements effectively.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft 365 (including OneDrive and SharePoint); Google Suite (including Drive); SalesForce.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Queens Community House is in the process of implementing secure data handling and storage procedures, advanced encryption technologies, and comprehensive data privacy and security policies. We will create robust incident management system to quickly identify and respond to any data security and privacy incidents. In case of a breach or unauthorized disclosure of Protected Information, Queens Community House will promptly notify NYC DOE and take immediate steps to control the situation.

In terms of securing participant data, Queens Community House has adopted robust data security measures. We take the following steps to protect the data:

• Data Encryption: All PII are stored in Salesforce and is encrypted both in transit and at rest.
• Access Control: Access to PII is strictly controlled and granted only to authorized personnel.
• Regular Audits: We conduct regular audits to ensure data security measures are working effectively and to identify any potential vulnerabilities.
• Data Minimization: We collect and retain only the minimum amount of PII necessary for our purposes.
• Data Deletion/Transmission: Upon the termination of our contract, all PII will be securely deleted or transmitted to the Board of Education, as required.
• Staff Training: All staff undergo thorough training on data protection and privacy laws to ensure compliance.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Quill.org

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Quill.org uses the data we collect to provide users with a high quality engaging experience and fulfill our mission of creating an active learning environment and helping students take charge of their education. Collected PII includes skill based Quill assessment scores, student school enrollment, teacher defined classes, student’s name and email address, open ended responses to Quill activities, and teacher’s names..

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and Google Cloud Platform.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Quill abides by data security best practices. All of our websites and tools use secure SSL connections over HTTPS to encrypt data in transport. Our websites are hosted within the secure cloud providers Amazon AWS and Google Cloud Platform and we use their IAM security tools to restrict access to our resources. All passwords in our system are encrypted using modern password encryption techniques. For our internal tools, we use password generators and managers to generate strong random passwords and we do not re-use these passwords. Our databases are encrypted-at-rest, providing an extra layer of security.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Quizizz

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Quizizz is a teacher-powered learning activity platform where teachers can create or adapt their curriculum to motivate every student.

We combine easy-to-customize content with tools for engaging assessment, instruction, and practice that makes every learner feel included.

The information we collect helps us to provide maintain and improve the user experience over time. For example, helping teachers identify and support individual students.

Accounts are not a prerequisite to using Quizizz, but are required to access some features and to save progress over time. If you create an account, Quizizz saves the account information you provide. This information may include: an email address, a parent or guardian email address, first name or last name.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Engaging every student starts with trust. We use technical, operational, and logical security measures to keep student data safe. Here are a few examples:

• Privacy-centered design means that students can use Quizizz without creating accounts or sharing PII unless required to use a specific feature such as saving progress to a profile. Student accounts and all relevant personal data may also be deleted at any time.
• To keep your personal data secure, all data is encrypted in transit, and we maintain up-to-date certificates with a verified third-party provider—DigiCert.
• All passwords are protected using the password-hashing function bcrypt.
• Data is stored in access-controlled data centers with 24/7 monitoring by AWS, an industry-leading provider.
• Data is stored redundantly and is geographically distributed in order to maximize uptime and allow our team to restore access to your data in the event of an incident.
• Employee access to personally identifiable information is provided on an as-needed basis, to provide customer support for example.
• Employees with access to personal data are required to undergo background checks, sign a nondisclosure agreement, and are prohibited from saving personal data locally on their devices.
• Routine monitoring and alerts are used to detect and respond to potential security breaches.
• Quizizz complies with, and helps LEAs meet their obligations under, FERPA, COPPA, the EU-U.S. Privacy Shield Framework, and regional privacy agreements.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”