Vendors I-Q

Listed in Alphabetical Order:

Illuminate Education, Inc.

1. The exclusive purposes for which PISI will be used: The provision, implementation, administration, and/or maintenance of K-12 education technology products and services related thereto.

2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: Any and all subcontractors or other authorized persons or entities that Illuminate shares data with will be required to enter into strict confidentiality provisions in accordance with similar terms contained herein, and Illuminate retains the right to demand certification of compliance to said terms.

3. When the agreement expires and what happens to PISI upon expiration of the agreement: There is no one set term for the non-disclosure agreement, as individual schools may purchase Illuminate’s products or services at different times and for different periods. Within thirty (30) days of the termination of any license or data sharing agreement, Illuminate destroys all PISI. The data privacy and security terms of Illuminate’s agreement with NYC DOE will remain in effect for as long as Illuminate is in possession of NYC DOE confidential information.

 [NYC DOE additional information: The current agreement became effective starting on January 24, 2020 and remains effective through the period during which Illuminate Education, Inc. possesses or otherwise is in control of covered protected information, which varies depending on the services a given school purchased from Illuminate Education, Inc.]

4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. Challenges should be emailed to studentprivacy@schools.nyc.gov or mailed to the attention of the Chief Privacy Officer Rm 308, NYC Department of Education, 52 Chambers Street, New York, NY 10007.

[NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov]

5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: All PISI data is hosted primarily with Amazon Web Services, and there are select products hosted with Google Cloud Platform, which are being migrated to AWS. AWS hosts the data in the United States. Either provider’s SOC2 report is available upon request or can be accessed by contacting AWS or GCP directly.

6. How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted at both rest and in transfer in accordance with NIST Cybersecurity Framework requirements.

Imagine Learning, Inc.

  1. The exclusive purposes for which Protected Information will be used:

    Imagine Learning may use PI it collects, either separately or in combination with pre-existing data, for the following educational purposes:

    • To provide, maintain, secure, and operate the Services (such as authenticating users and troubleshooting problems as requested by an authorized person or user);
    • To develop and improve our services for NYC DOE;
    • To customize your experience or content within our Services;
    • To track and assess student development and progress through our Applications;
    • To generate reports that allow parents, teachers, and other Authorized Persons to evaluate student progress, identify students who need intervention, and discover students who can be taught together as a group;
    • To email teachers and other Authorized Persons about new features and other information related to our Services;
    • To conduct aggregate statistical studies and perform research for Authorized Persons;
    • To protect Imagine Learning and our Users, such as conducting audits or notifying NYC DOE of inappropriate or potentially harmful behavior;
    • To assist students who request online help from our state-certified, security-cleared teachers who are employed by Imagine Learning to provide individualized instruction; and other educational purposes requested and sanctioned by NYC DOE
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Imagine Learning may, at times, share certain pieces of PI with third parties that help us provide our Services. These third-party suppliers are considered “sub-processors” under applicable data protection laws because they process (e.g., store) personal data. We expect and require that these sub-processors implement appropriate security measures to safeguard personal data, and that they comply with applicable data protection laws.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: All PI held by Imagine Learning is destroyed or de-identified upon one of the following: (i) after termination of our relationship with a School or Authorized Person, (ii) when it is no longer needed for the purpose for which it was provided, (iii) when advised to do so by the School or Authorized Person, or (iv) as directed by agreement with the School. De-identified data (anonymous data with all PI removed) is maintained and used for reporting, analytics, and statistical research. This research helps us evaluate the effectiveness of Imagine Learning and improve our Services for you and other customers. We do not attempt to re-identify information that has been de-identified. [NYC DOE comment: The current agreement became effective starting on April 14, 2020 and terminates when all NYC DOE schools and/or offices cease using Imagine Learning, Inc’s products/services. The terms of the agreement remain effective through the period during which Imagine Learning, Inc. possesses or otherwise is in control of covered protected information.]
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Personal information collected and processed by Imagine Learning is encrypted in transit and at rest. It is also stored within the continental United States. See the Security Practices section of the Imagine Learning Privacy Policy FAQ (https://imaginelearning.com/privacy/faq) for additional details. 
  6. How the data will be encrypted (described in such a manner as to protect data security): Personal information collected and processed by Imagine Learning is encrypted in transit and at rest using FIPS 140-2 compliant methods and algorithms.

Jupiter Ed, Inc.

1. The exclusive purposes for which Protected Information will be used: Grading, homework, attendance, classroom management, and any school related activities.
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: We do not grant sub-contractors access to any customer data.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Jupiter Ed has been proudly serving many NYC DOE schools for a decade, and we have always kept PISI private, and will continue to do so. When school accounts expire and are not renewed, all data is deleted after several months, or within 2 business days of request.
 
[NYC DOE comment: The current agreement became effective starting on August 15, 2019 and terminates when all NYC DOE schools and/or offices cease using Jupiter Ed, Inc.’s products/services. The terms of the agreement remain effective through the period during which Jupiter Ed, Inc. possesses or otherwise is in control of covered protected information.]           
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Inside the US. We have detailed all our security protections in your other questionnaires.
 
6. How the data will be encrypted (described in such a manner as to protect data security): Passwords are salted and hashed using multiple algorithms. All data in and out goes through HTTPS (TLS).

Kinvolved, Inc.

  1. The exclusive purposes for which Protected Information will be used: KiNVO is an app that is used by educators and administrators to inform parents of a student’s attendance. Educators and administrators can also send contacts information relevant to a student’s education, such as homework assignments, school events, and so forth.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE:  Kinvolved requires subcontractors or other authorized persons or entities to sign non-disclosure agreements and abide by company-driven privacy and security protocols.  
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: PISI is permanently deleted from Kinvolved’s database; Kinvolved does not maintain a record of PISI. Note: Data may exist in backups for a period of 35 days after the data is deleted from the database. [NYC DOE comment: The current agreement became effective starting on August 22, 2019 and terminates when all NYC DOE schools and/or offices cease using Kinvolved, Inc.’s products/services. The terms of the agreement remain effective through the period during which Kinvolved, Inc. possesses or otherwise is in control of covered protected information.]
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI is stored in the United States.
  6. How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted in transit and at rest.

KneoWorld, Inc.

1. The exclusive purposes for which Protected Information will be used: The Protected Information will be used in connection with the services identified in Attachment A.
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: The subcontractors or other authorized persons or entities that will share the student data or teacher or principal data with, if any, will be required to provide an Affidavit confirming that they will abide by data protection and security requirements required by the NYC DOE non-disclosure agreement.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The NYC DOE non-disclosure agreement with the NYC DOE starts and ends as stipulated in the agreement, and any Protected Information will be deleted and/or destroyed upon expiration of the agreement.
 
[NYC DOE comment: The current agreement became effective starting on June 9, 2020 and terminates when all NYC DOE schools and/or offices cease using KneoWorld, Inc.’s products/services. The terms of the agreement remain effective through the period during which KneoWorld, Inc. possesses or otherwise is in control of covered protected information.]
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, KneoWorld Inc. will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of KneoWorld.
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): The Protected Information will be stored in the US, and the security protections taken to ensure such data will be protected by necessary, reasonable and appropriate means to maintain confidentiality.
 
6. How the data will be encrypted (described in such a manner as to protect data security): The Protected Information will be encrypted, stored and safeguarded by utilizing necessary, reasonable and appropriate state-of-the-art technologies to assure confidentiality.

KPMG LLP 

1. The exclusive purposes for which Protected Information will be used: The exclusive purposes for which PISI will be used are not known at this time. KPMG will be providing the deliverables, documents, reports and other materials as required by the DOE under Task Order Request assigned to KPMG during the course of the Agreement.
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: KPMG uses third party service providers within and without the United States to provide, at KPMG’s direction, certain administrative and clerical services, including information technology development and support services, to KPMG. For these purposes, KPMG would not provide access to student data or teacher or principal data with the third party service providers. KPMG has contractual terms in place with the third party service providers that dictate policy, procedural and technical controls designed to preserve the confidentiality, integrity and availability of the information to which the third party has access.
 
KPMG Subcontractors or other authorized persons with whom we share student data or teacher or principal data would be subject to the same data confidentiality terms and conditions as contained in the Agreement. Please note, NYC DOE has informed us that the confidentiality section of our Agreement would serve to cover our confidentiality obligations under this Agreement.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: KPMG will return data to the Company at the end of the contract or upon the related Task Order completion, whichever is earlier. KPMG has policies and procedures in place related to the retention and destruction of client data, as described below.
 
KPMG uses commercially reasonable industry practices for destruction of physical documents and, if data destruction occurs as part of KPMG asset disposal and renewal process, will wipe electronic media such that Client data is rendered unreadable and unrecoverable. If laws or professional standards applicable to KPMG do not permit such return or disposal of the Client data, in whole or part, KPMG shall retain such data as required by such laws or professional standards, shall maintain the continued confidentiality and security of such data in accordance with the requirements of the Agreement, and shall not actively process or use Client data for any purpose other than as required by laws or professional standards.
 
KPMG will appropriately wipe or degauss storage media used to store or process client information prior to media reuse, at the end of its life, and prior to transfer of such media offsite to a third party for maintenance or destruction. Information stored on routine back-up media for the purpose of disaster recovery will be subject to destruction in due course.
 
[NYC DOE comment: The current agreement became effective starting on December 11, 2019 and terminates when all NYC DOE schools and/or offices cease using KPMG LLP’s products/services. The terms of the agreement remain effective through the period during which KPMG LLP possesses or otherwise is in control of covered protected information.]
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to the Agreement, KPMG will work with the NYC DOE where such data is expected to be collected under a specific Task Order Request to put appropriate processes in place to address any such challenges to the accuracy of student data or teacher or principal data that is collected in the course of performing the scope of work under that Task Order Request.
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): If a task order request will involve us receiving PISI, PISI will only be stored in the US. KPMG has legal, regulatory, professional, contractual, and ethical obligations to protect all confidential information including Personally Identifiable Information (PII) that is entrusted to us by our clients, during the provision of professional services, as well as by our own employees and vendors. KPMG’s information security framework aligns with a number of authoritative sources and industry standards (e.g. ISO27001, NIST, COBIT, HIPAA, etc.) which cover physical and environmental security, logical access, incident management, business continuity management, system development, and compliance. Our framework consists of comprehensive IT policies, procedures, baselines and standards used to secure information resources and protect confidential information entrusted to us by our clients. Our system of internal controls is consistent with professional standards promulgated by AICPA for public accounting firms. KPMG complies with all applicable data protection and privacy laws and regulations.
 
6. How the data will be encrypted (described in such a manner as to protect data security): KPMG encrypts all sensitive data (PII/PHI/PISI) at rest, and some KPMG applications – including KPMG workstations – encrypt all data at rest. KPMG’s encryption standard is AES-256, and technologies used will vary based on the application. For example, we use BitLocker to encrypt workstations, and TDE to encrypt databases. For data travelling over public networks, we encrypt using TLS 1.2.

Lexia Learning Systems LLC

1. The exclusive purposes for which Protected Information will be used: The provision of literacy learning services.
 

2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Lexia flows down all data privacy and security requirements to sub-contractors working on services provided to NYC DOE (if any). Employees undergo training and abide by the Data and Security Plan (attached above and in accompanying documents).

3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement:
 
After 30 days of expiration of the agreement, or upon NYC DOE request, Protected Information is (at NYC DOE’s option) returned or destroyed.
 
[NYC DOE comment: The current agreement became effective starting on July 1, 2020 and terminates when all NYC DOE schools and/or offices cease using Lexia Learning Systems LLC products/services. The terms of the agreement remain effective through the period during which Lexia Learning Systems LLC possesses or otherwise is in control of covered protected information.]           
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected:
 
Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information is only stored within the United States.
 
6. How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted in transit and at rest in accordance with then current best practices with regards to data security and cryptography. For more information, please see attached documents.

Mathletics 3P Learning Inc.

1. The exclusive purposes for which Protected Information will be used: To enable teachers, students and customer admin users to access 3P Learning’s online learning resources and associated professional development.
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Employment contracts contain provisions in relation to confidentiality and employees are trained in privacy compliance requirements. To the extent subcontractors have access (which is not expected), contractual obligations would be imposed.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: PISI is retained for the life of the agreement and for a minimum period of two years after agreement expiration, unless otherwise explicitly requested by the DOE.
 
[NYC DOE comment: The current agreement became effective starting on August 14, 2019 and terminates when all NYC DOE schools and/or offices cease using 3P Learning Inc.’s products/services. The terms of the agreement remain effective through the period during which 3P Learning Inc. possesses or otherwise is in control of covered protected information.]
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): The primary server where PISI is located is in the US. A disaster recovery site is located in Western Europe. The same controls and security protections apply to both the primary and disaster recovery site.
 
6. How the data will be encrypted (described in such a manner as to protect data security): At rest and in transit.

McGraw Hill LLC

  1. The exclusive purposes for which Protected Information will be used: Processor will use PII to provide the requested service or to process transactions such as information requests or purchases in order to meet our contractual obligations to you. We will also process your PII to meet our legitimate interests, for example to personalize your experience and to deliver relevant content to you; to maintain and improve our services; to generate and analyze statistics about your use of the services; and to detect, prevent, or respond to fraud, intellectual property infringement, violations of law, violations of our rights or Terms of Use, or other misuse of the services. Except as described in this notice, we limit the use, collection, and disclosure of your PII to deliver the service or information requested by you. We do not collect, use, or disclose PII that is not reasonably related to the purposes described within this notice without prior notification. Your information may be combined in an aggregate and de-identified manner in order to maintain and/or improve our services.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Processor requires any and all subcontractors, persons or entities with which the Processor may share the PII to commit contractually that they will abide by the terms of the Agreement and/or the data protection and security requirements set forth in Education Law §2-d.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: When the Agreement terminates between the NYC DOE and the Processor, upon written request, the Processor shall return to the NYC DOE or, if agreed to by the NYC DOE, destroy the remaining PII that the Processor still maintains in any form. [NYC DOE comment: The current agreement became effective starting on August 3, 2020 and terminates when all NYC DOE schools and/or offices cease using McGraw Hill LLC’s products/services. The terms of the agreement remain effective through the period during which McGraw Hill possesses or otherwise is in control of covered protected information.] 
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Processor’s products require a minimal amount of PII to be collected and stored for proper use of the program. Our platform is a hybrid cloud-based and physical data center platform fully hosted by Processor. We utilize Amazon Web Services (AWS) cloud services for delivering our content to customers. Processor maintains two geographically separate data centers (East Windsor, NJ and Secaucus, NJ) which are interconnected via high speed private links. All data is stored in the continental United States.
  6. How the data will be encrypted (described in such a manner as to protect data security): Processor uses encryption technology to protect data while in motion or in its custody from unauthorized disclosure as specified in Education Law §2-d.

Microsoft

 
1. The exclusive purposes for which Protected Information will be used: PISI will be used or otherwise processed only to provide the NYC DOE Online Services including purposes compatible with providing those services:
 
  • Processing of Customer Data: Ownership
Customer Data will be used or otherwise processed only to provide Customer the Online Services including purposes compatible with providing those services. Microsoft will not use or otherwise process Customer Data or derive information from it for any advertising or similar commercial purposes. As between the parties, Customer retains all right, title and interest in and to Customer Data. Microsoft acquires no rights in Customer Data, other than the rights Customer grants to Microsoft to provide the Online Services to Customer. This paragraph does not affect Microsoft’s rights in software or services Microsoft licenses to Customer.
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Microsoft is responsible for its Subprocessor’s compliance with Microsoft’s obligations as outlined in the Online Services terms as follows:
 
  • Notice and Controls on use of Subprocessors
Microsoft may hire third parties to provide certain limited or ancillary services on its behalf. Customer consents to the engagement of these third parties and Microsoft Affiliates as Subprocessors. The above authorizations will constitute Customer’s prior written consent to the subcontracting by Microsoft of the processing of Customer Data and Personal Data if such consent is required under the Standard Contractual Clauses or the GDPR Terms. 
 
Microsoft is responsible for its Subprocessor’s compliance with Microsoft’s obligations in the OST. Microsoft makes available information about Subprocessors on a Microsoft website. When engaging any Subprocessor, Microsoft will ensure via a written contract that the Subprocessor may access and use Customer Data or Personal Data only to deliver the services Microsoft has retained them to provide and is prohibited from using Customer Data or Personal Data for any other purpose. Microsoft will ensure that Subprocessors are bound by written agreements that require them to provide at least the level of data protection required of Microsoft by the OST. 
 
From time to time, Microsoft may engage new Subprocessors. Microsoft will give Customer notice (by updating the website and providing Customer with a mechanism to obtain notice of that update) of any new Subprocessor at least 14 days in advance of providing that Subprocessor with access to Customer Data or Personal Data. However, with respect to Core Online Services, Microsoft will give Customer notice (by updating the website and providing Customer with a mechanism to obtain notice of that update) of any new Subprocessor at least 6 months in advance of providing that Subprocessor with access to Customer Data.
 
If Customer does not approve of a new Subprocessor, then Customer may terminate any subscription for the affected Online Service without penalty by providing, before the end of the relevant notice period, written notice of termination that includes an explanation of the grounds for non-approval. If the affected Online Service is part of a suite (or similar single purchase of services), then any termination will apply to the entire suite. After termination, Microsoft will remove payment obligations for any subscriptions for the terminated Online Service from subsequent invoices to Customer or its reseller.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Microsoft’s Data Retention and Deletion terms are outlined in the Online Services Terms as follows:
 
  • Data Retention and Deletion
At all times during the term of Customer’s subscription, Customer will have the ability to access, extract and delete Customer Data stored in each Online Service.
 
Except for free trials and LinkedIn services, Microsoft will retain Customer Data that remains stored in Online Services in a limited function account for 90 days after expiration or termination of Customer’s subscription so that Customer may extract the data. After the 90-day retention period ends, Microsoft will disable Customer’s account and delete the Customer Data and Personal Data within an additional 90 days, unless Microsoft is permitted or required by applicable law to retain such data or authorized in this agreement.
 
The Online Service may not support retention or extraction of software provided by Customer. Microsoft has no liability for the deletion of Customer Data or Personal Data as described in this section.
 
[NYC DOE comment: The current agreement became effective starting on July 1, 2019 and terminates when all NYC DOE schools and/or offices cease using Microsoft’s products/services. The terms of the agreement remain effective through the period during which Microsoft possesses or otherwise is in control of covered protected information.]
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to studentprivacy@schools.nyc.gov or to your child’s school.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Microsoft’s storage protocols for data at rest are outlined in the Online Services Terms as follows:
 
  • Location of Customer Data at Rest
For the Core Online Services, Microsoft will store Customer Data at rest within certain major geographic areas (each, a Geo) as follows:
  • Office 365 Services. If Customer provisions its tenant in Australia, Canada, the European Union, France, India, Japan, South Korea, the United Kingdom, or the United States, Microsoft will store the following Customer Data at rest only within that Geo: (1) Exchange Online mailbox content (e-mail body, calendar entries, and the content of e-mail attachments), (2) SharePoint Online site content and the files stored within that site, (3) files uploaded to OneDrive for Business, and (4) project content uploaded to Project Online.
  • Microsoft Intune Online Services. When Customer provisions a tenant account, Customer selects an available Geo where Customer Data at rest will be stored. Microsoft will not transfer the Customer Data outside of Customer’s selected Geo except as noted in the “Data Location” section of the Microsoft Intune Trust Center.
  • Microsoft Business Application Platform Core Services. If Customer provisions its tenant in Australia, Canada, Asia Pacific, India, Japan, the European Union, United Kingdom, or the United States, Microsoft will store Customer Data at rest only within that Geo, except as noted in the data location section of the Microsoft Business Application Platform Trust Center.
  • Microsoft Azure Core Services. If Customer configures a particular service to be deployed within a Geo then, for that service, Microsoft will store Customer Data at rest within the specified Geo. Certain services may not enable Customer to configure deployment in a particular Geo or outside the United States and may store backups in other locations, as detailed in the Microsoft Trust Center (which Microsoft may update from time to time, but Microsoft will not add exceptions for existing Services in general release).
  • Microsoft Cloud App Security. If Customer provisions its tenant in the European Union or the United States, Microsoft will store Customer Data at rest only within that Geo.
  • Microsoft Dynamics 365 Core Services. When Customer provisions a Dynamics 365 Core Service to be deployed within an available Geo, then, for that service, Microsoft will store Customer Data at rest within that specified Geo, except as described in the Microsoft Dynamics 365 Trust Center (which Microsoft may update from time to time).
  • Windows Defender Advanced Threat Protection Services. When Customer provisions a tenant account, Customer selects an available Geo where Customer Data at rest will be stored. Microsoft will not transfer the Customer Data outside of the Customer’s selected Geo except as noted in the “Data Location” section of the Microsoft Trust Center.
Microsoft does not control or limit the regions from which Customer or Customer’s end users may access or move Customer Data.
 
6. How the data will be encrypted (described in such a manner as to protect data security): Microsoft encrypts, or enables Customer to encrypt, Customer Data that is transmitted over public networks.
 

MobyMax

1. The exclusive purposes for which Protected Information will be used: To deliver software services, including supplemental instruction, intervention, assessment, and adaptive practice. To provide technical support, coaching, professional development, and/or troubleshooting for authorized users, including parents, teachers, and administrators.
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: MobyMax does not share data with subcontractors or other third parties in its normal course of doing business. Should MobyMax partner with a third-party for scientific research or integration of any kind, MobyMax will do so in accordance with district and NYC DOE policies, and only with the authorization of the district or NYC DOE.
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The agreement will be considered “in effect” as of the signing date. Upon expiration of the agreement, PISI will be disposed of according to the guidelines as stated in the agreement, including full removal of all relevant data nodes.
[NYC DOE comment: The current agreement became effective starting on October 23, 2019 and terminates when all NYC DOE schools and/or offices cease using MobyMax’s products/services. The terms of the agreement remain effective through the period during which MobyMax possesses or otherwise is in control of covered protected information.]
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All MobyMax data is stored in secure servers managed by Rackspace. The physical data center is located outside of Chicago, IL.
6. How the data will be encrypted (described in such a manner as to protect data security): All network traffic happens over encrypted channels (SFTP or HTTPS). The private keys for encryption/decryption are password-protected and accessible only to a limited number of systems engineers under tightly constrained conditions. All user passwords are encrypted in storage.

myOn Renaissance Learning, Inc.

1. The exclusive purposes for which Protected Information will be used: For Recipient to fulfill the services requested by NYC DOE (e.g., to provide Renaissance educational products to NYC DOE school customers).
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Contractual obligation and periodic vendor compliance review.
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Effective 11/12/2019 and continues until expiration/termination of underlying service agreement. PISI is disposed of per Exhibit D.
[NYC DOE comment: The current agreement became effective starting on November 12, 2019 and terminates when all NYC DOE schools and/or offices cease using Renaissance Learning, Inc.’s products/services. The terms of the agreement remain effective through the period during which Renaissance Learning, Inc. possesses or otherwise is in control of covered protected information.]
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI is stored in the United States; PISI is encrypted at rest and hosted in the cloud by Amazon Web Services (AWS). PISI transferred on the Internet is over HTTPS. Backups are also handled by AWS and backups are also encrypted at rest.
6. How the data will be encrypted (described in such a manner as to protect data security): PISI is encrypted at rest (no less than AES128) and hosted in the cloud by Amazon Web Services (AWS). PISI transferred on the Internet is over HTTPS (TLS 1.2). Backups are also handled by AWS and backups are also encrypted at rest.

n2y LLC

  1. The exclusive purposes for which Protected Information will be used: To provide the contracted services which include delivery and support of Software as a Service solutions for use by teachers and their students with special needs in the K-12 classroom.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Typically n2y does not provide authorized non-employee resources credentials to access the production environment where a customer’s student and teacher data resides. In the event an authorized non-employee needed access to the production environment to support the contracted services, they would be granted the appropriate role and permissions to access n2y’s tenant, not the customer’s tenant where their student or teacher or principal data resides.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The data is destroyed within 90 days of termination of the customer’s subscriptions in accordance with n2y’s Terms of Use and Data Privacy Policy. [NYC DOE comment: The current agreement became effective starting on August 13, 2020 and terminates when all NYC DOE schools and/or offices cease using n2y’s products/services. The terms of the agreement remain effective through the period during which n2y possesses or otherwise is in control of covered protected information.]
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data is stored in the US in multiple Microsoft Azure data centers. Data is encrypted in transit and at rest in the SQL Server database. The SaaS applications are built on MS Azure App Services platform as a service which includes several levels of security at the app services operations level. MS Azure monitoring tools are also used to monitor the services used to operate n2y SaaS platform.
  6. How the data will be encrypted (described in such a manner as to protect data security): Using TLS 1.2 in transit and Azure SQL TDE for encryption at rest. 

Nagarro Inc.

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term

Contract Start Date: 7/10/2021
Contract End Date: 6/30/2023

  1. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Nagarro will be responsible for day-to-day IT Help desk and transportation support operations providing the following type of services. The Level 1 support will include receiving initial calls, engaging translation services as needed, logging of calls into IT Service Management (ITSM) tool, basic troubleshooting and escalation to the DOE support teams. The Level 2 support includes second level troubleshooting, escalating to vendors and field support. Additionally, common support functions include but are not limited to: Troubleshooting services for the Hardware and Software related issues; Providing assistance to parents, students and teachers for inquiries related to student remote devices, such as connectivity, break-fix, and procurement processes, etc.; Providing assistance to parents and students for inquiries related to student remote applications.
  2. Type of PII that the Entity will receive/access: Protected information like records of student ID, address, DOE provided assets, proprietary & confidential records concerning DOE students and employees, will be only referred and used in context of the incoming calls and their associated resolution flow/path by the authorized Nagarro team personnel on this DOE project engagement. Any Protected Information we might have access to will only be on NYC DOE systems and not stored or accessible on company’s equipment.
  3. Subcontractor Written Agreement Requirement: In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor’s response: “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  4. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Any PII information accessed by Nagarro to address calls is stored in DOE managed and hosted environment and Nagarro will not store any PII information on its infrastructure and making changes to any PII.
  5. Challenges to Data Accuracy. The Entity agrees to the procedure outlined below: In the event DOE needs any assistance from us to facilitate correction we agree to full transparency and will work with NYC DOE on any issues that arise as part of providing the contracted services.
  6. Security and Storage Protections. Describe where PII will be stored or hosted: No PII will be stored or hosted by Entity.
  7. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Nagarro will not store PII information on its hosted products and solutions.
  8. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. The vendor’s response: “No NYC DOE data will be stored or available to Nagarro or any of the sub-contractors other than that which resides on NYC DOE systems itself.”

NTT DATA, Inc.

  1. The exclusive purposes for which Protected Information will be used: The New York City (NYC) Department of Education (DOE) has a requirement for supporting the Learn at Home initiative brought about by the Coronavirus pandemic that has caused the DOE to close its schools for the safety of the students and DOE staff. To continue to meet the education needs of its students, the DOE Learn at home program requested that NTT DATA, Inc., manage the distribution of iPads and smart devices to students and teachers who do not have computer access at home. 
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: NTT DATA, Inc., works with Custom Computer Specialists as their sub-contractors. Only authorized personnel from NTT DATA’s sub-contractor will be allowed to access the protected information in order to carry out and perform required services. All authorized users will be contractually bound by an agreement that will include confidential and data security obligations. In addition, all authorized users with access to confidential information will be trained to understand the privacy and data security obligations of this Agreement.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: All confidential data and PII will be securely stored and access will only be granted to authorized users for the purpose of providing services to the extent mentioned under the contract. Upon completion of project and/or termination all data will be securely destroyed or returned to DOE. [NYC DOE comment: The current agreement became effective starting on June 18, 2020, and terminates when all NYC DOE schools and/or offices cease using NTT DATA, Inc.’s products/services. The terms of the agreement remain effective through the period during which NTT DATA, Inc. possesses or otherwise is in control of covered protected information.]
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data will be accessed in the US and securely on SharePoint. Access to the data is strictly issued based on job requirement and at the minimal to perform the same. The customer data shall be logically and physically separated from other customer data. Data shall be periodically backed up based on the customer requirement. NTT DATA Services encrypts the data at rest which resides in our environment and data in motion which leaves our environment using industry standard cryptographic techniques. In this way confidentiality, integrity and availability of the data is ensured in NTT DATA Services.
  6. How the data will be encrypted (described in such a manner as to protect data security): NTT DATA Services encrypts the data at rest which resides in our environment and data in motion which leaves our environment using industry standard cryptographic techniques.

Ookla, Inc

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term

Contract Start Date: 2/15/2021
Contract End Date: 8/14/2022

  1. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Ookla is licensing Ookla-owned Cell Analytics data. We are also licensing a Speedtest Powered Mobile SDK. The Mobile SDK may be run by the NYCDOE on its Learn@Home app. The Mobile SDK generates test results of those end users that take a Speedtest. Ookla processes these test results only for the purpose of providing the SDK and providing subsequent data to NYCDOE.
  2. Type of PII that the Entity will receive/access (check all that apply): Student PII and Other. We receive location and IP address of any end user that takes a Speedtest in the app in which the SDK is included.
  3. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor’s response: “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  4. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  5. Challenges to Data Accuracy. The Entity agrees to the procedure outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  6. Security and Storage Protections. Describe where PII will be stored or hosted: Using a cloud or infrastructure owned tool hosted by a subcontractor.
  7. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data is stored in secure datacenter facilities hosted by Amazon Web Services. All data is fully encrypted at rest using EBS encryption based on the industry standard AES-256 cryptographic algorithm.
  8. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. 

The vendor selected: “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Operoo Inc.

1. The exclusive purposes for which Protected Information will be used: The Processor’s software applications will be used by NYC DOE schools to gather information from families/students and teachers/principals, to store such data, and to make such data available to appropriate individuals within the applicable school. The Processor does not itself use the data in any way.

2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: No subcontractors utilized by the Processor are able to see any Protected Information; all Protected Information received by any subcontractor is in encrypted form, not readable by a human. The Processor maintains contracts with all subcontractors that receive protected, encrypted data that require those subcontractors to maintain robust security protocols and to obey applicable federal and state law.

3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The current non-disclosure agreement between the Processor and NYC DOE started on October 1, 2020, replacing an earlier non-disclosure agreement. The current nondisclosure agreement will continue indefinitely until terminated by the NYC DOE on notice to the Processor. Following termination, all Protected Information will be deleted by the Processor upon the request of the NYC DOE after giving the NYC DOE (or the applicable school) an opportunity to export the data before deletion.

[NYC DOE Additional Information: Individual schools may have a contract period which varies based on when their agreement with Operoo began, however the NDA in place with this vendor covers the data privacy and security terms between the parties for all student PII. Operoo is obligated to destroy or return data for a particular school once the school’s agreement with Operoo terminates.]

4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. The Processor shall make any changes the NYC DOE directs it to make. Requests to amend records should be made to studentprivacy@schools.nyc.gov.

[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All NYC DOE data is stored on Amazon Web Services servers located in the United States. All Protected Information is encrypted both while in transit and while at rest, using protocols that have been validated by an external security audit. The Processor has adopted and adheres to robust internal policies that implement best practices security guidelines, and applies an overall philosophy of only transmitting, processing and storing the minimum amount of Protected Information required to perform the function.

6. How the data will be encrypted (described in such a manner as to protect data security): As indicated in the preceding paragraph, data is always encrypted both at rest and in transit. Processor's security layers include strong cryptographic implementations (such as 256-bit encryption, 256-bit data encrypted TLS systems using AES) and defense-in-depth network protection including firewalls and active monitoring systems. Processor periodically tests its encryption processes and other security layers to ensure their effectiveness through an ongoing security and compliance program that includes penetration testing, vulnerability testing, and code reviews, all conducted by independent third parties.

Overgrad, Inc

  1. Type of Entity: Commercial Enterprise 
  2. Contract / Agreement Term

    Contract Start Date: 4/1/2022

    Contract End Date: 6/30/2025 

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Overgrad is a college and career readiness platform to support students, schools, and community-based organizations. Overgrad will be supporting the College and Career Planning Team in integrating postsecondary readiness milestones into NYCSA while also supporting platform use at select NYC DOE schools. Student PII is required to create student accounts which will be used to assess academic preparedness for postsecondary pathways and support counseling in streamlining common counselor tasks like student transcript submission to higher education universities.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Overgrad has a number of administrative, technical, and physical safeguards in place to ensure PII will be protected. Only background-checked, key personnel ever have access to any student data at Overgrad, and they are only granted access in specific school- or student-support scenarios. All access activity is logged and can be referenced should there be any questions asked by schools, students, or parents. Data is stored using standard bank-level 256-bit AES encryption. All database connections utilize SSL encryption, meaning that data is secured at all points when utilizing Overgrad. All of Overgrad’s physical servers are located in access-controlled environments. Overgrad mitigates data privacy and security risks with automated application monitoring and patching its code and servers with the most currently available security protocols. Overgrad also contracts with an outside party to conduct vulnerability testing in order to identify and remedy any potential security risks in the platform.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Panorama Education, Inc.

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term

Contract Start Date: 11/16/2021
Contract End Date: 11/16/2022

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

    The administration, production, and reporting of the Student Perception Survey and NYC School Survey. Program services include, but are not limited to:

    • A research backed survey instrument and the respective translations into the required languages by the NYCDOE
    • The printing, shipping, and scanning of paper surveys to capture the voices of all stakeholders across the NYCDOE
    • Collaborative project management to ensure a smooth survey taking experience for students, staff, and families
    • Guidance and execution on DOE communication strategies.
    • A robust reporting platform and user accounts for NYC educators, as well as public facing reports
    • Strategic professional development to allow for data driven action planning
  4. Type of PII that the Entity will receive/access: Student PII
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor’s response: “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedure outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We take data security seriously at Panorama. We have implemented administrative, technical, and physical security measures to protect information stored in our servers, which are located in the United States. We use security safeguards such as physical access controls to buildings and files, data encryption, Secure Sockets Layer (SSL) cryptography, two-factor authentication, and firewalls to help prevent unauthorized access to the information we maintain. For more details, we invite you to take a look at our Privacy Policy at https://www.panoramaed.com/privacy/client-information-policy.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

The vendor checked the box “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

ParentSquare, Inc.

  1. The exclusive purposes for which Protected Information will be used: ParentSquare uses PISI for the purposes of school-home communication, as administered by districts, schools, teachers, and parents.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: When ParentSquare contracts with a third party, their organizations must maintain privacy policies as stringent as ours if we share PII with them.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: At the end of a customer's usage of the ParentSquare platform, the customer may request that ParentSquare make their data unavailable. At this point ParentSquare will disable access to the customer's data by configuring the software to disallow access. If a customer has other specific requirements, ParentSquare will engage with the customer to define the next steps. Data can be exported in a CSV file and sent to the customer. In the case that a customer has a need to permanently remove a piece of data that was mistakenly entered into ParentSquare, they can engage with ParentSquare's support organization to permanently obfuscate that data item from the live system and all future backups. [NYC DOE comment: The current agreement became effective starting on June 4, 2020 and terminates when all NYC DOE schools and/or offices cease using ParentSquare’s products/services. The terms of the agreement remain effective through the period during which ParentSquare possesses or otherwise is in control of covered protected information.]
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): ParentSquare’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes the Amazon Web Service (AWS) technology. ParentSquare’s primary data center is on the East coast and the backup is on the West coast. We back up our data on AWS S3 and in multiple zones. ParentSquare uses AWS security best practices such as virtual private cloud, firewalls, and recommended intrusion detection. AWS’ highly secure data centers have been accredited under: SOC 1/SSAE 16/ISAE 3402, SOC 2 (formerly SAS70), PCI Level 1, ISO 27001, and FISMA.
  6. How the data will be encrypted (described in such a manner as to protect data security): With ParentSquare, data is encrypted in transit and at rest to provide protection of sensitive data at all critical points in its lifecycle. All data is transmitted over HTTPS connection to and from the ParentSquare application.

Perfection Learning Corporation

  1. The exclusive purposes for which Protected Information will be used: The Personally Identified Information (PII) access collected for Perfection Next is used exclusively for the purpose of delivering the educational experience for students and teachers. The information collected is to identify the user in the system and ultimately associate progress of assignments.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: In the event that a subcontractor or other authorized persons or entities are provided access to student, teacher, or principal data, the resource(s) will have to have completed a background check and training on handling Personally Identifiable Information.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: When the agreement ends, we will terminate the student/teacher data from our systems. [NYC DOE comment: The current agreement became effective starting on April 22, 2020 and terminates when all NYC DOE schools and/or offices cease using Perfection Learning’s products/services. The terms of the agreement remain effective through the period during which Perfection Learning possesses or otherwise is in control of covered protected information.]
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Perfection Learning has processes and auditing in place to identify breaches and unauthorized disclosures. Should any data breach or unauthorized disclosure be identified by Perfection Learning, NYC DOE will be notified within 24 hours.
  6. How the data will be encrypted (described in such a manner as to protect data security): All data is encrypted via SSL in transit. All Personally Identifiable Information (PII) contained within Perfection Next is stored encrypted in the database at rest state.

PowerMyLearning, Inc.

  1. The exclusive purposes for which Protected Information will be used: PISI consists of basic identifying information (student name, etc.) that is used exclusively to enable access to the PowerMyLearning Application. The Application does not hold any information received from the DOE beyond basic identifying information. For example, the application does not hold teacher personnel data, student grades, student discipline history, student IEP records, or student health data.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: No subcontractors have access rights to the Application containing DOE Information. Per PowerMyLearning’s Information Security Policy, access rights to the Application production system containing DOE Information are granted only to three employees (1) Managing Director of Technology & Architecture, (2) Senior Developer, and (3) Senior Data Analyst.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon expiration of the DOE non-disclosure agreement or upon written request from the DOE, PowerMyLearning will erase from the Application any DOE confidential information. When a Microsoft Azure customer deletes a storage object (e.g., blob, file, queue, table), the pointer to this object is immediately deleted from the storage index used to locate and access the data. This operation is replicated asynchronously for Geo-Redundant Storage, which is the system that PowerMyLearning deploys for redundancy. With the storage index updated, the data is immediately unavailable. Azure Storage interfaces do not permit direct disk reads, mitigating the risk of another customer (or even the same customer) from accessing the deleted data before it is overwritten. [NYC DOE comment: The current agreement became effective starting on August 19, 2019 and terminates when all NYC DOE schools and/or offices cease using PowerMyLearning’s products/services. The terms of the agreement remain effective through the period during which PowerMyLearning possesses or otherwise is in control of covered protected information.] 
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All PISI is stored in the US.
  6. How the data will be encrypted (described in such a manner as to protect data security): All PISI is encrypted in transit. All PISI is encrypted at rest at the hard disk level. Encryption methodologies used are HTTPS SSL – SHA 256 with RSA encryption and RSA-SHA1 encryption.