Vendors I-Q

New York Education Law §2-d gives parents the right to access certain information about agreements the NYC DOE has entered into with outside entities (such as vendors) who are permitted to receive or to access identifiable student information from the DOE. These entities are required to answer a number of questions about their privacy and data security practices. Responses from such outside entities to these questions are found below. Please note that this page will be updated on a periodic basis with responses from additional outside entities.

PLEASE NOTE: The entities listed below do not comprise a list of “approved DOE vendors” and therefore should not be thought of as such. Some entities listed below may have agreements that have expired or were terminated, but whose information has not yet been moved or removed. Other entities, whose names do not appear below, may have agreements with the DOE, or agreements that are in progress, but their responses are still being processed and have not yet been posted.

Listed in Alphabetical Order:

iChineseEdu

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. PII is used to set up accounts for teachers and students, and for connecting with SSO. [DOE comment: For the product iChineseReader].
  4. Type of PII that the Entity will receive/access: Student PII and Other (teacher’s information, class assignment, and students’ class assignment)
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
    • no later than upon termination of this Agreement
    In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. “All PII data is stored in the AWS database, which can’t be accessed directly. Customers need accounts to use the app. The APIs related to PII data need to be called with an authtoken, which can be obtained by logging in successfully. A SchoolAdmin account can access teachers’ and students’ PII data in the school, a teacher account can access teacher and student PII data in the class, a student account can access his/her own PII data, and a parent account can access his/her children’s PII data.”
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Illuminate Education, Inc.

1. The exclusive purposes for which PISI will be used: The provision, implementation, administration, and/or maintenance of K-12 education technology products and services related thereto.

2. How you will ensure that the subcontractors, persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements: Any and all subcontractors or other authorized persons or entities that Illuminate shares data with will be required to enter into strict confidentiality provisions in accordance with similar terms contained herein, and Illuminate retains the right to demand certification of compliance to said terms.

3. When the agreement expires and what happens to PISI upon expiration of the agreement: There is no one set term for the non-disclosure agreement, as individual schools may purchase Illuminate’s products or services at different times and for different periods. Within thirty (30) days of the termination of any license or data sharing agreement, Illuminate destroys all PISI. The data privacy and security terms of Illuminate’s agreement with NYC DOE will remain in effect for as long as Illuminate is in possession of NYC DOE confidential information.

[NYC DOE additional information: The current agreement became effective starting on January 24, 2020 and remains effective through the period during which Illuminate Education, Inc. possesses or otherwise is in control of covered protected information, which varies depending on the services a given school purchased from Illuminate Education, Inc.]

4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. Challenges should be emailed to studentprivacy@schools.nyc.gov or mailed to the attention of the Chief Privacy Officer Rm 308, NYC Department of Education, 52 Chambers Street, New York, NY 10007.

[NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov]

5. Where the PISI will be stored (described in such a manner as to protect data security), and the security protection taken to ensure such data will be protected, including whether such data will be encrypted: All PISI data is hosted primarily with Amazon Web Services, and there are select products hosted with Google Cloud Platform, which are being migrated to AWS. AWS hosts the data in the United States. Either provider’s SOC2 report is available upon request or can be accessed by contacting AWS or GCP directly.

6. How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted at both rest and in transfer in accordance with NIST Cybersecurity Framework requirements.

Imagine Learning LLC

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Imagine Learning provides digital K-12 core, supplemental and intervention courses for each grade level. Our innovative teaching solutions use insights from real-time data to meet each student where they are and enable their success in class today and for a lifetime of learning. Users must create an account to access the product site. We use PII to create these accounts for students and teachers. Products include:

    Core
    • Imagine EL - A comprehensive, content-based K-8 core language arts program that utilizes real-world compelling texts to engage and excite learners.
    • Illustrative Math - Offers the highest quality core math curricula for grades K–12, powered by a best-in-class integrated learning experience.

    Supplemental
    • Edge (Courseware) - Dynamic courses help students in grades 6–12 maximize their potential. Initial credit and credit recovery courses adapt to each student's unique learning journey.
    • Purpose Prep - A CASEL-aligned social and emotional learning program for your primary and secondary students, as well as for your faculty and staff.
    • Imagine Galileo - A forward-thinking ELA, SLA, math, science, and College Prep benchmark and formative assessment system for K–12 that offers a powerful blend of convenience and flexibility.
    • Imagine Espanol - A rigorous and personalized program for Spanish language and literacy development in grades K–2, building the foundational skills of bilingualism, biliteracy, and cultural competency.
    • Imagine Language & Literacy - Accelerate reading and language development in PreK-6 with our personalized learning solution designed to complement any core literacy program.
    • Imagine Lectura - Empower bilingual students in grades 3–5 to unlock comprehension of authentic Spanish texts and succeed with grade-level learning tasks.
    • Imagine Math - A supplemental math program that builds students' aptitude to solve problems and justify reasoning both inside the classroom and in day-to-day life, ultimately moving them beyond computation to real comprehension.
    • Imagine Math Facts - With award-winning gamification, make practicing fluency in addition, subtraction, multiplication, and division fun, fast, and effective for elementary students.
    • Imagine Reading - Scaffold learning for students in grades 3–8 using a library of exemplary genre texts to pique interest and deepen comprehension and conversation.

    Intervention
    • MyPath - An intervention solution for math that delivers targeted, age-appropriate learning paths for all students, and targets achievement gaps using our intuitive Smart Sequencer™ technology.
    • Pathblazer - A personalized intervention program for K–6 designed to accelerate struggling learners in math and reading toward grade-level achievement using data-driven learning paths.

    Instructional Services
    • Imagine Learning virtual instructors are highly qualified, certified teachers who prioritize student success in K–12. They work across time zones and devices to provide students with the personalized instruction and the support they need to learn, grow, and reach their full academic potential.
  4. Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data).
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Other: Upon the earliest of any of the following (i) whenever requested by the BOE, (ii) whenever the Processor no longer needs the Confidential Information to provide the Services to the BOE, (iii) whenever a BOE school or office ceases use of a product or service of the Processor, with respect to the Confidential Information Processed for the school or office with respect to that product or service, or (iv) no later than upon termination of this Agreement, the Processor shall promptly (a) with respect to physical copies of Confidential Information, surrender, or if surrender is not practicable, securely delete or otherwise destroy Confidential Information and (b) with respect to digital and electronic Confidential Information, securely delete or otherwise destroy Confidential Information remaining in the possession of the Processor and its Authorized Users, including all hard copies, archived copies, electronic versions or electronic imaging of hard copies of such data.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS and Microsoft Azure.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. In addition to the protections afforded by our cloud hosting providers, practices employed at Imagine Learning to protect personal data include, but are not limited to:
    • Data encryption. Data is encrypted in transit and at rest.
    • Access. Access to personal information is restricted to a limited number of Imagine Learning employees who need such access to perform their job.
    • Data Systems Monitoring. Imagine Learning employs several third-party services that continuously monitor and scan our online services for vulnerabilities and misconfigurations. Employees dedicated to operating our services monitor these services and receive automated alerts when performance falls outside of prescribed norms.
    • Incident Response Plan. Imagine Learning regularly reviews and maintains an incident response plan.
    • File Transfer Protocol. Data is securely transferred to Imagine Learning using File Transfer Protocol (FTP) over a secure (SSL/TLS) cryptographic protocol.
    • Firewalls. Anti-virus software and firewalls are installed and configured to scan our systems. The firewall is periodically updated and configured so that users cannot disable the scans.
    • Security audits. Imagine Learning conducts security audits and code reviews, both by outside providers and by executive summary.
    • Secure programming practices. Imagine Learning software developers are aware of secure programming practices and strive to avoid introducing errors in our applications (such as those identified by OWASP and SANS) that could lead to security breaches.
    • Account protection. Each user of Imagine Learning is required to create an account with a unique account name and password. Single Sign-On (SSO) users are authenticated with secure tokens.
    • Facility security. Imagine Learning is located inside the continental United States. Physical access is protected by electronic access devices, with monitored security and fire/smoke alarm systems.
    • Security Breach. In the event of a security breach that results in unauthorized release of personal data, Imagine Learning will notify affected customers of such breach, will investigate, and will restore the integrity of its data systems as soon as possible. We will fully cooperate and assist with required notices to those individuals affected by such breach.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Instructure, Inc

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term: Multiple dates depending upon the relevant Services Agreement(s).
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Instructure is providing MasteryConnect which is a software-as-a-service K-12 digital assessment management system. We limit our collection and use of personal information only to those elements required to operate our Products. Please note that if we process your personal information for a purpose other than the purpose for which it was collected, we will provide you with notice in advance of the new processing and obtain consent if required. We do not engage in automatic decision making, advertising to students, or profiling. We use the information described above to provide, analyze, and improve our products, including to:
    • Create and maintain your account
    • Identify you as a user
    • Notate and assign support tickets
    • Provide, operate, maintain, and improve our Products
    • Personalize and improve your experience
    • Contact you and communicate with you, including to respond to your comments or inquiries
    • Provide customer support
    • Solicit feedback about our Products, including by asking you to respond to surveys or questionnaires (with your permission)
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Instructure takes student privacy seriously. Instructure’s MasteryConnect SaaS product has robust administrative and technical controls to make sure that their information stays private. We've built our operations around international standards such as ISO 27001 and are audited by third parties to make sure that we're actually doing what we say we're doing. We use Amazon Web Services to host our software and they have technical and physical controls designed (and audited) to store everything from students’ homework to top secret documents at the FBI. We take security and privacy seriously and you can learn more on our website (https://www.instructure.com/products/canvas/security).

  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Jigsaw Learning LLC (dba TeachTown)

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. TeachTown provides standards-based core curriculum for students with moderate to severe disabilities. The student emails and names are needed in order to make them individual accounts to track progress.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
    • no later than upon termination of this Agreement
    In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS in the US.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. TeachTown is committed to maintaining strong privacy and security protections. The privacy and security of this information is a significant responsibility, and we value the trust of our students, parents, and staff. TeachTown secured a Chief Information Security Officer (CISO) and Chief Data Privacy Officer in 2021. TeachTown’s Privacy Program is responsible for creating, maintaining, communicating, and enforcing a comprehensive privacy control environment to ensure the company meets its legal, contractual and other organizational requirements for Processing Personal Information. TeachTown complies with its responsibilities under all applicable state and federal laws and regulations that protect the confidentiality of personally identifiable information and Student Data, including the Federal Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. 12329(g); Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. 6501-6502; Protection of Pupil Rights Amendment (PPRA), 20 U.S.C. 1232; and applicable State laws governing the protection of personally identifiable information from students’ educational records (“Student Data”), including New York Education Law Section 2-d and Part 121 of the Commissioner’s Regulation.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Jupiter Ed, Inc.

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Jupiter Ed is an online Gradebook, Learning Management System (LMS) and Student Information System (SIS). Our LMS includes our gradebook, remote learning features, online assignments and tests, including an online essay grader. There are messages (email and text) and discussion forums for teacher/parent and student communication. The student information system module also includes report cards, transcripts, attendance, discipline records and scheduling. Schools can also select online enrollment and online payment modules. Our products can be used with students from pre-school through high school levels. We also offer both in-person and online teacher and administrator trainings. Schools have the option to enter PII into Jupiter but it is not required. See a detailed list of each module here: https://jupitered.com/modules.php.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. [DOE comment: In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
    • no later than upon termination of this Agreement
    In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.]

  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using an Entity-owned and/or internally hosted-solution.”
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
    • Jupiter stores PII on dedicated servers, not shared infrastructure.
    • Jupiter encrypts PII in transit using industry standard SSL technology.
    • Jupiter encrypts data at rest using industry standard HDD encryption.
    • Jupiter employs intrusion detection software to safeguard critical infrastructure.
    • Employee access to Jupiter servers is managed via VPN.
    • PII is transmitted across infrastructure using encrypted channels, never via “thumb drive”, email, or other insecure method.
    • Jupiter uses automated systems to destroy PII when a customer has not renewed their contract. No manual action by staff is required.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Kaplan K-12 Learning Services

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term:

    The agreement has a start date: 1/1/2022

    The agreement has an end date: 12/31/2028

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Kaplan works with the NYC DOE Office of Equity and Access to support the DREAM program, and its students and teachers. For the SHSAT prep program beginning early July 2022, Kaplan will provide SHSAT prep books, Kaplan SHSAT Practice Test kits and assessment reporting.

    PII (i.e. OSIS number) will be used for reporting assessment results.

  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. [DOE comment: In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
    • no later than upon termination of this Agreement

      In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.]

  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor: Amazon (AWS)
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

    1) Kaplan will maintain compliance with all state, federal, and local data security and privacy requirements through implementation of security controls governed by an Information Security Management System (ISMS) that is based on ISO 27001 requirements.

    2) The following security controls, governed by the ISMS, are in place to protect the PII it will receive under the contract:

    (a) Strong access controls, including utilization of unique usernames (in this case, the student number), strong password requirements, and requirements for heightened privileges (which are reviewed on a regular basis) to access the backend system for in-scope activities;

    (b) Protection of data at rest within the AWS environment using best practices encryption standards and algorithms in compliance with ISO 27001 standards. Such data encryption includes use of 2048-bit RSA encryption, utilization of AWS KMS for key management (creation, management, and destruction), and protection of key exchange standard integrity through the use of security certificates created and maintained within the AWS environment using AWS's CMS;

    (c) Protection of data in transit using similar industry-recognized best practice encryption standards and algorithms in compliance with ISO 27001 standards. This includes strict usage of TLS 1.2 or better with HTTPS. Data that is in transit within Kaplan's environment (e.g., from the AWS instance to Kaplan employees) is protected through use of an encrypted-tunnel VPN;

    (d) Protection of network and other communication channels through a zero-trust network design with micro-segmentation principles; such design is created through utilization of Zscaler's zero trust network technologies, implementation of advanced firewalls (including web application firewalls and NGFWs), and creation and use of DMZs (using Zscaler's proxying technologies coupled with installed firewalls); Kaplan also requires use of an encrypted-tunnel VPN (AES-256 encrypted P2P tunnel) with MFA for remote access;

    (e) Physical and environmental controls managed by AWS that are in compliance with ISO 27001, SSAE 18 SOC 2 Type 1 and Type 2, and other industry standard requirements; and

    (f) Constant vigilance over its systems through use of in-depth logging and monitoring practices, utilities, and software. Kaplan's assets, networks, and users are monitored through collection and analysis of log data in AlertLogic SIEM and other utilities, including Orea, Qualys, and Crowdstrike. Kaplan also uses AlertLogic, Orea, Qualys, and Crowdstrike SOCs to monitor Kaplan's environment and alert Kaplan's information security teams to potential malicious activity. Alerts from these organizations are reviewed by Kaplan's SecOps team immediately; logs collected are reviewed on a daily basis as well.

    3) Kaplan's ISMS serves as the framework for implementing security controls that ensures compliance with New York State Education Law § 2-d and the NYC DOE's Parents' Bill of Rights for Data Privacy and Security. In general, maintaining a data security and information privacy program that is based on ISO 27001 controls ensures that Kaplan maintains compliance with all major international, national, state, and local laws, regulations, and standards. More particularly, the ISMS and associated security controls listed above, as well as the further security controls placed on Kaplan's systems, networks, and data, ensure that the rights prescribed in the Parents' Bill of Rights for Data Privacy and Security are protected and provided to NYC DOE. Beyond the security controls listed above, Kaplan also maintains a data privacy mailbox through which data access requests can be made. Kaplan privacy officers will review the requests against what is allowed by the Parents' Bill of Rights for Data Privacy and Security as well as what is allowed by New York state law, US federal law, and international law, and provide access, allow for changes and/or deletion, and other activities permitted by these legal and regulatory sources.


    4) Kaplan's use of AWS and the security controls in place as governed by Kaplan's ISMS allows for continual data backups placed in hot standby for immediate availability within the AWS environment. Snapshots of Kaplan's applications and data are taken throughout the day and stored concurrently in multiple secondary/fallback AWS data center locations. Confidentiality, integrity, and availability are therefore ensured through this backup and immediate availability scheme taken together with Kaplan's access controls, encryption protocols, and other security measures.

    5) Kaplan requires extensive training for its personnel who will be interacting with or handling in-scope data or systems. Such training covers, inter alia, the following topics: proper data labeling and handling; proper use of Kaplan assets (including use of Kaplan workstations, remote access to Kaplan's systems, and general acceptable use policies); maintaining compliance with applicable international, national, and local information security, data privacy, and other laws, regulations, industry standards, and contractual obligations. Such training is provided in general form during the onboarding process and thereafter throughout the year in more particular form per subject/topic area, culminating in requirements to retake the general course at the two-year mark.

    6) Kaplan maintains strong access controls on all aspects of its environment and ensures such controls are implemented through a vigorous and well-maintained user rights management program. The user rights management program is managed, reviewed, updated, and overseen by an internal Identity and Access Management (IAM) team; the IAM team is in turn responsible for access provisioning and deprovisioning (implemented through AD/Azure AD), privilege reviews (performed through Archer URM software), and ensuring compliance with Kaplan's strict password requirements, amongst other responsibilities. Of particular note, access to in-scope systems that host client data is tightly controlled by Kaplan's IAM team, with any provision of access privileges reviewed on at least a quarterly basis for heightened privileges and twice a year for all other access.

    7) Only a select few organizations, third-party contractors, and subcontractors have access to the in-scope data. The primary subcontractors that will be used in this relationship are used for hosting purposes and legitimate business, legal, and technical activities within Kaplan's environment. They are contractually restricted from accessing the data without explicit authorization from Kaplan.

    8) Subcontractors for the in-scope relationship are limited to those used to host Kaplan services (e.g., AWS) and those required for internal critical business functions (e.g., legal, business, and technical activities). They are all contractually restricted from accessing in-scope data without explicit written permission from Kaplan.

    9) In the event of a data security incident, Kaplan follows an incident management procedure that is part of its ISMS. This procedure includes steps for internal alerts, investigations, remediation, and, importantly, communicating information concerning the breach to affected third parties. Such external communications will be performed at the direction of the Vice President of Information Security and Privacy, or as applicable, the NYC DOE, within the time periods required by applicable laws and regulations.

    10) Kaplan's systems, ISMS policies and procedures, and security controls are tested multiple times throughout the year through external audits, internal audits, penetration tests, and vulnerability assessments. This includes external audits for ISO 27001 purposes; internal audits for purposes of ISO 27001 certification, PCI and SOX compliance, and sound risk management practices; and penetration tests and vulnerability assessments to identify vulnerabilities in Kaplan's systems and remediate those vulnerabilities immediately.

    11) Data will either be returned to NYC DOE or permanently deleted in accordance with the Agreement.

  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Khan Academy, Inc

  1. Type of Entity: Community Based Organization or Not-for-Profit
  2. Contract / Agreement Term:

    Contract Start Date: Coincides with the start date of the contract entered into by the DOE (or school within the NYC DOE school system) for MAP Accelerator service

    Contract End Date: Expires at the end of the school/school district’s subscription to the MAP Accelerator service

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Khan Academy is a non-profit organization that provides access to a free website located at http://khanacademy.org and related mobile applications (together “Website”), through which it provides educational services, including, but not limited to, educational content, products, and services (together, the "Services"). The Services include a wide range of content and learning activities, including instructional content and exercises aligned to core curriculum, test practice courses, a personalized learning dashboard, and other learning activities and education programs. Access to the Website and educational content is made available for free. Standard features, including account creation and the ability to assign lessons to and monitor learning progress, are also available for free. Content can be viewed without creating an account; however, for most school use, individual user accounts are created for each individual student, teacher, or other user. The accounts may be used for work in the classroom or for at-home learning.


    In addition to free standard features, Khan Academy offers supplemental services to school districts and educational agencies to facilitate implementation by the district or agency, under paid subscriptions. These supplemental services include MAP Accelerator, which uses scores from a standardized assessment (known as MAP Growth scores) and the Khan Academy personalized learning system to give each student custom learning paths, while educators get real-time data to inform instruction. In order to provide MAP Accelerator each student is registered with an individual user account on the Website. In addition to providing personalized learning plans specific to the MAP Accelerator, user accounts provide access to all of Khan Academy's content and standard features.


    Khan Academy’s use of personally identifiable information may vary based on the services or programs selected, but generally includes use (i) to provide students with individual Website accounts; (ii) to provide adaptive and/or customized learning features of the Service and educational programs offered through the Service; (iii) to allow teachers and other school personnel, and parents and coaches associated with students, to review and evaluate student educational achievement and progress on the Service; (iv) to provide school personnel with insights regarding student learning and (v) to communicate with users regarding use of the Service and provide information regarding educational and enrichment programs.


    Parents may learn more about Khan Academy’s services by viewing our terms of service and privacy policy, each of which are available on the Website. Parents are able to establish parent accounts on the Website and to associate the parent account with their child’s account in order to view their child's progress and assist them with at-home learning.

  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Google.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Khan Academy has established technical and administrative safeguards designed to help protect personally identifiable information from unauthorized access, disclosure, use or acquisition by an unauthorized person, including when transmitting and storing such information. A summary of Khan Academy’s security safeguards is set forth below:

    Technical Safeguards

    • Khan Academy knows that encryption is key to protecting data. We use industry standard encryption technology to protect data transmitted over the internet. The Khan Academy website is hosted on the Google Cloud Platform, and we rely on Google for server and datacenter security. All data on the Google Cloud Platform is encrypted at rest in accordance with Google’s security practices.
    • We limit access to data on a need-to-know basis. Khan Academy uses role-based permissions to limit access to sensitive data and systems to our personnel who need it for a legitimate business purpose.
    • We follow industry best standard practices in developing our software.
    • Laptops provided to our employees for work purposes are managed to ensure that they are properly configured, regularly updated, and tracked. Our default configuration includes full-disk encryption of hard drives, on-device threat detection and reporting capabilities, and lock when idle for a specified amount of time. All laptops are securely wiped before we re-issue or dispose of them.

    Administrative Safeguards

    • All personnel are required to follow our Information Security Policy, which specifies how we protect data and comply with our security commitments.
    • We employ a variety of methods to assess and manage risk, including policies, procedures, and use of industry standard tools to monitor and protect data and systems.
    • Khan Academy has established a vendor management program which includes review of the security controls, privacy and data protection policies, and contract terms of our service providers upon initial engagement and periodically thereafter.
    • Khan Academy has an incident response plan in place to identify and address any potential data or security incident.

    Personnel

    • Our employees are required to complete information security awareness training upon hire and periodically thereafter. Personnel are required to acknowledge and agree to our written information security policy and our employee handbook which, among other things, highlights our commitment to keep Student Education Records and confidential information secure.
    • Employees that have access to Student Education Records receive training on applicable federal and state privacy laws.
    • Khan Academy employees are screened with background checks prior to their employment with us.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Kinvolved, Inc.

  1. The exclusive purposes for which Protected Information will be used: KiNVO is an app that is used by educators and administrators to inform parents of a student’s attendance. Educators and administrators can also send contacts information relevant to a student’s education, such as homework assignments, school event, and so forth.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE:  Kinvolved requires subcontractors or other authorized persons or entities to sign non-disclosure agreements and abide by company-driven privacy and security protocols.  
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: PISI is permanently deleted from Kinvolved’s database; Kinvolved does not maintain a record of PISI. Note: Data may exist in backups for a period of 35 days after the data is deleted from the database. [NYC DOE comment: The current agreement became effective starting on August 22, 2019 and terminates when all NYC DOE schools and/or offices cease using Kinvolved, Inc.’s products/services. The terms of the agreement remain effective through the period during which Kinvolved, Inc. possesses or otherwise is in control of covered protected information.]
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI is stored in the United States.
  6. How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted in transit and at rest.

KneoWorld, Inc.

1. The exclusive purposes for which Protected Information will be used: The Protected Information will be used in connection with the services identified in Attachment A.
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: The subcontractors or other authorized persons or entities that KneoWorld will share the student data or teacher or principal data with, if any, will be required to provide an Affidavit confirming that they will abide by data protection and security requirements required by the NYC DOE non-disclosure agreement.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The non-disclosure agreement with the NYC DOE starts and ends as stipulated in the agreement, and any Protected Information will be deleted and/or destroyed upon expiration of the agreement.
 
[NYC DOE comment: The current agreement became effective starting on June 9, 2020 and terminates when all NYC DOE schools and/or offices cease using KneoWorld, Inc.’s products/services. The terms of the agreement remain effective through the period during which KneoWorld, Inc. possesses or otherwise is in control of covered protected information.]
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, KneoWorld, Inc. will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of KneoWorld.
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): The Protected Information will be stored in the US, and the security protections taken to ensure such data will be protected by necessary, reasonable and appropriate means to maintain confidentiality.
 
6. How the data will be encrypted (described in such a manner as to protect data security): The Protected Information will be encrypted, stored and safeguarded by utilizing necessary, reasonable and appropriate state-of-the-art technologies to assure confidentiality.

KPMG LLP

1. The exclusive purposes for which Protected Information will be used: The exclusive purposes for which PISI will be used are not known at this time. KPMG will be providing the deliverables, documents, reports and other materials as required by the DOE under the Task Order Requests assigned to KPMG during the course of the Agreement.
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: KPMG uses third party service providers within and without the United States to provide, at KPMG’s direction, certain administrative and clerical services, including information technology development and support services, to KPMG. For these purposes, KPMG would not provide the third party service providers with access to student data or teacher or principal data. KPMG has contractual terms in place with the third party service providers that dictate policy, procedural and technical controls designed to preserve the confidentiality, integrity and availability of the information to which the third party has access.
 
KPMG subcontractors or other authorized persons with whom we share student data or teacher or principal data would be subject to the same data confidentiality terms and conditions as contained in the Agreement. Please note that NYC DOE has informed us that the confidentiality section of our Agreement would serve to cover our confidentiality obligations under this Agreement.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: KPMG will return data to the Company at the end of the contract or upon the related Task Order completion, whichever is earlier. KPMG has policies and procedures in place related to the retention and destruction of client data, as described below.
 
KPMG uses commercially reasonable industry practices for destruction of physical documents and, if data destruction occurs as part of KPMG asset disposal and renewal process, will wipe electronic media such that Client data is rendered unreadable and unrecoverable. If laws or professional standards applicable to KPMG do not permit such return or disposal of the Client data, in whole or part, KPMG shall retain such data as required by such laws or professional standards, shall maintain the continued confidentiality and security of such data in accordance with the requirements of the Agreement, and shall not actively process or use Client data for any purpose other than as required by laws or professional standards.
 
KPMG will appropriately wipe or degauss storage media used to store or process client information prior to media reuse, at the end of its life, and prior to transfer of such media offsite to a third party for maintenance or destruction. Information stored on routine back-up media for the purpose of disaster recovery will be subject to destruction in due course.
 
[NYC DOE comment: The current agreement became effective starting on December 11, 2019 and terminates when all NYC DOE schools and/or offices cease using KPMG LLP’s products/services. The terms of the agreement remain effective through the period during which KPMG LLP possesses or otherwise is in control of covered protected information.]
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to the Agreement, KPMG will work with the NYC DOE where such data is expected to be collected under a specific Task Order Request to put appropriate processes in place to address any such challenges to the accuracy of student data or teacher or principal data that is collected in the course of performing the scope of work under that Task Order Request.
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): If a task order request will involve us receiving PISI, PISI will only be stored in the US. KPMG has legal, regulatory, professional, contractual, and ethical obligations to protect all confidential information including Personally Identifiable Information (PII) that is entrusted to us by our clients, during the provision of professional services, as well as by our own employees and vendors. KPMG’s information security framework aligns with a number of authoritative sources and industry standards (e.g. ISO27001, NIST, COBIT, HIPAA, etc.) which cover physical and environmental security, logical access, incident management, business continuity management, system development, and compliance. Our framework consists of comprehensive IT policies, procedures, baselines and standards used to secure information resources and protect confidential information entrusted to us by our clients. Our system of internal controls is consistent with professional standards promulgated by AICPA for public accounting firms. KPMG complies with all applicable data protection and privacy laws and regulations.
 
6. How the data will be encrypted (described in such a manner as to protect data security): KPMG encrypts all sensitive data (PII/PHI/PISI) at rest, and some KPMG applications – including KPMG workstations – encrypt all data at rest. KPMG’s encryption standard is AES-256, and technologies used will vary based on the application. For example, we use BitLocker to encrypt workstations, and TDE to encrypt databases. For data travelling over public networks, we encrypt using TLS 1.2.

Learning A-Z, LLC

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term:
    Contract Start Date: 1/19/2022
    Contract End Date: 1/19/2023
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The following Personally Identifiable data is captured by our system:
    • Teacher first name, last name (required)
    • Grade (optional)
    • Teacher email (required)
    • Student Class Chart name (required)
    • Student first name, last name (optional)
    • Parent first or last name (optional)
    • Parent email (required for parent access)
    Additional Data Collected. Certain activities on certain services allow children to create or manipulate content and save it on our services. Some of these activities do not require children to provide any personal information. If a service requests or allows a child to provide personal information in their created content, we will seek prior verifiable parental consent in order to collect that information. Examples of created content that constitute or may include Personal Information include the following:
    • Student voice recordings (Raz-Kids, Raz-Plus and Headsprout only): Children may record themselves reading texts, they may play the recordings back, and they may send the recordings to their teachers
    • Open-text fields (Raz-Kids, Raz-Plus and Writing A–Z only): Children may draft and submit written responses to various prompts
    • Message sent to students by parents or teachers
    We do not use student voice recordings or the information provided by children in open-text fields for any internal purpose; we only transmit the voice recordings and the content provided in open-text fields to the child’s teacher, where it can be reviewed or downloaded. Students may not share student voice recordings or the information provided in open-text fields with anyone else, and they cannot privately communicate with anyone using the service.

    Additional educational information is collected as the child progresses through the service, such as amount of time logged in, reading rate, and assessment scores. This information allows the service to adapt to the child and inform the teacher on the child’s progress.
  4. Type of PII that the Entity will receive/access: Student PII and Other: Teacher First Name/Last Name (required), Teacher Email (required), Grade (optional), Student First Name/Last Name (optional), Parent First Name/Last Name (optional). Parent Email (required for parent access).
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations.
    Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: The vendor selected “Other: Learning A-Z reporting interfaces provide the ability for clients to export roster information and some aspects of fluency data. Learning A-Z can provide export of additional data upon request. The district can request a purge of all district data and Learning A-Z will provide proof of data purge. Learning A-Z purges data two years after last access by teachers and/or students.”
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Cambium Learning products are deployed on servers and equipment owned and operated by Cambium Learning. Our servers and all user-specific data are hosted in a secure Tier 4 enterprise data center located in Dallas, TX with a fail-over data center in Ann Arbor, MI.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Cambium Learning products are deployed on servers and equipment owned and operated by Cambium Learning. Our servers and all user-specific data are hosted in a secure Tier 4 enterprise data center located in Dallas Texas with a failover data center in Ann Arbor, Michigan. Technical Security Provisions include:
    • Unique login credentials for each student
    • HTTPS connection with data coming into and out of our applications
    • Firewall technology at each of our enterprise data centers
    • Restricted access to application databases containing student data
    • Physical security to our servers at each of our enterprise data centers
    • Daily backups of student data in local and off-site locations
    • We encrypt all data at rest with AES 256.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Data collected from student interactions with our products is exchanged via encrypted channels using HTTPS. Data is encrypted at AES 128 or higher. Data is encrypted with AES256, AES128 and 3DES in that order depending on client browser support. Our products use asymmetric encryption, so there is no risk of side channel attacks or key holders. We use secure FTP when sharing files with school districts. We encrypt all data at rest with AES256. Backup data is also encrypted.

Lexia Learning Systems LLC

1. The exclusive purposes for which Protected Information will be used: The provision of literacy learning services.
 

2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Lexia flows down all data privacy and security requirements to sub-contractors working on services provided to NYC DOE (if any). Employees undergo training and abide by the Data and Security Plan (attached above and in accompanying documents).

3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement:
 
After 30 days of expiration of the agreement, or upon NYC DOE request, Protected Information is (at NYC DOE’s option) returned or destroyed.
 
[NYC DOE comment: The current agreement became effective starting on July 1, 2020 and terminates when all NYC DOE schools and/or offices cease using Lexia Learning Systems LLC products/services. The terms of the agreement remain effective through the period during which Lexia Learning Systems LLC possesses or otherwise is in control of covered protected information.]
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected:
 
Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information is only stored within the United States.
 
6. How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted in transit and at rest in accordance with then-current best practices with regard to data security and cryptography. For more information, please see the attached documents.

Lexia Voyager Sopris Inc. (formerly Voyager Sopris Learning, Inc.)

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term:

    The Agreement has a Start Date: 05/01/2021

    The Agreement has an End Date: 06/30/2028

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Lexia Voyager Sopris Inc. provides online and print professional development, assessment and educational curricula for students including the following programs:

    Vmath: This program is a targeted math intervention program for struggling students in grades 2–8 that provides additional opportunities to master critical math concepts and skills.

    Vmath Live: This program empowers students in grades K–8 to master math content at their own pace in a motivating online environment.

    LANGUAGE! Live: This program provides foundational and advanced reading intervention including peer-to-peer instruction; for Grades 5–12.

    eSolution: This supplemental program extends timed, paired readings to include complete online vocabulary expansion and comprehension lessons.

    TransMath: This program is a comprehensive math intervention curriculum that targets middle and high school students who lack the foundational skills necessary for entry into algebra and/or who are two or more years below grade level in math.

    REWARDS: This program provides blended reading and comprehension intervention for Grades 4-12 with goals to increase fluency rates, deepen comprehension of informational and content-area texts, and increase precision in sentence writing.

    Step Up to Writing: This comprehensive K-12 program offers multisensory writing strategies that develop ability to create thoughtful, well-written compositions across all content areas.

    LETRS: The LETRS® (Language Essentials for Teachers of Reading and Spelling) Suite is professional learning that provides educators and administrators with deep knowledge to be literacy and language experts in the science of reading. LETRS teaches the skills needed to master the fundamentals of reading instruction—phonological awareness, phonics, fluency, vocabulary, comprehension, writing, and language.

    Voyager Passport: This program provides blended literacy intervention for Grades K-5.

    Reading Rangers: This program provides online reading practice for Grades K-5.

    Only a minimum amount of personally identifiable student data required for the setup of the system is requested. We require student first name, student last name, and student identification number.

    Additional data, not specific to the student, is also required to complete system setup, including the teacher first and last name, class name, grade level, and school name. Student demographic data, for the purposes of optional disaggregated reporting, is requested separately from the initial setup data and is obtained only with written permission from your district. This information is not shared and is used to track student progress and achievement within the proposed solution.

  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. [DOE comment: In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
    • no later than upon termination of this Agreement

      In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.]

  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using an Entity-owned and/or internally hosted-solution.”
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We maintain administrative, technical and physical safeguards designed to secure student data, as provided by NYC DOE, both during transmission and while in our custody. These safeguards include technical and operational measures, such as firewalls, routers, encryption (at rest and in‐transit), passwords, and vulnerability testing, as well as training, policies and procedures to limit access to NYC DOE provided data to authorized staff, contractors and agents that have a legitimate need to access such data for purposes of enabling us to deliver and support our products and services to the NYC DOE, and that are under appropriate contractual obligations of confidentiality, data protection and security.

    No student PII is ever public. Our applications are designed to keep this information private and secure. It is never discoverable by the public.

    • Voyager Sopris is ISO-27001 certified.
    • The Company has a formal onboarding and off-boarding procedure where access to database assets is formally granted and revoked respectively; access is only granted to employees who need access to support the online products, as we subscribe to the principle of least privilege.
    • The Company provides student data privacy training to all employees and contractors who access our network.
    • The Company employs a 3rd party company to conduct both COPPA and FERPA compliance audits.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

LightSail Inc

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term:
    Contract Start Date: July 1, 2022
    Contract End Date: June 30, 2023
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. To fulfill the services requested by NYC DOE. Specifically, to provide to schools LightSail’s online literacy platform, providing initial and ongoing Lexile- and standards-aligned assessment, a full book/novel reading experience, accommodations for struggling readers, and data and reporting on reading performance and engagement. The platform comprises a patented educational e-reader and an adaptive e-book library.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “will not share PII with subcontractors, outside persons, or third party entities.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
    • no later than upon termination of this Agreement
    In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Microsoft Azure Cloud.”
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Here is a summary of controls in place:
    • Information Security Governance
      • A comprehensive set of Information Security Policies
      • A governance structure with defined roles and responsibilities
      • Periodic security assessments (internal/ external)
    • Operational Security
      • Role-based access controls following the least privilege principle
      • Strict password controls with multi-factor authentication
      • Incident management for responding to and containing incidents
      • Backups and disaster recovery plans for resilience
      • Physical security for accessing corporate assets/ facilities
      • Comprehensive vulnerability management program with automated assessments
      • Secure system development approach with OWASP compliance
      • Centralized logging and monitoring with automated alerts
      • Network segmentation with firewall protection
    • Data Security
      • Data classification scheme
      • Data encryption at rest with AES 256-bit or higher keys and in transit using TLS 1.2 or higher
      • Data retention schedules
    • People Security
      • Background checks and code of conduct acceptance before employment
      • Continuous security awareness training
      • Employment termination/ change of responsibilities processes
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Lilo Consulting, LLC (DBA Sync Grades)

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term

    Contract Start Date: not listed

    Contract End Date: not listed

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Sync Grades is a software service, providing schools with a dynamic platform to track student attendance and other related and approved data over different periods in time.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor.”
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
    • The Sync Grades platform is hosted by Amazon Web Services (AWS). AWS facilities are guarded by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Electronic intrusion detection systems are installed within the data layer to monitor, detect, and automatically alert appropriate personnel of security incidents. Ingress and egress points to server rooms are secured with devices that require each individual to provide multi-factor authentication before granting entry or exit.
    • Access to Sync Grades servers and hosting services is controlled by two-factor authentication, and is only accessible using a secure VPN.
    • Sync Grades requires passwords to have a minimum of 8 characters and to contain alphabetic, numeric and punctuation characters. Active monitoring will deny access after multiple failed attempts (firewall and account suspension).

    • The Sync Grades configuration build and system provisioning is executed through version control and a centralized build configuration management tool. The system requires authentication and records the audit log of all infrastructure changes including but not limited to:
      • VM provisioning
      • package versions, identification and installation
      • input and configuration settings
      • application version deployment
      • network segment deployment
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Literably, Inc

  1. Type of Entity: Community Based Organization or Not-for-Profit
  2. Contract / Agreement Term:
    • Contract Start Date: 8/1/2022
    • Contract End Date: 7/31/2023
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Literably is an online elementary reading assessment. We receive PII in order to provide and improve our services to schools.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All PII is stored on a password protected encrypted database located on a remote server. Literably conducts routine security audits and employs the use of monitoring software to track security risks within the dependencies that are used to build the product. Further, our employees and contractors are required to protect personal information in a manner consistent with our Privacy Policy.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Literacy Resources, LLC

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term:
    Contract Start Date: March 1, 2022
    Contract End Date: June 30, 2025

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Literacy Resources, LLC, through the NYC DOE’s “Core Curriculum” program and purchasing agreement, is providing the NYC DOE teachers and staff with access to the online resource program, “myHeggerty”. myHeggerty provides teachers and staff with tools and resources necessary to implement the Heggerty Phonemic Awareness curriculum with fidelity. myHeggerty includes access to the use of an online assessment tool, where teachers and staff may voluntarily enter student assessment scores and observational data for analysis purposes.
  4. Type of PII that the Entity will receive/access: Student PII and NYC DOE staff basic demographic data (First name, Last name, Email address).
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYCDOE, or to a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.  Student and teacher data is encrypted, all communication is encrypted, malware scans are performed daily, web application firewall is in place, secure daily offsite backups with 90-day history are performed. Literacy Resources, LLC administrator access is restricted to approved IP addresses. All data is stored in a MySQL database powered by Google Cloud SQL. The security of this data will be ensured by encryption while in motion by using TLS 1.2 or greater and at rest by Google Cloud SQL Encryption with keys managed by Google.

    Processor maintains compliance with federal and state laws regarding data privacy and security, and is in compliance with PCI DSS Security Standards with regards to the processing and handling of sensitive data.

    Processor employs a series of protection measures to protect both internal infrastructure and cloud-based data processing resources, and regularly conducts tests to ensure the security, including regular penetration tests, vulnerability scans, etc.

  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Littera Education Inc

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Littera’s Academic Support Platform is designed to enable schools and districts to design, deliver, and monitor tutoring programs that are customized to address the needs of their students. Information we receive includes student name, email address and/or unique identifier. This information is used for assigning students to tutoring sessions inside the platform.

    Within the platform, an identified staff member can easily assign students to tutoring sessions and monitor their progress by viewing student attendance and tutor feedback. Sessions can either be centrally assigned or classroom teachers can be given the ability to assign their students to tutoring sessions once they identify a need. Once students are receiving tutoring, the platform provides program managers, teachers, administrators, and other stakeholders with access to real-time tutoring delivery data, including attendance, number of sessions completed, student feedback, and tutors’ notes on student progress.

    The Littera platform also provides districts with exclusive access to a new literacy tutoring curriculum created specifically for high dosage tutoring models by Columbia Teachers College Reading and Writing Project (TCRWP). This K-6 literacy tutoring curriculum is designed to be delivered through the Littera tutoring management platform, in order to ensure that students receive instruction according to the research-based principles of high dosage tutoring.

  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
    • no later than upon termination of this Agreement
    In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services.”
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Littera Education places the utmost importance on privacy, safety, and security. All transmission of files or data to organization roster systems is done securely via HTTPS, using industry standards. When files are uploaded, they are stored in encrypted, non-publicly accessible databases. Littera uses Amazon Web Services (AWS) as its cloud hosting provider. The database along with all the cloud infrastructure is hosted inside a private virtual cloud (AWS VPC). Only a limited number of personnel have access to this VPC.

    Development and staging environments each have their own environment, so they are completely isolated from the production infrastructure. Littera does not copy data from production to staging or development for the purpose of testing. The development environment suits all of developers' needs, so they do not have access to production infrastructure and data.

    Our cloud hosting provider, AWS, is responsible for all physical data safeguards. AWS is a reliable and scalable platform that hosts many of the world’s largest companies. From an administrative standpoint, when new employee accounts are created, they are based on the principle of least privilege. Modifications to access must be approved by an authorized employee. All employees are required to undergo information security training and adhere to Littera’s information security policies. Littera has a detailed security policy which can be shared upon request.

  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. 
    Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

MaiaLearning, Inc.

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Student information is added so that school educators and counselors may access and guide them through the college and career planning platform. Students use the SSO to login to the platform and plan for their potential careers, develop their academic plans, research, and build college lists that they plan to apply to. Students ask for recommendation letters from teachers. Teachers write and submit recommendation letters in the platform for students. Counselors will prepare additional documents in support of applications [and] upload their transcripts and send them electronically to colleges where students have applied. Students eventually record their admission decisions which is stored as outcomes data for analysis in the future to guide other students. Parents have access to the platform and can view their child’s progress in read-only mode. Student information is not visible or accessible from any person or entity outside of the school and the parents. Students may opt-in to provide their contact information to colleges where they are interested to apply.
  4. Type of PII that the Entity will receive/access: Student PII and Other: Educators First Name, Last Name, Email.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
    • no later than upon termination of this Agreement
    In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. AWS WebServices.”
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
    Safeguards
    In all aspects, MaiaLearning maintains a least-privilege model of access to data. This applies to administrative, operational and technical safeguards alike. Permission to access systems, whether it is Custom Support, CRM, Systems Administration tools, User Provisioning, or the product internal permissions are controlled and provisioned according to our Application Use Policy and approved by the MaiaLearning CTO or delegated administrator.

    Administrative Safeguards
    Access permissions to all systems are approved prior to granting.
    Employee and Contractor Onboarding and Offboarding Policy ensure that granted permissions are documented and ensures that all rights are revoked on offboarding.
    All policies are reviewed annually to ensure they meet the security needs they are designed to protect and to ensure they are in compliance with applicable law and contractual obligations.
    Risk assessments are performed annually on all processes, and as required for new processes and systems.

    Operational Safeguards
    MaiaLearning Security staff conduct periodic role appropriate training to all staff. Additionally, staff are required to take annual refresher security training appropriate to their role.
    The Data Transfer Policy governs how protected information is handled by MaiaLearning staff to ensure that due care is taken when transferring data from a customer representative to the system, when usage of automated systems cannot yet be utilized by the customer.
    MaiaLearning System Maintenance Policy governs all production and managed systems to require they are upgraded in a timely and appropriate manner. Where an automated update system is available it should be used, unless an exception is documented, i.e. an untimely system outage would result. Automated updates are set on schedules appropriate to our users.
    MaiaLearning Disaster Recovery Procedure covers how we manage a complete failure of our primary systems provider. All configuration that can be, is maintained as infrastructure as code and committed to source code control. Source code control is not with our primary systems infrastructure provider.
    MaiaLearning Backup and Recovery Procedure requires all data to be backed up outside the region of service. For instance, data primarily served from the western United States is backed up in the eastern United States, in accordance with contractual obligations and data location restrictions.

    Technical Safeguards
    Under least access permissions all access to systems requires prior approval. Access to system command line is restricted to individual login and requires VPN access with MFA. Command line access is granted only to operations staff that have a need to access.
    Administrative access to systems is generally managed through web interfaces. These are also least privilege and access controlled to individual users and require MFA. Access to administrative applications is granted by approval of the CTO or delegated administrator.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Mastery Coding, Inc.

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. All potential PI is provided within our platform merely to access [the] platform. The PI is limited to the discretion and imagination of the instructor whereby no PI that Mastery Coding receives or retains has unique value outside the Enterprise and is not in any way verified to be accurate or identifiable and is merely used as a login identifier for a course. Additionally, from students we only collect first name, last name, and classroom ID number. The concatenated integrity of this information is up to the teacher’s discretion. This information is primarily required to create student accounts that in the platform provide teachers the visibility to monitor individual student progress and is not used outside the platform.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.” Vendor adds “We utilize an internal and proprietary Learning Management System/Platform (LMS). The platform provides protections for students and teachers at levels set forth by local, state, federal, and school district laws/policy. We have no subcontractors that will receive student data. All student data is controlled and managed by Mastery Coding exclusively. No one outside Mastery Coding has access to student data.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
    • no later than upon termination of this Agreement

    In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. AWS.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Mastery Coding has adopted a set of policies and safeguards that cover all aspects (administrative/technical/physical) of student and teacher PI. All student data is securely stored in an encrypted database. The data is only transferred securely on request using https requiring an authentication token that our platform creates.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. 
    Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Mathletics 3P Learning Inc.

1. The exclusive purposes for which Protected Information will be used: To enable teachers, students and customer admin users to access 3P Learning’s online learning resources and associated professional development.

2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Employment contracts contain provisions in relation to confidentiality and employees are trained in privacy compliance requirements. To the extent subcontractors have access (which is not expected), contractual obligations would be imposed.

3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: PISI is retained for the life of the agreement and for a minimum period of two years after agreement expiration, unless otherwise explicitly requested by the DOE.

[NYC DOE comment: The current agreement became effective starting on August 14, 2019 and terminates when all NYC DOE schools and/or offices cease using 3P Learning Inc.’s products/services. The terms of the agreement remain effective through the period during which 3P Learning Inc. possesses or otherwise is in control of covered protected information.]

4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.

[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): The primary server where PISI is located is in the US. A disaster recovery site is located in Western Europe. The same controls and security protections apply to both the primary and disaster recovery site.

6. How the data will be encrypted (described in such a manner as to protect data security): At rest and in transit

McGraw Hill LLC

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term:
    Agreement has a Start Date: 4/1/2022
    Agreement has an End Date: 3/31/2029
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.
    McGraw Hill offers multiple digital platforms that will collect Personally Identifiable Information (PII):
    • ConnectED: A digital platform for delivering our PreK-12 content to teachers and students
    • Connect: A digital platform for delivering content and learning tools for the higher education market.
    • Open Learning: Provides K-12 and higher education instructors the opportunity to customize their McGraw-Hill courses by integrating their own content, open educational resources (OER), and other sources within a McGraw-Hill digital environment.

    McGraw Hill will use personally identifiable information (“PII”) to provide the requested service or to process transactions such as information requests or purchases in order to meet our contractual obligations to the DOE institution that has subscribed to our products and services. We will also process DOE PII to meet our legitimate interests, for example to personalize your experience and to deliver relevant content to DOE; to maintain and improve our services to the DOE; to generate and analyze statistics about DOE use of the services; and to detect, prevent, or (if permitted by law) to respond to fraud, intellectual property infringement, violations of law, violations of our rights or our terms of use for McGraw Hill online products and services, or other misuse of the services. Except as described in this notice, we limit the use, collection, and disclosure of DOE PII to deliver the service or information requested by the DOE. We do not collect, use, or disclose PII that is not reasonably related to the purposes described within this notice without prior notification. Your information may be combined in an aggregate and de-identified manner in order to maintain and/or improve our services.

  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
    • no later than upon termination of this Agreement
    In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.
    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services.”
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. McGraw Hill utilizes the most up-to-date security systems and 24/7 monitoring. McGraw-Hill also has very strict internal processes to safeguard customers’ data, and all applications are built in compliance with federal regulations including FERPA. System penetration testing, vulnerability management and intrusion prevention are managed in conjunction with our third-party infrastructure provider. The application logs security-relevant events, including information around the user, the date/time of the event, type of event, success or failure of the event, and the seriousness of the event violation. User authentication communication and storage are protected by 256-bit advanced encryption standard security.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.
    Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Metis Associates, Inc

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term:
    Contract Start Date: August 1, 2022
    Contract End Date: July 31, 2027
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Metis conducts evaluation research for numerous entities, including the NYCDOE, to determine the impact and efficacy of strategies/programs/efforts to improve school and student-level outcomes such as academic achievement, behavior (e.g., attendance, discipline), and socio-emotional development. Most of these evaluations utilize data analyses that require additional information to control for possible confounding factors to “isolate” the treatment effect, including student characteristics such as sex, race/ethnicity, poverty status, and the like.

    As the unit of measurement for these efforts is typically at the student level, these evaluations require student-level data to appropriately determine intervention effectiveness, particularly for longitudinal models wherein baseline data is used to comparatively determine growth after treatment. All data are typically requested without any direct student identifiers (i.e., without student names or OSIS ID numbers), but are considered PII due to data elements required to carry out the studies properly (e.g., DBN, poverty status, student with disability flag).
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using an entity-owned and/or internally-hosted solution.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Metis Associates’ technologies, safeguards, and practices align with the NIST Cybersecurity Framework. Our administrative, technical and physical structures ensure PII is protected and that we mitigate all data privacy risks. Sensitive data are stored in file servers, databases, and on temporary storage.

    For data at rest scenarios, we use a shared mapped drive and a SQL database server:
    • A Windows server is used to host the shared drive. Data access is controlled by domain group policy and NTFS permissions.
    • A Windows server hosting a Microsoft SQL instance is also used to store sensitive data.
    • Data access is controlled by domain group policy.

    For data in motion scenarios, we use two file share web applications:
    • A Linux Ubuntu server hosting a Secure FTP application is used to share sensitive data with clients. User access is controlled by local accounts and complex passwords. Once the data is collected, it is then moved to our shared drive. All data is subsequently deleted from the SFTP server.
    • A Linux Ubuntu server hosting a web file-sharing application is also used to share sensitive data with clients. User access is controlled by Domain Group Policy. Once the data is collected, it is then moved to our shared drive. All data are subsequently deleted from the server.

    Individually identifiable data are processed expeditiously and stored on a secure server. Once processed, all data are maintained in a Microsoft SQL Server database with differential security access to confidential data elements (e.g., student name, student ID) restricted to authorized personnel. All backup data files (including media upon which data were transferred from the originating agency), when not in use, are maintained in a locked facility. Strict controls are maintained with respect to the location of removable disks and the identification of the data files stored on them. For larger projects requiring a centralized data repository, the repository itself is managed by a small group of data analysis specialists and individual data are only released to internal staff when necessary. Individual-level data are never transmitted electronically, nor permitted to be stored on removable media (e.g., USB thumb drives, magnetic media), except for the aforementioned backups. At the end of project life, data will either be destroyed or returned when it is no longer needed or at the end of the agreement. Finally, unless consent is specified by the originating agency, raw unit-record data are never released to clients, nor are any data that would contain information that could possibly link analysis results to individuals.

    We have a detailed Data Security Action Plan in place that guides our activities to ensure we implement all state, federal and local data security and privacy contract requirements over the life of our data-sharing agreements. Furthermore, we have an independent cybersecurity firm conduct quarterly external and internal vulnerability scans to ensure our network is secure.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Microsoft

 
1. The exclusive purposes for which Protected Information will be used: PISI will be used or otherwise processed only to provide the NYC DOE Online Services including purposes compatible with providing those services:
 
  • Processing of Customer Data: Ownership
Customer Data will be used or otherwise processed only to provide Customer the Online Services including purposes compatible with providing those services. Microsoft will not use or otherwise process Customer Data or derive information from it for any advertising or similar commercial purposes. As between the parties, Customer retains all right, title and interest in and to Customer Data. Microsoft acquires no rights in Customer Data, other than the rights Customer grants to Microsoft to provide the Online Services to Customer. This paragraph does not affect Microsoft’s rights in software or services Microsoft licenses to Customer.
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Microsoft is responsible for its Subprocessor’s compliance with Microsoft’s obligations as outlined in the Online Services terms as follows:
 
  • Notice and Controls on use of Subprocessors
Microsoft may hire third parties to provide certain limited or ancillary services on its behalf. Customer consents to the engagement of these third parties and Microsoft Affiliates as Subprocessors. The above authorizations will constitute Customer’s prior written consent to the subcontracting by Microsoft of the processing of Customer Data and Personal Data if such consent is required under the Standard Contractual Clauses or the GDPR Terms.
 
Microsoft is responsible for its Subprocessor’s compliance with Microsoft’s obligations in the OST. Microsoft makes available information about Subprocessors on a Microsoft website. When engaging any Subprocessor, Microsoft will ensure via a written contract that the Subprocessor may access and use Customer Data or Personal Data only to deliver the services Microsoft has retained them to provide and is prohibited from using Customer Data or Personal Data for any other purpose. Microsoft will ensure that Subprocessors are bound by written agreements that require them to provide at least the level of data protection required of Microsoft by the OST. 
 
From time to time, Microsoft may engage new Subprocessors. Microsoft will give Customer notice (by updating the website and providing Customer with a mechanism to obtain notice of that update) of any new Subprocessor at least 14 days in advance of providing that Subprocessor with access to Customer Data or Personal Data. However, with respect to Core Online Services, Microsoft will give Customer notice (by updating the website and providing Customer with a mechanism to obtain notice of that update) of any new Subprocessor at least 6 months in advance of providing that Subprocessor with access to Customer Data.
 
If Customer does not approve of a new Subprocessor, then Customer may terminate any subscription for the affected Online Service without penalty by providing, before the end of the relevant notice period, written notice of termination that includes an explanation of the grounds for non-approval. If the affected Online Service is part of a suite (or similar single purchase of services), then any termination will apply to the entire suite. After termination, Microsoft will remove payment obligations for any subscriptions for the terminated Online Service from subsequent invoices to Customer or its reseller.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Microsoft’s Data Retention and Deletion terms are outlined in the Online Services Terms as follows:
 
  • Data Retention and Deletion
At all times during the term of Customer’s subscription, Customer will have the ability to access, extract and delete Customer Data stored in each Online Service.
 
Except for free trials and LinkedIn services, Microsoft will retain Customer Data that remains stored in Online Services in a limited function account for 90 days after expiration or termination of Customer’s subscription so that Customer may extract the data. After the 90-day retention period ends, Microsoft will disable Customer’s account and delete the Customer Data and Personal Data within an additional 90 days, unless Microsoft is permitted or required by applicable law to retain such data or authorized in this agreement.
 
The Online Service may not support retention or extraction of software provided by Customer. Microsoft has no liability for the deletion of Customer Data or Personal Data as described in this section.
 
[NYC DOE comment: The current agreement became effective starting on July 1, 2019 and terminates when all NYC DOE schools and/or offices cease using Microsoft’s products/services. The terms of the agreement remain effective through the period during which Microsoft possesses or otherwise is in control of covered protected information.]
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to studentprivacy@schools.nyc.gov or to your child’s school.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Microsoft’s storage protocols for data at rest are outlined in the Online Services Terms as follows:
 
  • Location of Customer Data at Rest
For the Core Online Services, Microsoft will store Customer Data at rest within certain major geographic areas (each, a Geo) as follows:
  • Office 365 Services. If Customer provisions its tenant in Australia, Canada, the European Union, France, India, Japan, South Korea, the United Kingdom, or the United States, Microsoft will store the following Customer Data at rest only within that Geo: (1) Exchange Online mailbox content (e-mail body, calendar entries, and the content of e-mail attachments), (2) SharePoint Online site content and the files stored within that site, (3) files uploaded to OneDrive for Business, and (4) project content uploaded to Project Online.
  • Microsoft Intune Online Services. When Customer provisions a tenant account, Customer selects an available Geo where Customer Data at rest will be stored. Microsoft will not transfer the Customer Data outside of Customer’s selected Geo except as noted in the “Data Location” section of the Microsoft Intune Trust Center.
  • Microsoft Business Application Platform Core Services. If Customer provisions its tenant in Australia, Canada, Asia Pacific, India, Japan, the European Union, United Kingdom, or the United States, Microsoft will store Customer Data at rest only within that Geo, except as noted in the data location section of the Microsoft Business Application Platform Trust Center.
  • Microsoft Azure Core Services. If Customer configures a particular service to be deployed within a Geo then, for that service, Microsoft will store Customer Data at rest within the specified Geo. Certain services may not enable Customer to configure deployment in a particular Geo or outside the United States and may store backups in other locations, as detailed in the Microsoft Trust Center (which Microsoft may update from time to time, but Microsoft will not add exceptions for existing Services in general release).
  • Microsoft Cloud App Security. If Customer provisions its tenant in the European Union or the United States, Microsoft will store Customer Data at rest only within that Geo.
  • Microsoft Dynamics 365 Core Services. When Customer provisions a Dynamics 365 Core Service to be deployed within an available Geo, then, for that service, Microsoft will store Customer Data at rest within that specified Geo, except as described in the Microsoft Dynamics 365 Trust Center (which Microsoft may update from time to time).
  • Windows Defender Advanced Threat Protection Services. When Customer provisions a tenant account, Customer selects an available Geo where Customer Data at rest will be stored. Microsoft will not transfer the Customer Data outside of the Customer’s selected Geo except as noted in the “Data Location” section of the Microsoft Trust Center.
Microsoft does not control or limit the regions from which Customer or Customer’s end users may access or move Customer Data.
 
6. How the data will be encrypted (described in such a manner as to protect data security): Microsoft encrypts, or enables Customer to encrypt, Customer Data that is transmitted over public networks.
 

MobyMax

1. The exclusive purposes for which Protected Information will be used: To deliver software services, including supplemental instruction, intervention, assessment, and adaptive practice. To provide technical support, coaching, professional development, and/or troubleshooting for authorized users, including parents, teachers, and administrators.
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: MobyMax does not share data with subcontractors or other third parties in its normal course of doing business. Should MobyMax partner with a third-party for scientific research or integration of any kind, MobyMax will do so in accordance with district and NYC DOE policies, and only with the authorization of the district or NYC DOE.
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The agreement will be considered “in effect” as of the signing date. Upon expiration of the agreement, PISI will be disposed of according to the guidelines as stated in the agreement, including full removal of all relevant data nodes.
[NYC DOE comment: The current agreement became effective starting on October 23, 2019 and terminates when all NYC DOE schools and/or offices cease using MobyMax’s products/services. The terms of the agreement remain effective through the period during which MobyMax possesses or otherwise is in control of covered protected information.]
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All MobyMax data is stored in secure servers managed by Rackspace. The physical data center is located outside of Chicago, IL.
6. How the data will be encrypted (described in such a manner as to protect data security): All network traffic happens over encrypted channels (SFTP or HTTPS). The private keys for encryption/decryption are password-protected and accessible only to a limited number of systems engineers under tightly constrained conditions. All user passwords are encrypted in storage.

myOn Renaissance Learning, Inc.

1. The exclusive purposes for which Protected Information will be used: For Recipient to fulfill the services requested by NYC DOE (e.g., to provide Renaissance educational products to NYC DOE school customers).
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Contractual obligation and periodic vendor compliance review.
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Effective 11/12/2019 and continues until expiration/termination of underlying service agreement. PISI is disposed of per Exhibit D.
[NYC DOE comment: The current agreement became effective starting on November 12, 2019 and terminates when all NYC DOE schools and/or offices cease using Renaissance Learning, Inc.’s products/services. The terms of the agreement remain effective through the period during which Renaissance Learning, Inc. possesses or otherwise is in control of covered protected information.]
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI is stored in the United States; PISI is encrypted at rest and hosted in the cloud by Amazon Web Services (AWS). PISI transferred on the Internet is over HTTPS. Backups are also handled by AWS and backups are also encrypted at rest.
6. How the data will be encrypted (described in such a manner as to protect data security): PISI is encrypted at rest (no less than AES128) and hosted in the cloud by Amazon Web Services (AWS). PISI transferred on the Internet is over HTTPS (TLS 1.2). Backups are also handled by AWS and backups are also encrypted at rest.

N2Y LLC

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. To provide the contracted services, which include delivery and support of Software as a Service solutions for use by teachers and their students with special needs in the K-12 classroom.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
    • no later than upon termination of this Agreement
    In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. US-based Microsoft Azure data centers with cloud providers that are audited and certified for secure handling of data.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. n2y maintains safeguards to protect the security, confidentiality and integrity of PII received from the customer including encryption, administrative, technical and physical measures.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Nagarro Inc.

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term:
    Contract Start Date: 7/10/2021
    Contract End Date: 6/30/2023
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Nagarro will be responsible for day-to-day IT Help Desk and transportation support operations, providing the following types of services. Level 1 support will include receiving initial calls, engaging translation services as needed, logging calls into the IT Service Management (ITSM) tool, basic troubleshooting, and escalation to the DOE support teams. Level 2 support includes second-level troubleshooting and escalation to vendors and field support. Additionally, common support functions include, but are not limited to: troubleshooting services for hardware- and software-related issues; providing assistance to parents, students and teachers for inquiries related to student remote devices, such as connectivity, break-fix, procurement processes, etc.; and providing assistance to parents and students for inquiries related to student remote applications.
  4. Type of PII that the Entity will receive/access: Protected information such as records of student ID, address, DOE-provided assets, and proprietary and confidential records concerning DOE students and employees will only be referred to and used in the context of incoming calls and their associated resolution flow/path by the authorized Nagarro team personnel on this DOE project engagement. Any Protected Information we might have access to will only be on NYC DOE systems and will not be stored on or accessible from the company’s equipment.
  5. Subcontractor Written Agreement Requirement: In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor’s response: “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Any PII accessed by Nagarro to address calls is stored in a DOE-managed and -hosted environment; Nagarro will not store any PII on its infrastructure or make changes to any PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedure outlined below: In the event the DOE needs any assistance from us to facilitate a correction, we agree to full transparency and will work with the NYC DOE on any issues that arise as part of providing the contracted services.
  8. Security and Storage Protections. Describe where PII will be stored or hosted: No PII will be stored or hosted by the Entity.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Nagarro will not store PII on its hosted products and solutions.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. The vendor’s response: “No NYC DOE data will be stored or available to Nagarro or any of the subcontractors other than that which resides on NYC DOE systems themselves.”

NCS Pearson, Inc. (Periodic Assessment Program)

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term:
    The Agreement has a Start Date: 8/01/2021
    The Agreement has an End Date: 7/31/2026
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Pearson will support NYCDOE by delivering the technology and services to support the NYCDOE’s Periodic Assessment Program. Pearson will receive and access PII to complete the services outlined in the Periodic Assessment contract. Specifically, the data will be used to allow students to access assessments assigned by their classroom teacher in regard to the New York City Periodic Assessments. Student data will also include scored assessments used by classroom teachers and the NYC school district.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
    • no later than upon termination of this Agreement
    In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.
    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor.”
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Pearson takes the privacy and security of customer and company information seriously. To protect sensitive assessment data, such as test items and student confidential information, Pearson employs recognized industry standard security measures to safeguard the confidentiality, integrity, and availability of customer data and the services we provide.

    Our information security policies and standards are based on the ISO/IEC 27001 information systems security framework and align with the NIST catalogue of security controls. This ongoing alignment with NIST reflects our commitment to ensure our information security program remains current and appropriate to address the evolving threats to information security and data privacy.

    System Security and Resiliency
    In accordance with security best practices, multiple layers of security exist in the computing environment to reduce the risk of unauthorized exposure of customer data. These protections include not only preventive controls designed to stop security incidents from happening, but also detective controls to inform us in the unlikely event a security control failure occurs. Along with the resilient and reliable design of our assessment platform, Pearson leads the industry in its ability to protect against and mitigate the effects of distributed denial of service (DDoS) attacks.

    Staff Training Requirements
    When employees and staff augmentation resources begin working for Pearson, they must sign an acknowledgement of their obligation to adhere to the Pearson Global Information Security Policies and follow the company’s implementation guidelines and standards. On an annual basis, members of the Pearson workforce must complete information security training that is designed to ensure they not only maintain awareness of their responsibility to protect customer and company information, but also to help ensure they are educated regarding changes in the ever-evolving information risk universe.

    Need to Know and Least Privilege
    Pearson provides access to systems based on need to know and in accordance with the principle of least privilege. If a workforce member does not have a business need for access, they do not get it. And where access is authorized, user accounts are assigned the minimum level of privilege necessary for their role.

    These principles also extend into the assessment services we provide. Customer staff who have been assigned to administration roles in service solutions have the ability to place staff and students into specific roles with privileges appropriate to them. In this way, the administration of the assessment platforms can conform to role-based access needs of each customer.

    Entitlement Review
    A review of users and the permissions assigned to them is performed periodically, as well as when staff change positions and employment statuses change. This helps to ensure on-going adherence to our commitment to grant access based on need to know and according to the principle of least privilege.

    Data Classification
    Pearson’s Global Information Security Policies and Standards define a three-tier data classification level (DCL) scheme. DCL3, the highest classification tier, denotes customer and Pearson intellectual property, data subject to US and international data security and privacy regulations, and data requiring comparable protections as defined in contracts. DCL3-classified data requires the most stringent information security controls. Given the nature of the services we provide to customers, practically all of our systems are designed with the baseline assumption that the data they maintain and process are DCL3.

  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Nearpod Inc

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. For the exclusive purpose of delivering and supporting Nearpod's software services, including supplemental instruction, and formative assessment content and activities for authorized school and district users, including parents, teachers, and students.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
    • no later than upon termination of this Agreement
    In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Nearpod will ensure that only the employees, contractors, and sub-processors who have a “need to know” for any Protected Data actually have access to the Protected Data, by instituting separate types of user permissions on the Nearpod platform back-end. Additionally, Nearpod will ensure that all employees, contractors, and sub-processors sign confidentiality agreements and nondisclosure agreements that limit the use of the data received in the course of their relationship with Nearpod to the limited purpose of providing the services needed to provide the Nearpod services to the district.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

New York City Outward Bound Center, Inc

  1. Type of Entity: Community Based Organization or Not-for-Profit
  2. Contract / Agreement Term:
    Contract Start Date: 07/01/2015
    Contract End Date: 06/30/2023
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. NYC Outward Bound Schools receives student level data including names, student number, school, demographic information and performance data such as attendance and end of semester grades directly from the DOE and partner schools. We use this data to assess the impact of specific programs and services that are delivered to schools so that we can ensure that resources are being used effectively. At times we disaggregate the data by gender, race, special education or MLL status to assess impact on sub-groups of students. The programs we study include professional development, coaching and student community building.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
    • 256-bit SSL/TLS encryption is used for files in transit and 128-bit AES keys for files at rest.
    • Access to information is limited to authorized individuals who require it to perform their job functions.
    • Authorized individuals who have access to confidential data receive training on federal and state laws governing the confidentiality of such data.
    • When staff employment is terminated, the employee’s accounts are disabled and passwords are changed.
    • In the unlikely event of a security breach, New York City Outward Bound Center, Inc. will activate an incident handling procedure, conduct a thorough investigation, and contact the appropriate stakeholders as required by law.
    • Third-party partners are vetted for their ability to comply with the security requirements outlined by NY State and NYC DOE.
    • Other safeguards include, but are not limited to, physically secure data centers, up-to-date firewall rules, regular third-party security audits, and logical access controls of data.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

NoRedInk

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. NoRedInk provides a comprehensive, online, adaptive, mastery-based writing curriculum for grades 3-12 that is aligned with the New York State Standards. We collect the following PII in order to provide, maintain, and improve NoRedInk:
    • Student name, grade, email (optional), teacher names, school – required to create student accounts and associate them with the correct account and teachers
    • Student assessment data (NoRedInk benchmark, diagnostic and growth assessments) – required to assess student skill mastery, monitor progress and growth
    • Student generated content (writing) – required for students to complete NoRedInk writing assignments and activities in order to receive teacher feedback and assignment grades to support their improvement
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
    • no later than upon termination of this Agreement
    In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS.”
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All PII is stored in a secure environment on servers located in the United States (Amazon Web Services). Only the administrators of the cloud infrastructure provider have physical access to the data centers from which our service is hosted; the cloud infrastructure provider maintains security procedures compliant with a variety of US and international standards to ensure physical security of their data centers. It is our policy to prohibit storing any user data on employee devices.

    Access to the NoRedInk production servers and database is permission controlled. We are able to revoke access remotely for any individual.

    All NoRedInk users require a password-protected login in order to access the application. Teachers and students can register with a unique username and a password, or use Google SSO or Clever SSO.

    All user data, including login credentials, provided in the use of the online service is encrypted in transmission using HTTPS. User data, including passwords, is encrypted at rest in our database.

    We have 24/7 security scanning, monitoring and alerts with a team on call for any required incident support. These systems also detect any required security patches or updates for our system.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

NTT DATA, Inc.

  1. The exclusive purposes for which Protected Information will be used: The New York City (NYC) Department of Education (DOE) has a requirement for supporting the Learn at Home initiative brought about by the Coronavirus pandemic that has caused the DOE to close its schools for the safety of the students and DOE staff. To continue to meet the education needs of its students, the DOE Learn at home program requested that NTT DATA, Inc., manage the distribution of iPads and smart devices to students and teachers who do not have computer access at home. 
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: NTT DATA, Inc., works with Custom Computer Specialists as their sub-contractors. Only authorized personnel from NTT DATA’s sub-contractor will be allowed to access the protected information in order to carry out and perform required services. All authorized users will be contractually bound by an agreement that will include confidential and data security obligations. In addition, all authorized users with access to confidential information will be trained to understand the privacy and data security obligations of this Agreement.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: All confidential data and PII will be securely stored, and access will only be granted to authorized users for the purpose of providing services to the extent mentioned under the contract. Upon completion of the project and/or termination, all data will be securely destroyed or returned to the DOE. [NYC DOE comment: The current agreement became effective starting on June 18, 2020, and terminates when all NYC DOE schools and/or offices cease using NTT DATA, Inc.’s products/services. The terms of the agreement remain effective through the period during which NTT DATA, Inc. possesses or otherwise is in control of covered protected information.]
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data will be accessed in the US and securely on SharePoint. Access to the data is strictly issued based on job requirement and at the minimal level needed to perform the same. The customer data shall be logically and physically separated from other customer data. Data shall be periodically backed up based on the customer requirement. NTT DATA Services encrypts the data at rest which resides in our environment and data in motion which leaves our environment using industry standard cryptographic techniques. In this way confidentiality, integrity and availability of the data is ensured in NTT DATA Services.
  6. How the data will be encrypted (described in such a manner as to protect data security): NTT DATA Services encrypts the data at rest which resides in our environment and data in motion which leaves our environment using industry standard cryptographic techniques.

NWEA

  1. Type of Entity: Community Based Organization or Not-for-Profit
  2. Contract / Agreement Term:
    • Contract Start Date: 6/30/2022
    • Contract End Date: 7/1/2023
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. NWEA receives PII in order to provide educational assessments and associated services.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
    • no later than upon termination of this Agreement
  7. In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
  8. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  9. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS; and using an entity-owned and/or internally hosted-solution.
  10. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. NWEA’s administrative, technical and physical safeguards can be found at: NWEA MAP® Growth™ and MAP® Skills™ Security Whitepaper
  11. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Ookla, Inc

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term:
    • Contract Start Date: 2/15/2021
    • Contract End Date: 8/14/2022
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Ookla is licensing Ookla-owned Cell Analytics data. We are also licensing a Speedtest Powered Mobile SDK. The Mobile SDK may be run by the NYCDOE on its Learn@Home app. The Mobile SDK generates test results of those end users that take a Speedtest. Ookla processes these test results only for the purpose of providing the SDK and providing subsequent data to NYCDOE.
  4. Type of PII that the Entity will receive/access (check all that apply): Student PII and Other. We receive location and IP address of any end user that takes a Speedtest in the app in which the SDK is included.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor’s response: “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedure outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted: Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data is stored in secure datacenter facilities hosted by Amazon Web Services. All data is fully encrypted at rest using EBS encryption based on the industry standard AES-256 cryptographic algorithm.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. The vendor selected: “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Operoo Inc.

1. The exclusive purposes for which Protected Information will be used: The Processor’s software applications will be used by NYC DOE schools to gather information from families/students and teachers/principals, to store such data, and to make such data available to appropriate individuals within the applicable school. The Processor does not itself use the data in any way.

2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: No subcontractors utilized by the Processor are able to see any Protected Information; all Protected Information received by any subcontractor is in encrypted form, not readable by a human. The Processor maintains contracts with all subcontractors that receive protected, encrypted data that require those subcontractors to maintain robust security protocols and to obey applicable federal and state law.

3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The current non-disclosure agreement between the Processor and NYC DOE started on October 1, 2020, replacing an earlier non-disclosure agreement. The current nondisclosure agreement will continue indefinitely until terminated by the NYC DOE on notice to the Processor. Following termination, all Protected Information will be deleted by the Processor upon the request of the NYC DOE after giving the NYC DOE (or the applicable school) an opportunity to export the data before deletion.

[NYC DOE Additional Information: Individual schools may have a contract period which varies based on when their agreement with Operoo began, however the NDA in place with this vendor covers the data privacy and security terms between the parties for all student PII. Operoo is obligated to destroy or return data for a particular school once the school’s agreement with Operoo terminates.]

4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. The Processor shall make any changes the NYC DOE directs it to make. Requests to amend records should be made to studentprivacy@schools.nyc.gov.

[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All NYC DOE data is stored on Amazon Web Services servers located in the United States. All Protected Information is encrypted both while in transit and while at rest, using protocols that have been validated by an external security audit. The Processor has adopted and adheres to robust internal policies that implement best practices security guidelines, and applies an overall philosophy of only transmitting, processing and storing the minimum amount of Protected Information required to perform the function.

6. How the data will be encrypted (described in such a manner as to protect data security): As indicated in the preceding paragraph, data is always encrypted both at rest and in transit. Processor's security layers include strong cryptographic implementations (such as 256 bit encryption, 256 bit data encrypted TLS systems using AES) and defense-in-depth network protection including firewalls and active monitoring systems. Processor periodically tests its encryption processes and other security layers to ensure their effectiveness through an ongoing security and compliance program that includes penetration testing, vulnerability testing, and code reviews, all conducted by independent third parties.

Overgrad, Inc

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term:
    • Contract Start Date: 4/1/2022
    • Contract End Date: 6/30/2025

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Overgrad is a college and career readiness platform to support students, schools, and community-based organizations. Overgrad will be supporting the College and Career Planning Team in integrating postsecondary readiness milestones into NYCSA while also supporting platform use at select NYC DOE schools. Student PII is required to create student accounts which will be used to assess academic preparedness for postsecondary pathways and support counseling in streamlining common counselor tasks like student transcript submission to higher education universities.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Overgrad has a number of administrative, technical, and physical safeguards in place to ensure PII will be protected. Only background-checked, key personnel ever have access to any student data at Overgrad, and they are only granted access in specific school- or student-support scenarios. All access activity is logged and can be referenced should there be any questions asked by schools, students, or parents. Data is stored using standard bank-level 256-bit AES encryption. All database connections utilize SSL encryption, meaning that data is secured at all points when utilizing Overgrad. All of Overgrad’s physical servers are located in access-controlled environments. Overgrad mitigates data privacy and security risks with automated application monitoring and patching its code and servers with the most currently available security protocols. Overgrad also contracts with an outside party to conduct vulnerability testing in order to identify and remedy any potential security risks in the platform.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Panorama Education, Inc.

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term:
    • Contract Start Date: 11/16/2021
    • Contract End Date: 11/16/2022
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The administration, production, and reporting of the Student Perception Survey and NYC School Survey. Program services include, but are not limited to:
    • A research backed survey instrument and the respective translations into the required languages by the NYCDOE
    • The printing, shipping, and scanning of paper surveys to capture the voices of all stakeholders across the NYCDOE
    • Collaborative project management to ensure a smooth survey taking experience for students, staff, and families
    • Guidance and execution on DOE communication strategies
    • A robust reporting platform and user accounts for NYC educators, as well as public facing reports
    • Strategic professional development to allow for data driven action planning
  4. Type of PII that the Entity will receive/access: Student PII
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor’s response: “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedure outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We take data security seriously at Panorama. We have implemented administrative, technical, and physical security measures to protect information stored in our servers, which are located in the United States. We use security safeguards such as physical access controls to buildings and files, data encryption, Secure Sockets Layer (SSL) cryptography, two-factor authentication, and firewalls to help prevent unauthorized access to the information we maintain. For more details, we invite you to take a look at our Privacy Policy at https://www.panoramaed.com/privacy/client-information-policy.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. The vendor checked the box “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

ParentSquare, Inc.

  1. The exclusive purposes for which Protected Information will be used: ParentSquare uses PISI for the purposes of school-home communication, as administered by districts, schools, teachers, and parents.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: When ParentSquare contracts with a third party, their organizations must maintain privacy policies as stringent as ours if we share PII with them.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: At the end of a customer's usage of the ParentSquare platform, the customer may request that ParentSquare make their data unavailable. At this point ParentSquare will disable access to the customer's data by configuring the software to disallow access. If a customer has other specific requirements, ParentSquare will engage with the customer to define the next steps. Data can be exported in a CSV file and sent to the customer. In the case that a customer has a need to permanently remove a piece of data that was mistakenly entered into ParentSquare, they can engage with ParentSquare's support organization to permanently obfuscate that data item from the live system and all future backups. [NYC DOE comment: The current agreement became effective starting on June 4, 2020 and terminates when all NYC DOE schools and/or offices cease using ParentSquare’s products/services. The terms of the agreement remain effective through the period during which ParentSquare possesses or otherwise is in control of covered protected information.]
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): ParentSquare’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes Amazon Web Services (AWS) technology. ParentSquare’s primary data center is on the East coast and the backup is on the West coast. We back up our data on AWS S3 and in multiple zones. ParentSquare uses AWS security best practices such as virtual private cloud, firewalls, and recommended intrusion detection. AWS’ highly secure data centers have been accredited under: SOC 1/SSAE 16/ISAE 3402, SOC 2 (formerly SAS70), PCI Level 1, ISO 27001, and FISMA.
  6. How the data will be encrypted (described in such a manner as to protect data security): With ParentSquare, data is encrypted in transit and at rest to provide protection of sensitive data at all critical points in its lifecycle. All data is transmitted over HTTPS connection to and from the ParentSquare application.

Pearson Education Inc.

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term:
    • Contract Start Date: 11/1/2022
    • Contract End Date: TBD

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Exploring Digital Vendor Authorization to provide learning materials to students for English as a Second Language. MyEnglishLab is a brand comprising a suite of online, cutting-edge digital learning & assessment products currently enjoyed by over users in 178 countries (2019 data). Our learning products are aimed at Adult, Secondary and Primary English language teachers and learners offering engaging, motivating, and relevant content. Learners’ name, email, username, country of residence, native language will be used to identify and show the user data as part of the user interface and represent in the application the institution/class organization and relation.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
    • whenever requested by the DOE
    • whenever the entity no longer needs the PII to provide services to the DOE
    • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
    • no later than upon termination of this Agreement
    • In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

    • Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

      All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

    • Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS- Amazon Web Services.
    • Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

      In accordance with security best practices, multiple layers of security exist in the computing environment to reduce the risk of unauthorized exposure of customer data. These protections include not only preventive controls designed to stop security incidents from happening, but also detective controls to inform us in the unlikely event a security control failure occurs. Along with the resilient and reliable design of our assessment platform, Pearson leads the industry in its ability to protect against and mitigate the effects of distributed denial of service (DDoS) attacks.

       

      Administrative safeguards include measures taken to reduce errors associated with human factors whilst increasing the awareness on how user, learner, and customer data must be protected. Primarily this is governed through Pearson's security policies which are aligned to Industry information security standards and frameworks. Additionally, all Pearson Staff are required to complete a mandatory Information Security and Data Privacy training on an annual basis.

      The technical safeguards are provided as service offerings from Pearson's Chief Information Security Office to reduce the overall vulnerability landscape of the Pearson network and the systems hosting PII and proprietary data. These include controls such as firewalls (enterprise, web and host-based), Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), application security and infrastructure security scanning tools, an anti-virus solution, Identity and Access Management, and encryption for both data in transit and data at rest.

      Physical and environmental safeguards are fully inherited from Pearson's cloud service provider, Amazon Web Services, which follows and is certified to industry best practices such as ISO 27001, ISO 27017 and SOC 2. With regard to mitigating data privacy and security risks, risk findings are managed through Pearson's enterprise risk management tool, and commitments are obtained from senior management or the relevant risk owner to fix such risk findings within an agreed timeline, whilst obtaining business sign-off in the form of a risk exception.

    • Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

    Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

    Perfection Learning Corporation

    1. The exclusive purposes for which Protected Information will be used: The Personally Identifiable Information (PII) collected for Perfection Next is used exclusively for the purpose of delivering the educational experience for students and teachers. The information collected is used to identify the user in the system and ultimately to associate progress on assignments with that user.
    2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: In the event that a subcontractor or other authorized persons or entities are provided access to student, teacher, or principal data, the resource(s) must have completed a background check and training on handling Personally Identifiable Information.
    3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: When the agreement ends, we will terminate the student/teacher data from our systems. [NYC DOE comment: The current agreement became effective starting on April 22, 2020 and terminates when all NYC DOE schools and/or offices cease using Perfection Learning’s products/services. The terms of the agreement remain effective through the period during which Perfection Learning possesses or otherwise is in control of covered protected information.]
    4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
    5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Perfection Learning has processes and auditing in place to identify breaches and unauthorized disclosures. Should any data breach or unauthorized disclosure be identified by Perfection Learning, NYC DOE will be notified within 24 hours.
    6. How the data will be encrypted (described in such a manner as to protect data security): All data is encrypted via SSL in transit. All Personally Identifiable Information (PII) contained within Perfection Next is stored encrypted at rest in the database.

    Pitsco Education, LLC (TETRIX Virtual Robotics (VR) Software)

    1. Type of Entity: Commercial Enterprise
    2. Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
    3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Teachers have learning management capabilities within the software, where they can organize and add, remove, or change teacher and student information. They also track students’ progress through an adaptive learning environment; manage, assign and assess individual student tasks; and view student data analytics and usage reports. Teachers can sync the information with Google Classroom or Clever. [DOE Comment: This is specific to TETRIX Virtual Robotics (VR) Software].
    4. Type of PII that the Entity will receive/access: Student PII and Identifiable teacher data (names/email address).
    5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
    6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
      • whenever requested by the DOE
      • whenever the entity no longer needs the PII to provide services to the DOE
      • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office, and no later than upon termination of this Agreement
      In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
    7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
    8. Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS (Amazon Web Services).”
    9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. There are many safeguards in place. We secure managed office space and ensure all office and remote workers operate under the clean desk policy. We ensure all data applications are protected using multi-factor authentication. We also run background checks on incoming hires and ensure all data is secure at all times. Additional information is available on request.
    10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

    PowerMyLearning, Inc.

    1. The exclusive purposes for which Protected Information will be used: PISI consists of basic identifying information (student name, etc.) that is used exclusively to enable access to the PowerMyLearning Application. The Application does not hold any information received from the DOE beyond basic identifying information. For example, the application does not hold teacher personnel data, student grades, student discipline history, student IEP records, or student health data.
    2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: No subcontractors have access rights to the Application containing DOE Information. Per PowerMyLearning’s Information Security Policy, access rights to the Application production system containing DOE Information are granted only to three employees: (1) Managing Director of Technology & Architecture, (2) Senior Developer, and (3) Senior Data Analyst.
    3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon expiration of the DOE non-disclosure agreement or upon written request from the DOE, PowerMyLearning will erase from the Application any DOE confidential information. When a Microsoft Azure customer deletes a storage object (e.g., blob, file, queue, table), the pointer to this object is immediately deleted from the storage index used to locate and access the data. This operation is replicated asynchronously for Geo-Redundant Storage, which is the system that PowerMyLearning deploys for redundancy. With the storage index updated, the data is immediately unavailable. Azure Storage interfaces do not permit direct disk reads, mitigating the risk of another customer (or even the same customer) accessing the deleted data before it is overwritten. [NYC DOE comment: The current agreement became effective starting on August 19, 2019 and terminates when all NYC DOE schools and/or offices cease using PowerMyLearning’s products/services. The terms of the agreement remain effective through the period during which PowerMyLearning possesses or otherwise is in control of covered protected information.]
    4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
    5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All PISI is stored in the US.
    6. How the data will be encrypted (described in such a manner as to protect data security): All PISI is encrypted in transit. All PISI is encrypted at rest at the hard disk level. Encryption methodologies used are HTTPS SSL – SHA 256 with RSA encryption and RSA-SHA1 encryption.

    PruTech Solutions, Inc

    1. Type of Entity: Commercial Enterprise
    2. Contract / Agreement Term:
      Contract Start Date: October 11, 2022
      Contract End Date: October 10, 2025
    3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The entity will be implementing a Next Generation Student Information System to manage, maintain, and support all the student information, as it pertains to student and adult biographical data, attendance, and tests and exams. This new system will consolidate the functions of a modern-day Student Information System into a single integrated, flexible system that will support all student information. This system will be used by the schools, parents, and students and maintain the student information data on a single application and on one central database.

      The NGSIS solution will also include a feature-rich portal interface for the student and the student's family members to access and gain valuable insight into the student’s progress and school events. The portal will serve as a central communication platform between the school and the student and the student's parent/guardian. This portal will be web-based and will be accessible to all users on a variety of mobile devices and browsers.

      All student information and PII data will be hosted on DOE’s infrastructure and will follow all of DOE’s security procedures and protocols.
    4. Type of PII that the Entity will receive/access: Other: Entity will only be accessing Student PII data on NYC DOE approved environments. No Student PII data will be stored on the Entity’s or subcontractor’s environments. Only individuals who have completed full background checks and fingerprinting will be granted this VIEW ONLY access.
    5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
    6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Other: No PII data will be stored on Entity consultant’s computers or on the Entity’s development environments.
    7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
    8. Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.
    9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Entity will ensure security of NYC DOE protected information by completing the following:
      • All development and data storage will only be completed on NYC DOE approved and encrypted environments.
      • No data will be stored outside of NYC DOE environments by the Entity.
    10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”