Vendors M-Z

Mathletics 3P Learning Inc.

1. The exclusive purposes for which Protected Information will be used: To enable teachers, students and customer admin users to access 3P Learning’s online learning resources and associated professional development.
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Employment contracts contain provisions in relation to confidentiality and employees are trained in privacy compliance requirements. To the extent subcontractors have access (which is not expected), contractual obligations would be imposed.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: PISI is retained for the life of the agreement and for a minimum period of two years after agreement expiration, unless otherwise explicitly requested by the DOE.
 
[NYC DOE comment: The current agreement became effective starting on August 14, 2019 and terminates when all NYC DOE schools and/or offices cease using 3P Learning Inc.’s products/services. The terms of the agreement remain effective through the period during which 3P Learning Inc. possesses or otherwise is in control of covered protected information.]
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): The primary server where PISI is located is in the US. A disaster recovery site in located in Western Europe. The same controls and security protections apply to both the primary and disaster recovery site.
 
6. How the data will be encrypted (described in such a manner as to protect data security): At reset and in transit

McGraw Hill LLC

The exclusive purposes for which Protected Information will be used:  

  1. Processor will use PII to provide the requested service or to process transactions such as information requests or purchases in order to meet our contractual obligations to you. We will also process your PII to meet our legitimate interests, for example to personalize your experience and to deliver relevant content to you; to maintain and improve our services; to generate and analyze statistics about your use of the services; and to detect, prevent, or respond to fraud, intellectual property infringement, violations of law, violations of our rights or Terms of Use, or other misuse of the services. Except as described in this notice, we limit the use, collection, and disclosure of your PII to deliver the service or information requested by you. We do not collect, use, or disclose PII that is not reasonably related to the purposes described within this notice without prior notification. Your information may be combined in an aggregate and de-identified manner in order to maintain and/or improve our services.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Processor requires any and all subcontractors, persons or entities with which the Processor may share the PII to commit contractually that they will abide by the terms of the Agreement and/or the data protection and security requirements set forth in Education Law §2-d.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: When the Agreement terminates between the NYC DOE and the Processor, upon written request, the Processor shall return to the NYC DOE or, if agreed to by the NYC DOE, destroy the remaining PII that the Processor still maintains in any form. [NYC DOE comment: The current agreement became effective starting on August 3, 2020 and terminates when all NYC DOE schools and/or offices cease using McGraw Hill LLC’s products/services. The terms of the agreement remain effective through the period during which McGraw Hill possesses or otherwise is in control of covered protected information.] 
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Processor’s products require a minimal amount of PII to be collected and stored for proper use of the program. Our platform is a hybrid cloud-based and physical data center platform fully hosted by Processor. We utilize Amazon Web Services (AWS) cloud services for delivering our content to customers. Processor maintains two geographically separate data centers (East Windsor, NJ and Secaucus, NJ) which are interconnected via high speed private links. All data is stored in the continental United States.
  6. How the data will be encrypted (described in such a manner as to protect data security): Processor uses encryption technology to protect data while in motion or in its custody from unauthorized disclosure as specified in Education Law §2-d;

Microsoft

 
1. The exclusive purposes for which Protected Information will be used: PISI will be used or otherwise processed only to provide the NYC DOE Online Services including purposes compatible with providing those services:
 
  • Processing of Customer Data: Ownership
Customer Data will be used or otherwise processed only to provide Customer the Online Services including purposes compatible with providing those services. Microsoft will not use or otherwise process Customer Data or derive information from it for any advertising or similar commercial purposes. As between the parties, Customer retains all right, title and interest in and to Customer Data. Microsoft acquires no rights in Customer Data, other than the rights Customer grants to Microsoft to provide the Online Services to Customer. This paragraph does not affect Microsoft’s rights in software or services Microsoft licenses to Customer.
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Microsoft is responsible for its Subprocessor’s compliance with Microsoft’s obligations as
outlined in the Online Services terms as follows:
 
  • Notice and Controls on use of Subprocessors
Microsoft may hire third parties to provide certain limited or ancillary services on its behalf. Customer consents to the engagement of these third parties and Microsoft Affiliates as Subprocessors. The above authorizations will constitute Customer’s prior written consent to the subcontracting by Microsoft of the processing of Customer Data and Personal Data if such consent is required under the Standard Contractual Clauses or the GDPR Terms. 
 
Microsoft is responsible for its Subprocessor’s compliance with Microsoft’s obligations in the OST. Microsoft makes available information about Subprocessors on a Microsoft website. When engaging any Subprocessor, Microsoft will ensure via a written contract that the Subprocessor may access and use Customer Data or Personal Data only to deliver the services Microsoft has retained them to provide and is prohibited from using Customer Data or Personal Data for any other purpose. Microsoft will ensure that Subprocessors are bound by written agreements that require them to provide at least the level of data protection required of Microsoft by the OST. 
 
From time to time, Microsoft may engage new Subprocessors. Microsoft will give Customer notice (by updating the website and provide Customer with a mechanism to obtain notice of that update) of any new Subprocessor at least 14- days in advance of providing that Subprocessor with access to Customer Data or Personal Data. However, with respect to Core Online Services, Microsoft will give Customer notice (by updating the website and provide Customer with a mechanism to obtain notice of that update) of any new Subprocessor at least 6-months in advance of providing that Subprocessor with access to Customer Data. 
 
If Customer does not approve of a new Subprocessor, then Customer may terminate any subscription for the affected Online Service without penalty by providing, before the end of the relevant notice period, written notice of termination that includes an explanation of the grounds for non-approval. If the affected Online Service is part of a suite (or similar single purchase of services), then any termination will apply to the entire suite. After termination, Microsoft will remove payment obligations for any subscriptions for the terminated Online Service from subsequent invoices to Customer or its reseller.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Microsoft’s Data Retention and Deletion terms are outlined in the Online Services Terms as follows:
 
  • Data Retention and Deletion
At all times during the term of Customer’s subscription, Customer will have the ability to access, extract and delete
Customer Data stored in each Online Service.
 
Except for free trials and LinkedIn services, Microsoft will retain Customer Data that remains stored in Online Services in a limited function account for 90 days after expiration or termination of Customer’s subscription so that Customer may extract the data. After the 90-day retention period ends, Microsoft will disable Customer’s account and delete the Customer Data and Personal Data within an additional 90 days, unless Microsoft is permitted or required by applicable law to retain such data or authorized in this agreement.
 
The Online Service may not support retention or extraction of software provided by Customer. Microsoft has no liability for the deletion of Customer Data or Personal Data as described in this section.
 
[NYC DOE comment: The current agreement became effective starting on July 1, 2019 and terminates when all NYC DOE schools and/or offices cease using Microsoft’s products/services. The terms of the agreement remain effective through the period during which Microsoft possesses or otherwise is in control of covered protected information.]
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to studentprivacy@schools.nyc.gov or to your child’s school.] 
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Microsoft’s storage protocols for data at rest are outlined in the Online Services Terms as
follows:
 
  • Location of Customer Data at Rest
For the Core Online Services, Microsoft will store Customer Data at rest within certain major geographic areas (each, a
Geo) as follows:
  • Office 365 Services. If Customer provisions its tenant in Australia, Canada, the European Union, France, India, Japan, South Korea, the United Kingdom, or the United States, Microsoft will store the following Customer Data at rest only within that Geo: (1) Exchange Online mailbox content (e-mail body, calendar entries, and the content of e-mail attachments), (2) SharePoint Online site content and the files stored within that site, (3) files uploaded to OneDrive for Business, and (4) project content uploaded to Project Online.
  • Microsoft Intune Online Services. When Customer provisions a tenant account, Customer selects an available Geo where Customer Data at rest will be stored. Microsoft will not transfer the Customer Data outside of Customer’s selected Geo except as noted in the “Data Location” section of the Microsoft Intune Trust Center.
  • Microsoft Business Application Platform Core Services. If Customer provisions its tenant in Australia, Canada, Asia Pacific, India, Japan, the European Union, United Kingdom, or the United States, Microsoft will store Customer Data at rest only within that Geo, except as noted in the data location section of the Microsoft Business Application Platform Trust Center.
  • Microsoft Azure Core Services. If Customer configures a particular service to be deployed within a Geo then, for that service, Microsoft will store Customer Data at rest within the specified Geo. Certain services may not enable Customer to configure deployment in a particular Geo or outside the United States and may store backups in other locations, as detailed in the Microsoft Trust Center (which Microsoft may update from time to time, but Microsoft will not add exceptions for existing Services in general release).
  • Microsoft Cloud App Security. If Customer provisions its tenant in the European Union or the United States, Microsoft will store Customer Data at rest only within that Geo.
  • Microsoft Dynamics 365 Core Services. When Customer provisions a Dynamics 365 Core Service to be deployed within an available Geo, then, for that service, Microsoft will store Customer Data at rest within that specified Geo, except as described in the Microsoft Dynamics 365 Trust Center (which Microsoft may update from time to time).
  • Windows Defender Advanced Threat Protection Services. When Customer provisions a tenant account, Customer selects an available Geo where Customer Data at rest will be stored. Microsoft will not transfer the Customer Data outside of the Customer’s selected Geo except as noted in the “Data Location” section of the Microsoft Trust Center.
Microsoft does not control or limit the regions from which Customer or Customer’s end users may access or move
Customer Data.
 
6. How the data will be encrypted (described in such a manner as to protect data security): Microsoft encrypts, or enables Customer to encrypt, Customer Data that is transmitted over public networks.
 

MobyMax

1. The exclusive purposes for which Protected Information will be used: To deliver software services, including supplemental instruction, intervention, assessment, and adaptive practice. To provide technical support, coaching, professional development, and/or troubleshooting for authorized users, including parents, teachers, and administrators.
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: MobyMax does not share data with subcontractors or other third parties in its normal course of doing business. Should MobyMax partner with a third-party for scientific research or integration of any kind, MobyMax will do so in accordance with district and NYC DOE policies, and only with the authorization of the district or NYC DOE.
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The agreement will be considered “in effect” as of the signing date. Upon expiration of the agreement, PISI will be disposed of according to the guidelines as stated in the agreement, including full removal of all relevant data nodes.
[NYC DOE comment: The current agreement became effective starting on October 23, 2019 and terminates when all NYC DOE schools and/or offices cease using MobyMax’s products/services. The terms of the agreement remain effective through the period during which MobyMax possesses or otherwise is in control of covered protected information.]
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
[NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All MobyMax data is stored in secure servers managed by Rackspace. The physical data center is located outside of Chicago, IL.
6. How the data will be encrypted (described in such a manner as to protect data security): All network traffic happens over encrypted channels (SFTP or HTTPS). The private keys for encryption/decryption are password-protected and accessible only to a limited number of systems engineers under tightly constrained conditions. All user passwords are encrypted in storage

myOn Renaissance Learning, Inc.

1. The exclusive purposes for which Protected Information will be used: For Recipient to fulfill the services requested by NYC DOE (e.g., to provide Renaissance educational products to NYC DOE school customers).
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Contractual obligation and periodic vendor compliance review.
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Effective 11/12/2019 and continues until expiration/termination of underlying service agreement. PISI is disposed of per Exhibit D.
[NYC DOE comment: The current agreement became effective starting on November 12, 2019 and terminates when all NYC DOE schools and/or offices cease using Renaissance Learning, Inc.’s products/services. The terms of the agreement remain effective through the period during which Renaissance Learning, Inc. possesses or otherwise is in control of covered protected information.]
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI is stored in the United States; PISI is encrypted at rest and hosted in the cloud by Amazon Web Services (AWS). PISI transferred on the Internet is over HTTPS. Backups are also handled by AWS and backups are also encrypted at rest.
6. How the data will be encrypted (described in such a manner as to protect data security): PISI is encrypted at rest (no less than AES128) and hosted in the cloud by Amazon Web Services (AWS). PISI transferred on the Internet is over HTTPS (TLS 1.2). Backups are also handled by AWS and backups are also encrypted at rest

n2y LLC

  1. The exclusive purposes for which Protected Information will be used: To provide the contracted services which include delivery and support of Software as a Service solutions for use by teachers and their students with special needs in the K-12 classroom.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Typically n2y does not provide authorized non-employee resources credentials to access the production environment where a customer’s student and teacher data resides.    In the event an authorized non-employee needed access to the production environment to support the contracted services, they would grated the appropriate role and permissions to access n2y’s tenant, not the customer’s tenant where their student or teacher or principal data resides. 
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement:  The data is destroyed within 90 days of termination of the customers subscriptions in accordance with n2y’s Terms of Use and Data Privacy Policy. [NYC DOE comment: The current agreement became effective starting on August 13, 2020 and terminates when all NYC DOE schools and/or offices cease using n2y’s products/services. The terms of the agreement remain effective through the period during which n2y possesses or otherwise is in control of covered protected information.]   
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data is stored in the US in multiple Microsoft Azure data centers. Data is encrypted in transit and at rest in the SQL Server data base. The SaaS applications are built on MS Azure App Services platform as a service which includes several levels of security at the app services operations level. MS Azure monitoring tools are also used to monitor the services used to operate n2y SaaS platform.  
  6. How the data will be encrypted (described in such a manner as to protect data security): Using TLS 1.2 in transit and Azure SQL TDE for encryption at rest. 

Nagarro Inc.

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term

Contract Start Date: 7/10/2021
Contract End Date: 6/30/2023

  1. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Nagarro will be responsible for day-to-day IT Help desk and transportation support operations providing the following type of services. The Level 1 support will include, receiving initial calls, engaging translation services as needed, logging of calls into IT Service Management (ITSM) tool, basic troubleshooting and escalation to the DOE support teams. The Level 2 support includes second level troubleshooting, escalating to vendors and field support. Additionally, common support functions include but not limited to; Troubleshooting services for the Hardware and Software related issues; Providing assistance to parents, students and teachers for inquiries related to student remote devices, such as connectivity, break-fix, and procurement processes etc; Providing assistance to parents and students for inquiries related to student remote applications.
  2. Type of PII that the Entity will receive/access: Protected information like records of student ID, address, DOE provided assets, proprietary & confidential records concerning DOE students and employees, will be only referred and used in context of the incoming calls and their associated resolution flow/path by the authorized Nagarro team personnel on this DOE project engagement. Any Protected Information we might have access to will only be on NYC DOE systems and not stored or accessible on company’s equipment.
  3. Subcontractor Written Agreement Requirement: In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor’s response: “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  4. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Any PII information accessed by Nagarro to address calls are stored in DOE managed and hosted environment and Nagarro will not store any PII information on its infrastructure and making changes to any PII.
  5. Challenges to Data Accuracy. The Entity agrees to the procedure outlined below: In the event DOE needs any assistance from us to facilitate correction we agree to full transparency and will work with NYC DOE on any issues that arise as part of providing the contracted services.
  6. Security and Storage Protections. Describe where PII will be stored or hosted: No PII will be stored or hosted by Entity.
  7. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Nagarro will not store PII information on its hosted products and solutions.
  8. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. The vendor’s response: “No NYC DOE data will be stored or available to Nagarro or any of the sub-contractors other than that resides on NYC DOE systems itself.”

NTT DATA, Inc.

  1. The exclusive purposes for which Protected Information will be used: The New York City (NYC) Department of Education (DOE) has a requirement for supporting the Learn at Home initiative brought about by the Coronavirus pandemic that has caused the DOE to close its schools for the safety of the students and DOE staff. To continue to meet the education needs of its students, the DOE Learn at home program requested that NTT DATA, Inc., manage the distribution of iPads and smart devices to students and teachers who do not have computer access at home. 
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: NTT DATA, Inc., works with Custom Computer Specialists as their sub-contractors. Only authorized personnel from NTT DATA’s sub-contractor will be allowed to access the protected information in order to carry out and perform required services. All authorized users will be contractually bound by an agreement that will include confidential and data security obligations. In addition, all authorized users with access to confidential information will be trained to understand the privacy and data security obligations of this Agreement.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: All confidential data and PII will be securely stored and access will only be grated to authorized users for the purpose of providing services to the extent mentioned under the contract. Upon completion of project and/or termination all data will be securely destroyed or returned to DOE. [NYC DOE comment: The current agreement became effective starting on June 18, 2020, and terminates when all NYC DOE schools and/or offices cease using NTT DATA, Inc.’s products/services. The terms of the agreement remain effective through the period during which NTT DATA, Inc. possesses or otherwise is in control of covered protected information.]
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data will be accessed in US and securely on SharePoint. Access to the data is strictly issued based on job requirement and at the minimal to perform the same. The customer data shall be logically and physically separated from other customer data. Data shall be periodically backed up based on the customer requirement. NTT DATA Services encrypts the data at rest which resides in our environment and data in motion which leaves our environment using industry standard cryptographic techniques. In this way confidentiality, integrity and availability of the data in ensured in NTT DATA Services. 
  6. How the data will be encrypted (described in such a manner as to protect data security): NTT DATA Services encrypts the data at rest which resides in our environment and data in motion which leaves our environment using industry standard cryptographic techniques.

Ookla, Inc

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term

Contract Start Date: 2/15/2021
Contract End Date: 8/14/2022

  1. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Ookla is licensing Ookla-owned Cell Analytics data. We are also licensing a Speedtest Powered Mobile SDK. The Mobile SDK may be run by the NYCDOE on its Learn@Home app. The Mobile SDK generates test results of those end users that take a Speedtest. Ookla processes these test results only for the purpose of providing the SDK and providing subsequent data to NYCDOE.
  2. Type of PII that the Entity will receive/access (check all that apply): Student PII and Other. We receive location and IP address of any end user that takes a Speedtest in the app in which the SDK is included.
  3. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor’s response: “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  4. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  5. Challenges to Data Accuracy. The Entity agrees to the procedure outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  6. Security and Storage Protections. Describe where PII will be stored or hosted: Using a cloud or infrastructure owned tool hosted by a subcontractor.
  7. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data is stored in secure datacenter facilities hosted by Amazon Web services. All data is fully encrypted at rest using EBS encryption based on the industry standard AES-256 cryptographic algorithm.
  8. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. 

The vendor selected: “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Operoo Inc.

1. The exclusive purposes for which Protected Information will be used: The Processor’s software applications will be used by NYC DOE schools to gather information from families/students and teachers/principals, to store such data, and to make such data available to appropriate individuals within the applicable school. The Processor does not itself use the data in any way.

2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: No subcontractors utilized by the Processor are able to see any Protected Information; all Protected Information received by any subcontractor is in encrypted form, not readable by a human. The Processor maintains contracts with all subcontractors that receive protected, encrypted data that require those subcontractors to maintain robust security protocols and to obey applicable federal and state law.

3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The current non-disclosure agreement between the Processor and NYC DOE started on October 1, 2020, replacing an earlier non-disclosure agreement. The current nondisclosure agreement will continue indefinitely until terminated by the NYC DOE on notice to the Processor. Following termination, all Protected Information will be deleted by the Processor upon the request of the NYC DOE after giving the NYC DOE (or the applicable school) an opportunity to export the data before deletion.

[NYC DOE Additional Information: Individual schools may have a contract period which varies based on when their agreement with Operoo began, however the NDA in place with this vendor covers the data privacy and security terms between the parties for all student PII. Operoo is obligated to destroy or return data for a particular school once the school’s agreement with Operoo terminates.]

4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. The Processor shall make any changes the NYC DOE directs it to make. Requests to amend records should be made to studentprivacy@schools.nyc.gov.

[NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All NYC DOE data is stored on Amazon Web Services servers located in the United States. All Protected Information is encrypted both while in transit and while at rest, using protocols that have been validated by an external security audit. The Processor has adopted and adheres to robust internal policies that implement best practices security guidelines, and applies an overall philosophy of only transmitting, processing and storing the minimum amount of Protected Information required to perform the function.

6. How the data will be encrypted (described in such a manner as to protect data security): As indicated in the preceding paragraph, data is always encrypted both at rest and in transit. Processor's security layers include strong cryptographic implementations (such as 256 bit encryption, 256 bit data encrypted TLS systems using AES) and defensive-in-depth network protection including firewalls and active monitoring systems. Processor periodically tests its encryption processes and other security layers to ensure their effectiveness through an ongoing security and compliance program that includes penetration testing, vulnerability testing, and code reviews, all conducted by independent third parties.

Overgrad, Inc

  1. Type of Entity: Commercial Enterprise 
  2. Contract / Agreement Term

    Contract Start Date: 4/1/2022

    Contract End Date: 6/30/2025 

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Overgrad is a college and career readiness platform to support students, schools, and community-based organizations. Overgrad will be supporting the College and Career Planning Team in integrating postsecondary readiness milestones into NYCSA while also supporting platform use at select NYC DOE schools. Student PII is required to create student accounts which will be used to assess academic preparedness for postsecondary pathways and support counseling in streamlining common counselor tasks like student transcript submission to higher education universities.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Overgrad has a number of administrative, technical, and physical safeguards in place to ensure PII will be protected. Only background-checked, key personnel ever have access to any student data at Overgrad, and they are only granted access in specific school- or student-support scenarios. All access activity is logged and can be referenced should there be any questions asked by schools, students, or parents. Data is stored using standard bank-level 256-bit AES encryption. All database connections utilize SSL encryption, meaning that data is secured at all points when utilizing Overgrad. All of Overgrad’s physical servers are located in access-controlled environments. Overgrad mitigates data privacy and security risks with automated application monitoring and patching its code and servers with the most currently available security protocols. Overgrad also contracts with an outside party to contact vulnerability testing in order to identify and remedy any potential security risks in the platform.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Panorama Education, Inc.

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term

Contract Start Date: 11/16/2021
Contract End Date: 11/16/2022

  1. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

    The administration, production, and reporting of the Student Perception Survey and NYC School Survey. Program services include, but not limited to:

    • A research backed survey instrument and the respective translations into the required languages by the NYCDOE
    • The printing, shipping, and scanning of paper surveys to capture the voices of all stakeholders across the NYCDOE
    • Collaborative project management to ensure a smooth survey taking experience for students, staff, and families
    • Guidance and execution on DOE communication strategies.
    • A robust reporting platform and user accounts for NYC educators, as well as public facing reports
    • Strategic professional development to allow for data driven action planning 
  2. Type of PII that the Entity will receive/access: Student PII
  3. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor’s response: “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.
  4. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. 
  5. Challenges to Data Accuracy. The Entity agrees to the procedure outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  6. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  7. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We take data security seriously at Panorama. We have implemented administrative, technical, and physical security measures to protect information stored in our servers, which are located in the United States. We use security safeguards such as physical access controls to buildings and files, data encryption, Secure Sockets Layer (SSL) cryptography, two-factor authentication, and firewalls to help prevent unauthorized access to the information we maintain. For more details, we invite you to take a look at our Privacy Policy at https://www.panoramaed.com/privacy/client-information-policy.
  8. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. 

The vendor checked the box “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

ParentSquare, Inc.

  1. The exclusive purposes for which Protected Information will be used: ParentSquare uses PISI for the purposes of school-home communication, as administered by districts, schools, teachers, and parents.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: When ParentSquare contracts with a third party, their organizations must maintain privacy policies as stringent as ours if we share PII with them.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: At the end of a customer's usage of the ParentSquare platform, the customer may request that ParentSquare make their data unavailable. At this point ParentSquare will disable access to the customer's data by configuring the software to disallow access. If a customer has other specific requirements, ParentSquare will engage with the customer to define the next steps. Data can be exported in a CSV file and sent to the customer. In the case that a customer has a need to permanently remove a piece of data that was mistakenly entered into ParentSquare, they can engage with ParentSquare's support organization to permanently obfuscate that data item from the live system and all future backups. [NYC DOE comment: The current agreement became effective starting on June 4, 2020 and terminates when all NYC DOE schools and/or offices cease using ParentSquare’s products/services. The terms of the agreement remain effective through the period during which ParentSquare possesses or otherwise is in control of covered protected information.]
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): ParentSquare’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilize the Amazon Web Service (AWS) technology. ParentSquare’s primary data center is on the East coast and the backup is on the West coast. We backup our data on AWS S3 and in multiple zones. ParentSquare uses AWS security best practices such as virtual private cloud, firewalls, and recommended intrusion detection. AWS’ highly secure data centers have been accredited under: SOC 1/SSAE 16/ISAE 3402, SOC 2 (formerly SAS70), PCI Level 1, ISO 27001, and FISMA.
  6. How the data will be encrypted (described in such a manner as to protect data security): With ParentSquare, data is encrypted in transit and at rest to provide protection of sensitive data at all critical points in its lifecycle. All data is transmitted over HTTPS connection to and from the ParentSquare application.

Perfection Learning Corporation

  1. The exclusive purposes for which Protected Information will be used: The Personally Identified Information (PII) access collected for Perfection Next is used exclusively for the purpose of delivering the educational experience for students and teachers. The information collected is to identify the user in the system and ultimately associate progress of assignments.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: In the event, that a subcontractor or other authorized persons or entities are provided access to student, teacher, or principal data, the resource(s) will have to have completed a background check and training on handling Personally Identifiable Information.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: When the agreement ends, we will terminate the student/teacher data from our systems. [NYC DOE comment: The current agreement became effective starting on April 22, 2020 and terminates when all NYC DOE schools and/or offices cease using Perfection Learning’s products/services. The terms of the agreement remain effective through the period during which Perfection Learning possesses or otherwise is in control of covered protected information.]
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.] 
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Perfection Learning has processes and auditing in place to identify breaches and unauthorized disclosures. Should any data breach or unauthorized disclosure be identified by Perfection Learning, NYC DOE will be notified within 24 hours.
  6. How the data will be encrypted (described in such a manner as to protect data security): All data is encrypted via SSL in transit. All Personally Identifiable Information (PII) contained within Perfection Next is stored encrypted in the database at rest state.

PowerMyLearning, Inc.

  1. The exclusive purposes for which Protected Information will be used: PISI consists of basic identifying information (student name, etc.) that is used exclusively to enable access to the PowerMyLearning Application. The Application does not hold any information received from the DOE beyond basic identifying information. For example, the application does not hold teacher personnel data, student grades, student discipline history, student IEP records, or student health data.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: No subcontractors have access rights to the Application containing DOE Information. Per PowerMyLearning’s Information Security Policy, access rights to the Application production system containing DOE Information are granted only to three employees (1) Managing Director of Technology & Architecture, (2) Senior Developer, and (3) Senior Data Analyst.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon expiration of the DOE non-disclosure agreement or upon written request from the DOE, PowerMyLearning will erase from the Application any DOE confidential information. When a Microsoft Azure customer deletes a storage object (e.g., blob, file, queue, table), the pointer to this object is immediately deleted from the storage index used to locate and access the data. This operation is replicated asynchronously for Geo-Redundant Storage, which is the system that PowerMyLearning deploys for redundancy. With the storage index updated, the data is immediately unavailable. Azure Storage interfaces do not permit direct disk reads, mitigating the risk of another customer (or even the same customer) from accessing the deleted data before it is overwritten. [NYC DOE comment: The current agreement became effective starting on August 19, 2019 and terminates when all NYC DOE schools and/or offices cease using PowerMyLearning’s products/services. The terms of the agreement remain effective through the period during which PowerMyLearning possesses or otherwise is in control of covered protected information.] 
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.] 
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All PISI is stored in the US.
  6. How the data will be encrypted (described in such a manner as to protect data security): All PISI encrypted in transit. All PISI is encrypted at rest at the hard disk level. Encryption methodologies used are HTTPS SSL – SHA 256 with RSA encryption and RSA-SHA1 encryption.

Raj Technologies

The exclusive purposes for which Protected Information will be used:

RTI is providing staffing services of a Full Stack Developer to support The Division of Instructional and Information.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE:

The authorized employee/subcontractor will be bound to their own Non-Disclosure Agreement and will not collect, store, nor share any protected information.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement:

RTI does not have any plans to collect nor store Protected Information throughout the duration of this agreement (May 3, 2021-May 2, 2022) with the NYC DOE.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected:

Pursuant to its contractual obligations, the Contractor will work with the NYC DOE to process requests for copies of, and challenges to the accuracy of, Protected Information in the custody or control of the Contractor. Such requests should be directed to studentprivacy@schools.nyc.gov.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security):

RTI does not have any plans to collect nor store Protected Information throughout the duration of this agreement (May 3, 2021-May 2, 2022) with the NYC DOE.

How the data will be encrypted (described in such a manner as to protect data security):

RTI does not have any plans to collect nor store Protected Information throughout the duration of this agreement (May 3, 2021-May 2, 2022) with the NYC DOE.

Ramapo for Children, Inc.

  1. Type of Entity: Community Based Organization or Not-for-Profit 
  2. Contract / Agreement Term

Contract Start Date: December 2020
Contract End Date: June 2022

  1. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Facilitation of a Youth Council for the Office of Community Schools.
  2. Type of PII that the Entity will receive/access: Student PII
  3. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor’s response: “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  4. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.
  5. Challenges to Data Accuracy. The Entity agrees to the procedure outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  6. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  7. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Ramapo employees store and access data on a custom salesforce platform with restricted levels of access depending on the staff role. Salesforce is built with security to protect data and applications by limiting exposure of data to the users that act on it. Authentication protocols prevent unauthorized access to data by making sure each logged in user is who they say they are. Careful consideration is given to choosing the data set that each user or group of users can see, thereby limiting the risk of stolen or misused data. Specific objects (such as attendance lists or coaching notes) are only accessed by selected profiles.
  8. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

The vendor checked the box “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Reading Plus LLC

1. The exclusive purposes for which Protected Information will be used: To set up and manage your subscription to use the Reading Plus application
 
To set up and maintain your individual use account
 
To administer and protect the Reading Plus application (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
 
To use data analytics to improve our Reading Plus application and customer relationships and experiences
 
For research purposes to better understand how we can develop and improve our Reading Plus application and/or create new products to help students become better silent readers and independent learners 
 
To send marketing communications to teachers and administrative users
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: All Subcontractors sign binding NDAs that bind them to data protection agreements that Reading Plus LLC is part of. 
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Following expiration or termination of the agreement under which the Client purchased access to the Reading Plus web-based products or services, and upon receipt of written request from the Client, Reading Plus will destroy or, if agreed, return to the Client, the Student Records in its possession within a commercially reasonable period of time
 
[NYC DOE comment: The current agreement became effective starting on August 30, 2019 and terminates when all NYC DOE schools and/or offices cease using Reading Plus LLC’s products/services. The terms of the agreement remain effective through the period during which Reading Plus LLC possesses or otherwise is in control of covered protected information.]           
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected:
 
Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. 
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security):
 
Data is stored within the United States, encrypted in transit and at rest. We have put in place reasonable and appropriate security measures designed to prevent your personal data from being accidentally lost or used or accessed, altered or disclosed accidentally or in an unauthorized way. In addition, we have put in place policies and protocols designed to limit access to your personal data to those employees, agents, contractors and other third parties who have business need to know. 
 
6. How the data will be encrypted (described in such a manner as to protect data security):
 
Data is encrypted in transit with SHA-256 with RSA encryption.
 
Data is encrypted at rest with AES-256 encryption algorithm.

Really Great reading Company, LLC

  1. Type of Entity: Commercial Enterprise 
  2. Contract / Agreement Term

Contract Start Date: 7/1/2021
Contract End Date: 6/30/2026

  1. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. NYC BOE educators will receive access to Teacher Online Tools, Reading Playgrounds and Virtual Implementation Training Courses for Countdown, Blast and HD Word Curriculums. These curriculums are designed to help students learn to read.
  2. Type of PII that the Entity will receive/access: Student PII
  3. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor’s response: “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  4. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.
  5. Challenges to Data Accuracy. The Entity agrees to the procedure outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  6. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor. 
  7. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data in motion is secured with standard HTTPS protocol Transport Layer Security (TLS). Data stored at rest is encrypted, as are its automated backups, read replicas, and snapshots using Amazon AWS RDS encryption. Keys are managed with the AWS Key Management Service (KMS). All data is stored in a password protected database with strong password requirements, server based firewall limiting data access to those end-points necessary, and limits to development roles that have access to production data. Only business necessary PII will be stored. RGR applications are hosted in Amazon Web Services (AWS). More information about the physical security of AWS data centers may be found on AWS website. Access to PII and application data will be limited to only those employees who necessarily require access to data in the performance of their role with projects. Employees, who have access to PII, must complete Security Awareness Training (Coursera) and demonstrate awareness and discretion in their day-to-day practices related to security and handling of sensitive information. Employees must sign or acknowledge these policies as they relate to their role. Background checks are conducted on all employees. In the event of unauthorized access or data breach related to the client's application data, email notification will be made within three business days of discovery of this breach.
  8. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

The vendor checked the box “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Rediker Software, Inc.

  1. Type of Entity: Commercial Enterprise 
  2. Contract / Agreement Term

    Contract Start Date: 3/1/2022

    Contract End Date: 2/28/2025 

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. To provide a Student information System to manage student related data as the system of record.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution; and we use Microsoft Azure to host our teacher, parent, and student products. Microsoft is not a subcontractor but a Cloud service provider which is a company that provides a cloud-based platform, infrastructure, application, or storage services, usually for a fee. We do not provide access or provide consent to any Microsoft Representative to work on our servers or databases that are provisioned to our customers. Access to customer data by Microsoft operations and support personnel is denied by default. Microsoft does not inspect, approve, or monitor applications that customers deploy to Azure. Moreover, Microsoft does not know what kind of data customers choose to store in Azure. Microsoft does not claim data ownership over the customer information that's entered in Azure.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

    Rediker Software Inc. has implemented security policies and standards that govern and protect customers’ data. Our policies and standards are periodically revised and updated to comply with laws and regulations such as FERPA, COPPA, GDPR, HIPPA, PCI-DSS, NYE DOE Standards, and more. Rediker Software Inc. is committed to safeguarding the confidentiality, integrity, and availability of customers’ data by adopting:

    • Secure Access Control
    • Data Segregation
    • Data Redundancy
    • Encryption
    • Data and Application Security

      All platforms are highly secure and are equipped with standardized measures to manage, monitor, and protect our customers’ data.

  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Remind101, Inc.

1. The exclusive purposes for which Protected Information will be used: Remind will process Personally Identifiable Student Information (PISI) as necessary to perform the Services pursuant to the Terms of Service (https://www.remind.com/terms-of-service), and as further instructed by relevant parties in its use of the Services.
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Remind will use a vendor risk management process to evaluate new vendors and monitor existing vendors on an annual basis. The following review areas are considered for vendors with whom personal data is exchanged: Compliance Status, Compliance Report Details, if applicable, Contractual Terms (confidentiality and data protection), Data Retention, and Data Security Controls.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Remind will adhere to the obligations set forth in our Privacy Notice and other Terms and Policies published at: https://www.remind.com/terms-of-service
 
[NYC DOE comment: The current agreement became effective starting on April 10, 2020 and terminates when all NYC DOE schools and/or offices cease using Remind101, Inc.’s products/services. The terms of the agreement remain effective through the period during which Remind101, Inc. possesses or otherwise is in control of covered protected information.]           
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Remind will store data in cloud-based data centers located in the United States.
 
6. How the data will be encrypted (described in such a manner as to protect data security): Data transmitted across untrusted networks will be protected in transit using TLS V1.2 and will be stored at rest in an encrypted state using AES-256 bit encryption.

Renaissance Learning, Inc.

1. The exclusive purposes for which Protected Information will be used: To fulfill the services requested by NYC DOE (eg to provide Renaissance educational products to NYC DOE school Customers).
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Contractual obligation and periodic vendor compliance review.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Effective upon execution and continues until expiration/termination of underlying service agreement. PISI is disposed of per Exhibit D.
 
[NYC DOE comment: The current agreement became effective starting on September 24, 2020 and terminates when all NYC DOE schools and/or offices cease using Renaissance Learning, Inc.’s products/services. The terms of the agreement remain effective through the period during which Renaissance Learning, Inc. possesses or otherwise is in control of covered protected information.]           
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI is stored in the United States; PISI is encrypted at rest and hosted in the cloud by Amazon Web Services (AWS). PISI transferred on the Internet is over HTTPS. Backups are also handled by AWS and backups are also encrypted at rest.
 
6. How the data will be encrypted (described in such a manner as to protect data security): PISI is encrypted at rest (no less than AES128) and hosted in the cloud by Amazon Web Services (AWS). PISI transferred on the Internet is over HTTPS (TLS 1.2). Backups are also handled by AWS and backups are also encrypted at rest

Renzulli Learning, LLC

  1. Type of Entity: Commercial Enterprise 
  2. Contract / Agreement Term

Contract Start Date: 4/1/2021
Contract End Date: 6/30/2022

  1. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Renzulli Learning is an interactive online system that provides students with a personalized learning environment, allowing teachers to easily differentiate instruction to increase engagement and achieve higher academic performance. Renzulli Learning has resources that promote and enable ALL students to pursue their interests, providing equity, innovation and creativity for grades Pre-K through 12. Students are empowered by doing creative, imaginative projects that provide rigorous learning outcomes.

    The Renzulli Profiler quickly identifies student strengths, interests, learning and expression styles and then matches each student with thousands of personalized engaging Enrichment Activities. Renzulli Learning features robust student grouping which supports our revolutionary strength-based Project Based Learning (PBL) system. Research shows that Renzulli Learning Benefits All Students including:

    • Gifted and Talented Students
    • High Achieving Students
    • At Risk Students
    • Students with Special Needs
    • English Language Learners (ELL)

Renzulli Learning supports the development of 21st Century Learning Skills for all students, including: critical thinking, creative problem solving, creativity, time management, communication, teamwork, and global competency through our Global Collaboration module. The system has been used by millions of students across the globe, consistently increasing engagement which research demonstrates will lead to higher achievement. Renzulli Learning is available to all students throughout the school year, before, during, and after school, and all throughout the summer as well!

  1. Type of PII that the Entity will receive/access: Student PII.
  2. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  3. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.
  4. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  5. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  6. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Renzulli Learning utilizes LightEdge Solutions, Inc. an ISO/IEC 2700:2013 certified company with Corporate Headquarters in Des Moines, Iowa. LightEdge uses several third-party systems to manage data. The systems reside within LightEdge’s internal network and utilizes a web-based application only accessible from the corporate network or through a cloud provider using single sign-on (SSO) to access data. Vulnerability assessments and penetration testing are performed on a monthly and annual basis to identify threats. Any identified security vulnerabilities are triaged by their security team and monitored through resolution. Policies are in place that prohibit the transmission of sensitive information over the internet unless it is encrypted. Risk mitigation activities include the identification, selection, and development of control activities that reduce the assessed risks. LightEdge maintains administrative, technical, and physical safeguards to protect confidential information including provisioning, controlling, and monitoring of physical access into the data centers and office facilities.
  7. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. 

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Rosetta Stone Ltd

1. The exclusive purposes for which Protected Information will be used: The exclusive purposes for which “student data” or “teacher or principal data” (as those terms are defined in Education Law Section 2-d and collectively referred to as the “Confidential Data”) will be used by Rosetta Stone, Ltd. (the “Vendor”) are limited to the purposes authorized in the contract between the vendor and the NYC DOE (the “Contract”).
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: The Vendor will ensure that any subcontractors, or other authorized persons or entities to whom the Vendor will disclose the Confidential Data, if any, are contractually required to abide by all applicable data protection and security requirements, including but not limited to those outlined in applicable state and federal laws and regulations (e.g., Family Educational Rights and Privacy Act (“FERPA”); Education Law §2-d; 8 NYCRR Part 121).
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The Contract commences and expires on the dates set forth in the Contract, unless earlier terminated or renewed pursuant to the terms of the Contract. On or before the date the Contract expires, protected data may be exported by the School District in the client facing administrator tool and/or destroyed by the Vendor as directed by the School District.
 
[NYC DOE comment: The current agreement became effective starting on October 1, 2019 and terminates when all NYC DOE schools and/or offices cease using DreamBox Learning, Inc.’s products/services. The terms of the agreement remain effective through the period during which DreamBox Learning, Inc. possesses or otherwise is in control of covered protected information.]           
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected:
 
Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Confidential Data provided to Vendor by the School District will be stored in the United States and protected as per the Student Records Data Privacy Policy.
 
6. How the data will be encrypted (described in such a manner as to protect data security): The Vendor will apply encryption to the Confidential Data while in motion and at rest at least to the extent required by Education Law Section 2-d and other applicable law.

Saga Innovations, Inc. (dba Saga Education)

1. The exclusive purposes for which Protected Information will be used: Protected Information will be exclusively used for the educational purposes intended within the contracted services, to enable and enhance the tutoring experience of the participating NYC DOE students.
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: All subcontractors and other authorized persons will be subject to data protection and security policies and agreements that encompass, at a minimum, the requirements under the non-disclosure agreement with the NYC DOE.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The Protected Information will be destroyed, or to the extent requested by NYC DOE and possible, returned to NYC DOE.
 
[NYC DOE comment: The current agreement became effective starting on April 15, 2020 and terminates when all NYC DOE schools and/or offices cease using Saga Education’s products/services. The terms of the agreement remain effective through the period during which Saga Education possesses or otherwise is in control of covered protected information.]           
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. 
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information will be stored in the US. Data storage, cloud servers and services are located in state-of-the-art Amazon Web Service (AWS) data centers, or comparable cloud-service provider data centers with many years of experience in designing, constructing, and operating large-scale data centers.
 
Our operations team is trained and experienced with respect to state-of-the-art security mechanisms and policies for cloud-based services. We employ engineers and managers who have worked in other domains with critical security and availability concerns including military systems, satellite communications systems, and the website operations of large multinational companies. 
 
We routinely audit our systems for security vulnerabilities, proactively monitor security-related websites and other outlets for information on new vulnerabilities and best practices, and make system updates as needed.
 
AWS data centers (and all of our production servers and services) are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. When a storage device has reached the end of its useful life, data center procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. 
 
Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network used by our systems. We use a wide variety of automated monitoring systems to provide a high level of service performance and availability. These monitoring systems are designed to detect unusual or unauthorized activities and conditions at ingress and egress communication points. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts. Our systems are extensively instrumented to monitor key operational metrics. Alarms are configured to automatically notify operations and management personnel when early-warning thresholds are crossed on these metrics. AWS security monitoring tools help identify several types of denial of service attacks, including distributed, flooding, and software/logic attacks. Woot Math and AWS have additional protections in place against common attack vectors including Distributed Denial Of Service Attacks, Man in the Middle Attacks, IP Spoofing, Port Scanning, Packet Sniffing, Injection Attacks, and Cross-Site Scripting Attacks.
 
Our systems are architected for high availability; its core systems are deployed in N+1 and N-to-N redundancy configurations; and the system is protected against single points of failure. Servers are maintained across multiple availability zones. Each availability zone are all redundantly connected to multiple tier-1 Internet providers. In addition to discrete uninterruptible power supply and onsite backup generation facilities, each is fed via different grids from independent electrical utilities. Because of this architecture, our services are resilient in the face of most failure modes, including natural disasters or system failures. 
 
We have, in addition, a comprehensive disaster recovery strategy. We have push-button automation to stand-up and tear-down of our entire production server and service environment, and we can quickly and easily build out our infrastructure as needed in new geographical regions. We routinely test our disaster recovery capabilities by standing up new server in a new data center and restoring all data from backup. Nightly backups of all customer data are securely stored in multiple geographic regions within the US. 
 
Changes to Woot Math systems are typically pushed into production in a phased deployment sequence, with careful monitoring and testing throughout the phases. Rollback procedures for production deployments are automated and documented.
 
6. How the data will be encrypted (described in such a manner as to protect data security): Protected Information in electronic form will be encrypted both in transit and when at rest in databases or similar electronic storage environments. All user data and communicated website data is sent over secure HTTPS and SSL protocols that are designed to protect against eavesdropping, tampering, and message forgery. Password credentials are securely encrypted using cryptographic hashes and protected with variable cryptographic salts. Non-reversible hashes of more sensitive information (email addresses, phone numbers) are used in place of the actual data within our systems to the greatest extent possible.

Savvas Learning Company LLC (f/k/a Pearson)

  1. The exclusive purposes for which Protected Information will be used: To facilitate the use of the enVisionmath 2.0 program by the NYC DOE’s students.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Savvas employees with access to customer data receive training regarding data privacy best practices and applicable legal requirements. Subcontractors are bound to process data only for the purpose for which it was provided and not to disclose such data without Savvas’ permission, and are required to implement industry standard procedures and safeguards for the protection of data.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: March 1, 2019 to June 30, 2024. If, within thirty days of termination of this Agreement, the BOE has not requested surrender or destruction of Confidential Information, Savvas shall request in writing that the BOE inform Savvas whether it should continue to hold Confidential Information, or whether it should surrender or destroy it. If the BOE has failed to reply with further instructions to Savvas’ written request within sixty days of it being sent, Savvas shall destroy all Confidential Information.
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.] 
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI will be stored solely in the United States. Customer data will all be contained within the United States. The PISI is contained within an individual service, isolated from other mechanisms that make up the software. Those mechanisms refer back to the service using a unique identifier that minimizes the exposure of PISI. Furthermore, the PISI is encrypted at rest, encrypted in transmission, and firewall contained to specific systems that may require access to it, within our Virtual Private Cloud (VPC) in AWS. Access to this VPC is also restricted through a bastion system with strictly limited role based access and auditable. AWS uses FIPS 140-2 validated HSM's (Hardware Security Module). Separation of duties and rolebased access control limits AWS employees to only monitor, maintain the health and provide audit logs. AWS employees are not able to export or use our encryption keys. In addition, AWS complies with ISO 27018, a code of practice that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002 and provides implementation guidance about ISO 27002 controls that is applicable to personally identifiable information (PII) processed by public cloud service providers. For more information, please visit this link: https://aws.amazon.com/compliance/iso-27018-faqs/
  6. How the data will be encrypted (described in such a manner as to protect data security): Beginning with data at it's stored (rest) state, it is encrypted using database Transparent Data Encryption (TDE). The data is restricted to and accessed only by the dedicated service tasked with mapping relations from the unique identifier to an individual. All data in this transmission to and from the service is also secured.

Scholastic Inc.

 

The exclusive purposes for which Protected Information will be used:

Scholastic only uses personally identifiable student information to provide students and teachers with access to digital educational products to support NYC DOE’s educational goals and to benefit its students.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE:

Scholastic only shares personally identifiable student information with subcontractors who provide services Scholastic needs to deliver its digital educational products to its customers. Scholastic requires its subcontractors to agree contractually to protect personal information and to use it only as needed to provide services for Scholastic, not for their own commercial purposes. Scholastic reviews the technical capabilities of its subcontractors before engaging them and conducts ongoing oversight, periodic tests, scans and other assessments to ensure subcontractors are meeting Scholastic’s data privacy and security standard and commitments.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement:

Start date: May 4, 2021

End date: N/A. This questionnaire concerns a confidentiality/data security agreement that is meant to protect any student PII the NYC DOE discloses to the Entity currently and in the future, and helps ensure that PII will remain protected for as long as it is needed to render the covered products or services to the NYC DOE. Individual end dates may apply depending on the product, service, or the current or future contractual relationship.

The NDA starts on signing and remains in effect for as long as the agreement continues, but in any event the security and privacy terms of the agreement will remain in effect for so long as Scholastic has any personally identifiable student information of the NYC DOE in its control. Scholastic will delete or permanently de-identify personally identifiable student information at any time upon written request of the NYC DOE, when it is no longer needed for providing the services, but in any event no later than ninety days after the end of the agreement..

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected:

Parents, eligible students, teachers or principals can contact studentprivacy@schools.nyc.gov to ask for copies of student data. Scholastic will direct any requests it gets from students or parents about student data to the NYC DOE at the same email address. Scholastic will cooperate with the NYC DOE in responding to any student or parent requests. Teachers and principals may have the ability to access data directly within Scholastic’s digital educational products. 

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security):

Student data is stored in the United States in Amazon Web Services using appropriate administrative, physical and technical safeguards to protect it against unauthorized access, disclosure, alteration or use.

How the data will be encrypted (described in such a manner as to protect data security):

These safeguards include standards that align with the NIST cybersecurity framework. Protected data is encrypted in motion (currently with TLS 1.2 encryption) and at rest (currently with 128-bit AES encryption). Processor conducts periodic risk assessments and keeps audit trails and security logs to assess and remediate vulnerabilities and to protect data from deterioration or degradation. Additional measures include firewalls, anti-virus and intrusion detection, configuration control and automated backups. Data is classified by sensitivity, and access to data is rule- and role-based.

SchoolCNXT, Inc. 

 
1. The exclusive purposes for which Protected Information will be used: All PISI will be used to provide the SchoolCNXT family engagement services.
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: SchoolCNXT agrees that all subcontractors will be bound to and comply with the requirements set forth herein.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: SchoolCNXT will house and maintain the data until the NYC DoE requests in writing that the data be destroyed.  Insofar as there may be temporary lapses in the agreement from year to year, SchoolCNXT will abide by the most recent agreement in letter and spirit until a new one is executed.
 
[NYC DOE comment: The current agreement became effective starting on September 23, 2019 and terminates when all NYC DOE schools and/or offices cease using SchoolCNXT, Inc.’s products/services. The terms of the agreement remain effective through the period during which SchoolCNXT, Inc. possesses or otherwise is in control of covered protected information.]           
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All NYC DoE data is stored in the United States. 
 
6. How the data will be encrypted (described in such a manner as to protect data security): All data is encrypted both in transit via SSL and at rest at the database and disk levels utilizing encryption services provided by AWS.

Scoir, Inc

  1. Type of Entity: Commercial Enterprise 
  2. Contract / Agreement Term

    Contract Start Date: 3/1/2022

    Contract End Date: 2/28/2023 

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Scoir provides a software-as-a-service platform intended to guide high school students in their post-secondary pursuits (the “Services”). The Services enable students to search for and learn

    about collegiate, scholarship, and career opportunities; to engage with high school counselors and college admissions representatives during the college selection and admissions process; to solicit from high school faculty and administrators the creation and delivery of application-related documents; and to create, manage, and submit their applications for admission to institutions of higher education. The Services include a college guidance management system that enables high schools and their affiliated organizations to monitor and assist students in their post-secondary planning; to engage and collaborate with students, parents and guardians, and college admissions representatives; to manage the creation and delivery of application-related documents to colleges; and to collect, analyze, and report on student engagement, academic achievements, and application outcomes.

  4. Type of PII that the Entity will receive/access: Student PII, and at the discretion of BOE, Processor may also receive/access:
    • Names, title, and email addresses of schools teachers and/or administrators; and
    • Names, addresses, and email addresses of parents and guardians.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Scoir maintains an Information Security program to ensure that we are continuously monitoring and mitigating risk as a company. As part of that Scoir maintains several layers of security around the information we store and process. Scoir will provide security and privacy training for our employees to teach the importance of securing PII. Scoir follows the principle of least privilege for access to our data and systems, and this access is reviewed at least annually. Scoir uses several layers of technical controls such as industry standard encryption, system monitoring, code reviews, automated testing, etc… to protect our data, systems, networks, and other infrastructure. As part of our Information Security program Scoir will reassess risks to all of our systems at least annually and enhance controls as necessary.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Seesaw Learning, Inc.

1. The exclusive purposes for which Protected Information will be used: We only use this information to provide the Seesaw service.
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Our subprocessors have all signed a Data Protection Agreement with us, which stipulates that any data we share with them will be used exclusively to provide services to us and not for any other purposes. 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Students and their schools will always own the work added to seesaw. After the agreement expires, students and families will be provided the option to download student work and take ownership of their accounts. 
 
[NYC DOE additional information: The current agreement became effective starting on October 2, 2020 and terminates when all NYC DOE schools and/or offices cease using Seesaw’s products/services. The terms of the agreement remain effective through the period during which Seesaw possesses or otherwise is in control of covered protected information.]        
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. 
 

[NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data will be stored in the United States. Seesaw takes protecting your security and privacy seriously and we’ve put a number of measures in place to protect the integrity of your information. 
  • All passwords are salted and hashed using [redacted].
  • Seesaw routinely conducts 3rd party security audits to verify the security and integrity of our systems and internal controls. 
  • Data is stored in access-controlled data centers operated by industry leading partners with years of experience in large-scale data centers with 24/7 monitoring.
  • All user information is stored redundantly and backed up in geographically distributed data centers. We utilize multiple distributed servers to ensure high levels of uptime and to ensure that we can restore availability and access to personal data in a timely manner. 
  • We have adopted an internal data access policy that restricts access to personally identifiable information to a limited number of employees with a specific business need (such as for technical support).
  • All employees undergo a background check before beginning employment at Seesaw, sign a nondisclosure agreement, and immediately lose access to all internal systems and data when terminated. No customer information is stored on individual employee computers. 
  • We routinely monitor our systems for security breaches and attempts at inappropriate access.
  • We use encrypted QR codes for family and student access to journal content. 
 

6. How the data will be encrypted (described in such a manner as to protect data security): 

  • Seesaw uses TLS 1.2 security at the network level to ensure all account information and journal content is transmitted securely. 
  • Journal Content (e.g., the photos, video, audio, and other content you add to your Seesaw journal) is encrypted at rest. 
 

Sparkler

  1. The exclusive purposes for which Protected Information will be used: To provide the service, directly and in coordination with the BOE. Aggregated non-identifiable data may also be used to improve the service.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Data protection and security requirements that meet or exceed these requirements are a part of Sparkler’s privacy policy and all employment and contracting agreements used by Sparkler.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The agreement starts on signing, and will extend no more than a year, or until terminated by either party. Protected information held by Sparkler will be deleted at any time at the instigation of either users or the DOE, and at any rate under Sparkler’s policies will be deleted no later than one year after the end of the agreement. [NYC DOE comment: The current agreement became effective starting on April 1, 2020 and terminates when all NYC DOE schools and/or offices cease using Sparkler’s products/services. The terms of the agreement remain effective through the period during which Sparkler possesses or otherwise is in control of covered protected information.] 
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data is stored in the US, using the commercially reasonable protections afforded by AWS. Further provisions are described in the Recipients Terms of Use and Privacy Policy.
  6. How the data will be encrypted (described in such a manner as to protect data security): Sparkler is using the industry standard AES-256 encryption algorithm to encrypt all data on the server. For encrypting network communications and establishing the identity of the app, Sparkler is using industry standard SSL/TLS protocols.

ST Math - MIND Research Institute

  1. The exclusive purposes for which Protected Information will be used: Personally Identifiable Student Information (PISI) will be used to enroll/roster students into the ST Math program as well as collect usage and performance data as related to the program (i.e. progression through the program, mastery of standard, time on the program). 
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: MIND Research Institute requires all employees that will handle PISI to agree to and sign our employee handbook which details requirements each employee must adhere to in order to ensure the security of user data. Additionally, MIND Research Institute provides scheduled training and refresher training on best practices in the handling of data and requires employees to participate. 
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: PISI received from a LEA is de-identified or deleted in a reasonable period of time after the relationship between MIND Research Institute and the LEA has been terminated. [NYC DOE comment: The current agreement became effective starting on September 18, 2019 and terminates when all NYC DOE schools and/or offices cease using ST Math’s products/services. The terms of the agreement remain effective through the period during which ST Math possesses or otherwise is in control of covered protected information.]
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): MIND Research Institute's infrastructure is hosted within the United States. We design and implement our systems to provide resiliency against server, segment, and geographic failure, through the implementation of a clustered redundant architecture that yields highly available service endpoints. which provide resiliency against server, segment, and geographic failure. We utilize service providers whose systems have been certified for compliance with security standards including ISO 27001. 
  6. How the data will be encrypted (described in such a manner as to protect data security): Unauthorized access of User data is a real risk facing the users of today's electronic information services. MIND Research Institute strives to keep informed of these risks, and we work diligently to combat them. One method of protecting User data is to utilize cryptography to prevent data visibility in the event of its unauthorized access. MIND Research Institute leverages cryptography to protect user data in the following two ways:
  • Data in Transit. Our services support Transport Layer Security (“TLS”) to encrypt User communications (TLS 1.0 or greater and only the strongest ciphers). Data transferred between our Site and its end Users (including credential submission, data uploads, and data downloads) are sent over TLS connections, which protect such data using strong encryption, so that data in transit is kept in a private channel between the intended User and our systems.
  • Data at Rest. User data that contains personally identifying information, when “at-rest” (i.e., when in storage) is encrypted using industry standard AES-256. There are two types of "at rest" storage:
  • Database. Database server disk storage is “volume” encrypted (i.e., encrypted at the level of the database).
  • User Files. User files are individually encrypted before being recorded on long-term, secondary storage systems.

STRIDES Via Transportation, Inc. 

 
1. The exclusive purposes for which Protected Information will be used: Scoping for the STRIDES project plan
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: N/A – only Via employees will have access to student, teacher or principal data
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Starts October 15, 2019 and ends upon execution of the Requirements Agreement by and between the Board of Education of the City School District and the City of New York and Via Transportation, Inc., at which point the confidentiality and information security provisions of that agreement will govern use of NYC DOE Confidential Information.
 
[NYC DOE comment: The current agreement became effective starting on October 15, 2019 and terminates when all NYC DOE schools and/or offices cease using Via Transportation, Inc.’s products/services. The terms of the agreement remain effective through the period during which Via Transportation, Inc. possesses or otherwise is in control of covered protected information.]
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): The PISI will be stored in the US. 
 
Via servers are hosted on AWS. Access to AWS and VIA’s operational tools is granted only through a 2-factor authentication mechanism to authorized personnel. Via requires an authorized account for all network logins, all users have their own credentials and a user in the multi factor Octa system. 
 
All network and security devices support Secure Shell (SSH) and / or HTTPS for administration of the devices. All of our services are running in secured VPC’s, with proper network segmentation and stateless firewalls.
 
6. How the data will be encrypted (described in such a manner as to protect data security): Via uses appropriate encryption technologies to protect data stored on its corporate and production servers based on the sensitivity of the data elements in question. To the extent that Via uses any third-party cloud servers or other storage assets to store sensitive information, the Via information technology and information security teams will configure use of such third-party servers to turn on/enable/use available authentication and encryption technologies. The following minimum encryption protocols will be implemented when creating or storing transmitting sensitive data: 
 
Via shall use 256-bit SSL when transmitting sensitive data over the internet. 
 
Wireless network transmissions will be encrypted.
 
Audit logs that contain sensitive data will be sanitized or removed from the logs. 
 
Via uses AWS Key Management Service as the main KMS. AWS KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect our keys. 
 
AWS KMS is integrated with AWS CloudTrail to provide audit logs of all key usage. 
 
All endpoints that connect to Via’s network are disk-encrypted using industry-standard encryption. Personal client information is never stored on the client-side device

Suntex International Inc. (First in Math)

  1. The exclusive purposes for which Protected Information will be used: We do not absorb, display or store any sensitive data in this process. As part of a typical data sync, the district will provide information regarding the school buildings, the classroom that exist, and the teachers that are assigned to those classrooms. Lastly, a list of students and what classes they belong to is provided. In the most common application, these files are transmitted nightly through Clever. The syncing process will automatically establish accounts, preserving the teacher/student relationship. As this relationship changes, and students move to a different classroom, or school building this change is reflected in vendor’s website. If student no longer appears in the data feed, the student will be held in a reset/deactivated status until they appear again. Teachers that are no longer teaching the classrooms associated with the program will be removed as indicated by the feed. There are some cases where the relationship is not correctly reflected in the SIS, or the student’s classroom assignment is ambiguous. In this case the teacher may use tools to find students that are deactivated or exist in an unassigned pool for that grade level using a drag and drop tool. The teacher may also examine a roster and determine that a student is either no longer in that classroom, or that they no longer exist within that school, or reset a password, though passwords are not relevant when an SSO sign in method is being used. A building level administrator may have additional tools to move students to different classrooms within the building.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE:  Suntex does not use subcontractors. Company employees follow proper policy in handling data for initial import of district data, trouble-shooting, customer service. We take reasonable measures to protect the confidentiality of the Data as required by federal and state laws and regulations applicable. We establish technical and physical security measures to ensure the confidentiality, integrity and availability of the Data.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Traditionally, we retain the current school year and one-year prior of data. Before each school year we purge any older data. At the end of the contract period or upon request, information will be returned to a NYC DOE, or at such point that the Data are no longer needed for the purpose referenced in this Agreement, or, at the sole discretion of NYC DOE, securely destroyed, and all electronic Data purged from the network in a manner that does not permit retrieval of the data.
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data will be stored within the Atlanta Data Center of Aptum Technologies, 106 Jefferson Street, Suite 300, San Antonio TX 78205 (Formerly Cocego-Peer1), a top-tier and leading hosting provider. Multiple approaches to data security include physical security (CCTV, biometric access control, on-site guards), network and application protection, including DDoS protection, hardware fire, load balancer, and access through VPN only. The next layer of security includes alert logic monitoring and McAfee enterprise anti-virus. Web Site access is only allowed using SSL (2048-bit). The environment is kept clean, installing only the necessary applications and features, and is kept up-to-date with the latest security patches. 
  6. How the data will be encrypted (described in such a manner as to protect data security): All data in motion will be encrypted either via Secure HTTP (HTTPS), SFTP, or another approved encryption mechanism. In general, Email send and receive is protected by TLS in its transmission, but is not generally an acceptable means of passing confidential information.

TalkingPoints

  1. The exclusive purposes for which Protected Information will be used: To provide a two-way translated messaging platform between school & district administrators, teachers and parents.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: As described in Attachment B, TalkingPoints has implemented strict controls over physical, environmental, and software security for all employees and contractors.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: TalkingPoints will either delete or return, within a commercially reasonable period of time but not to exceed 45 days, all personally identifiable information upon the expiration of any agreement when requested to do so by notification from the contracting party; [NYC DOE comment: The current agreement became effective starting on May 29, 2020 and terminates when all NYC DOE schools and/or offices cease using Talking Points’ products/services. The terms of the agreement remain effective through the period during which Talking Points possesses or otherwise is in control of covered protected information.] 
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. Any parent, student, eligible student, teacher or principal may correct inaccurate student data or teacher or principal data that is collected. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information will be stored in the U.S. As described in Attachment B of the Agreement, TalkingPoints’s infrastructure is built on industry-tested technology and security practices.
    • TalkingPoints uses encryption, firewall, and network security software.
    • TalkingPoints uses single sign-on (SSO) and twofactor authentication (TFA).
    • Low-level auditing software is supported for all external providers (AWS, Atlas) to record potentially malicious actions that may take place.
    • TalkingPoints runs periodic penetration tests, then logs and resolves discovered issues.
    • All TalkingPoints clients use TLS/SSL when communicating with our servers.
    • TalkingPoints has a host-based intrusion detection system to detect unauthorized access to production hosts.
    • Audit logs are sent to a central location for storage and analysis. Access to production servers and interaction with production systems is audited and logged.
  6. How the data will be encrypted (described in such a manner as to protect data security): All student data or teacher or principal data is stored on cloud servers within the United States and protected with industry standard and best practices procedures, including AES256-CBC encryption when in transit and when stored at rest.

Tech4Learning, Inc.

1. The exclusive purposes for which Protected Information will be used: To access the Wixie online authoring tool.

2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: N/A - We will not share student data with subcontractors or other persons or entities.

3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: At agreement start protected data will be uploaded by NYC DOE staff to Wixie. At agreement end protected data will be deleted unless return instructions are provided.

[NYC DOE additional information: The current agreement remains effective through the period during which Tech4Line, Inc. possesses or otherwise is in control of covered protected information.]

4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Contractor. 

[NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov]

5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected data is stored in our San Diego, CA-based data center. Data is protected via biometric, physical, and logical security.

6. How the data will be encrypted (described in such a manner as to protect data security): Data transmitted to Wixie and data at rest will be secured using industry best practices.

TestOut Corporation

The exclusive purposes for which Protected Information will be used:

To facilitate the student using our online courseware – LabSim. LabSim is TestOut’s learning platform. It delivers our certification and courses, including our best-of class IT simulations. It also provides tools for educators to manage and assess student learning. The LabSim courses keep students engaged and allow them to monitor their progress. LabSim is a flexible and cost-effective solution for IT education.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE:

Process does not utilize subcontractors which have access to Confidential Information.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement:

Upon expiration or termination of the Agreement, Processor will securely destroy all Confidential Information within 60 days. All data destruction will follow the NIST SP800-88 guidelines. If requested by DOE, Processor will provide Confidential information to DOE in an agreeable format prior to securely destroying all Confidential Information.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected:

Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security):

Processer employees industry standard measures to protect Confidential Information from unauthorized access while the data is in transit or at rest which align with the NIST Cybersecurity Framework. Data in transit is encrypted with TLS 1.2 and data at rest is encrypted with AES-256. The servers are hosted in an environment using a firewall that is updated according to industry standards. Passwords are protected following the password guidelines in Article 4.3 of NIST 800-63-3. We only provide access to Confidential Information to employees that are performing the Services. All data stored is on serves located in the United States.

How the data will be encrypted (described in such a manner as to protect data security):

Data in transit is encrypted with TLS 1.2, and data at rest is encrypted with AES-256.

TPR Education LLC

The exclusive purposes for which Protected Information will be used:

To fulfill TPR’s obligations under its agreement with the DOE, including but not limited to test preparation and tutoring services.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE:

Subcontractors do not have access to confidential data.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement:

For the term of the underlying agreement. At contract end, Protected Information will be deleted as provided in the underlying agreement between the DOE and TPR.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected:

Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security):

All data resides in the United States. Systems are protected using industry standard security practices by using a combination of encryption, role/group-based permissions, firewalls, and passwords.

How the data will be encrypted (described in such a manner as to protect data security):

Data will be encrypted at rest using AES-256 at the disk level. SQL encryption on certain fields, and TLS 1.2 SSL for encryption in transit.

Vanguard Direct, Inc.

  1. The exclusive purposes for which Protected Information will be used: To communicate information to students and/or parents/guardians on behalf of different DOE divisions.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: All subcontractors are required to sign an equivalent NDA with the Processor.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: All information used for the mailing will be purged from Processor’s system and a destruction certificate will be provided to the NYC DOE.
    • [NYC DOE additional information: The current agreement became effective starting on January 13, 2021 and remains effective through the period during which Vanguard Direct, Inc. possesses or otherwise is in control of covered protected information.]
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Stored only in the US.
  6. How the data will be encrypted (described in such a manner as to protect data security):
    • Data in transit will use either Secure Shell (SFTP) or TLS over FTP (FTPs).
    • Data at rest are encrypted using 256-bit SSL (Secure Sockets Layer)

Worked, Inc

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term
    Contract Start Date: 5/16/2022
    Contract End Date: 5/27/2022
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. WorkED is creating a 20 hour Cybersecurity Externship which is a Work Based Learning Program for NYC DOE high school students to engage with Cyber careers.
  4. Type of PII that the Entity will receive/access: Student PII
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. 
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.
  8. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  9. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  10. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We collect the minimum amount of data required to successfully operate our programs. In the case where information is obtained from a student that is under the PII label, we only keep that sensitive within our lead teacher, leadership, and lead host team members. Everyone is trained on the right practices. All sensitive data collected in our service is encrypted and aligned with best practices and we have controls which support this collection and data use.
  11. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

WSD Digital LLC (dba ReFrame Solutions)

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term:

    Contract State Date: 7/19/2021

    Contract End Date: 7/19/2022

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

    The ReFrame system is housing student first name and last name. The ReFrame System is housing parent or guardian phone number only. The system receives updated student first name and last name from school Principal. Parent phone numbers are received from school Principal. This PII data is used for communication purposes only for the Bronx Technology and Engineering Academy.

  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ReFrame Engage is delivered on a SaaS (Software as a Service) basis, with Cloud hosting supplied by a secure, highly reliable, and redundant AWS Cloud (using geographically diverse data backup). The application is designed to provide access to data on a need-to-know basis, always protecting PII and privacy including the segregation or suppression of sensitive data where appropriate based on Role Permissions. All data is encrypted in transit and at rest. Employees undergo annual cybersecurity training as part of HR policy.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Xello Inc

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term: [NYCDOE Comment: Agreement with Xello Inc was signed on 11/3/2021]
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Xello provides college & career readiness software that allows students to discover relevant college, university, trade, military and career options based on their personality, skills, and knowledge. Xello requires certain PII in order to provision accounts for teachers and students, and for teachers to be able to interact with their students.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

    Physical Controls:

    • Environmental control (constant temperature and humidity maintenance, particulates filtration), fire suppression systems, redundant power sources and UPS backup.
    • Round the clock physical security (card entry, video monitoring of the facilities).
    • Data center access logs (Azure).

    Administrative Controls:

    • Utilization of the principle of least privilege.
    • Vulnerability testing.
    • Security awareness training (including FERPA and COPPA).
    • Criminal background checks on all employees.
    • Employee NDAs.

    Technical Controls:Logging and auditing of network access.

    • Continuous monitoring (SIEM)
    • Firewall & endpoint protection.
    • Network segregation.
    • Encrypted data in transit through the use of TLS 1.2
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Zoobean LLC

The exclusive purposes for which Protected Information will be used:

Students’ first and last name will be used to personalize the experience when logged into our application. Their email address or school district username will be used for authentication purposes in the instances where SSO [NYCDOE comment: single sign on] isn’t available. Their age and/or grade level will be used to place them into the appropriate reading challenges for their age group. Finally, their section enrollment will be used to allow their teachers access to their reading history and achievement data.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE

We do not share student data with subcontractors or anyone outside of full-time employees directly supporting our work with NYC DOE. All Zoobean emloyees are required to complete a background check including social security number trace, nationwide criminal database search, sex offender registry search, county criminal court search, and domestic watchlist search. Employees attend semiannual company training and performance reviews that may include, but or not limited to, abiding by all current data protection and security requirements.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement:

When the agreement expires and NYC DOE no longer wishes to utilize our application, all data related to their district will be fully deleted from the database and all stored backups. Once the data is fully destroyed, the application will disconnect from the preferred NYC DOE SSO & Rostering service and their sites fully decommissioned.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected:

Pursuant to its contractual obligations, the Contractor will work with the NYC DOE to process requests for copies of, and challenges to the accuracy of, Protected Information in the custody or control of the Contractor. Such requests should be directed to studentprivacy@schools.nyc.gov. We obtain our student/teacher data directly from 3rd party vendors like Clever and Classlink, or custom integrations. In all of those instances, we have the means to import the data so it matches the data found in those services.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security):

All information will be stored in the US.

How the data will be encrypted (described in such a manner as to protect data security):

The data in the database is encrypted at rest and all data is encrypted end-to-end while in transit via TLSv1.2.

Zoom

1. The exclusive purposes for which Protected Information will be used: To provide the Services as described on Attachment A.
The personal data transferred may be subject to the following basic processing activities:
 
• account configuration and maintenance;
• facilitating conferences and meetings between data subjects and third party participants;
• hosting and storing personal data arising from such conferences and meetings solely for the purposes of providing the services;
• customer/ client technical and operational support
 
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Zoom shall ensure that each subcontractor is contractually bound by an agreement that includes confidentiality and data security obligations equivalent to, and no less protective than, those found in Zoom’s agreement with the NYC DOE.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Within thirty (30) days of contract termination, Customer may download any stored Protected Information. After that thirty (30) day window, Zoom will delete in accordance with its data deletion protocols.
 
[NYC DOE comment: The current agreement became effective starting on May 1, 2020 and terminates when all NYC DOE schools and/or offices cease using Zoom's products/services. The terms of the agreement remain effective through the period during which Zoom possesses or otherwise is in control of covered protected information.]
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
 

[NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All content stored by Customer will be stored in the US via Amazon Web Services (“AWS”).
 
Zoom uses a network of co-located data centers to provide the real-time communications service to our customers. Customers/End Users are connected to the co-location that is nearest to their geographic location. At the customer request certain datacenters can be disabled on the account. Data does not permanently reside in the co-located datacenters. Zoom leverages AWS in the U.S. for persistent storage of Customer Content (i.e., cloud recordings, chat logs, meeting reports)
 
Zoom has data centers in the following locations:
New York
San Jose, California
Denver
Toronto
Amsterdam
Sydney
Melbourne
Frankfurt
Tokyo
Sao Paulo
Mumbai
Vancouver
China
 
Zoom follows the recommended security controls established by the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Zoom's security framework includes role based security access controls (RBAC) that enable or prevent access to client data based on the principle of "least privilege" necessary for an employee's job function. Additionally, technologies are in place to protect against outside threats, including controls such as network perimeter firewalls, security groups, intrusion detection systems/next-generation firewall (advanced threat protection), file integrity monitoring (FIM), security information and event management (SIEM), endpoint anti malware protections, and company-wide multi-factor authentication to Zoom IT resources, to mention a few.
 
Additionally, Zoom is working towards incorporating compliance with NIST 800-53 standards and leveraging these standards for the further development and maintenance of its overall, strategic security plan.
 
6. How the data will be encrypted (described in such a manner as to protect data security): For Zoom client (application):
By default, Zoom encrypts in-meeting and in-webinar presentation content at the application layer using TLS 1.2 with Advanced Encryption Standard (AES) 256-bit algorithm.
 
For dial-in participants joining by phone, the audio is encrypted until it leaves Zoom's data centers and is transferred to the participant's phone network.
 
Encryption can be required for H.323 and SIP devices joining Zoom meetings. This setting is configured at the account level, group, or user level. Once enabled, encryption will need to been abled on these devices when joining your Zoom meeting or they will receive an error and be unable to join.
 
Note: You can also enable or disable encryption for chat.
 
For more details, please refer to the article: https://support.zoom.us/hc/en-us/articles/201362723- Encryption-for-Meetings
 
Data at rest is protected leveraging Amazon Server Side Encryption (SSE) using 256-bit Advanced Encryption Standard (AES-256)
Back to Top