Vendors R-Z

New York Education Law §2-d gives parents the right to access certain information about agreements the NYC DOE has entered into with outside entities (such as vendors) who are permitted to receive or to access identifiable student information from the DOE. These entities are required to answer a number of questions about their privacy and data security practices. Responses from such outside entities to these questions are found below. Please note that this page will be updated on a periodic basis with responses from additional outside entities.

PLEASE NOTE: The entities listed below do not comprise a list of “approved DOE vendors” and therefore should not be thought of as such. Some entities listed below may have agreements that have expired or were terminated, but whose information has not yet been moved or removed. Other entities, whose names do not appear below, may have agreements with the DOE, or agreements that are in progress, but their responses are still being processed and have not yet been posted. Additionally, there are some entities that do not collect personally identifiable information. Their information may not appear below. 

Listed in Alphabetical Order:

R K Software

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. This agreement is for our firm to provide Staffing Augmentation to the DOE for a range of services including Software Development, Network Engineering, Server Deployment and Management, Business Analysis, and Project Management. All of the staff we provide will work with NYC DOE equipment and within DOE systems. No PII will be received or stored by our firm or anyone other than the staff hired to work with the DOE. R K Software Inc.’s staff members, consultants, or subcontractors working with the DOE may need to access PII to troubleshoot issues, develop initiatives, provide adequate support, communicate with relevant parties or other similar reasons.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: R K Software Inc.’s staff members, consultants, or subcontractors will only access PII; they will not store, host, or collect any PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below. We will not store, host or collect any PII.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. R K Software Inc.’s staff members, consultants, and subcontractors will be trained to handle Student PII information. They will follow the security practices and protocols described in our Education Security Policy, particularly those listed in Section II on confidential information and privacy.

  • R K Software Inc.’s staff members, consultants, and subcontractors keep all confidential information private through many security measures in compliance with the NIST Cybersecurity Framework. All confidential information is kept in confidence and not disclosed to anyone or any third party, not used for the benefit of R K Software Inc. or another entity, or for any other purpose than that agreed upon with the New York City Department of Education.
  • R K Software Inc.’s staff members, consultants, and subcontractors use commercially reasonable efforts to secure and defend any system housing confidential information against third parties who may seek to breach the security thereof, including but not limited to breaches by unauthorized access or making unauthorized modifications to the system.
  • R K Software Inc.’s staff members, consultants, and subcontractors protect all confidential information when in transit and at rest. When in transit, information and data are encrypted. When at rest, information and data are protected by passwords, firewalls, and other measures. Scripts and queries cannot penetrate the encryption or protections.
  • Confidential information may be in the original format or a copy. Both are equally protected.
  • When R K Software Inc. and its staff members, consultants, and subcontractors no longer need to have confidential information, the information will either be returned (in a secure way) to the New York City Department of Education or destroyed so that the data are unusable and unrecoverable.
  • Any reports or applications which contain confidential information will have prominent confidentiality notices in legible-sized fonts on each page.
  • Web applications containing confidential information will be non-cacheable.
  • Confidential information will not appear in URLs.
  • In development, test, and QA environments test data that is NOT confidential will be used.
  • R K Software Inc. and its staff members, consultants, and subcontractors will review and comply with any additional requirements from the New York City Department of Education.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. No PII will be stored or hosted by Entity.

Raj Technologies (also called RTI) (for a Vaccine Tracker)

Type of Entity: Commercial Enterprise

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Contractor will be responsible for the provision of support services for the Vaccine Tracking Enhancements Project to provide information about COVID-19 and test results to ensure the safety of students, staff and communities. Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.

Type of PII that the Entity will receive/access: Student PII. “The Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “The Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. “The Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.”

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. “The Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.”

Rally! Education

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. RALLY! Education® digital products use advanced encryption technology to protect online data. The purpose of each digital product is to help students understand and master the NY Next Generation Learning Standards and prepare for the spring NY State Tests. Our digital programs stand alone on secured website servers. There is no need to access all student PII - we only require student, teacher, and admin email addresses and school-created passwords to set up the program - no other confidential information is needed or required. Our programs do not require All transmission of data other than diagnostic student, class, and grade reports using Secure Sockets Layer (SSL) protocols to encrypt the data being transmitted. In addition, all educational student and teacher names are stored on RALLY! Education® secured servers and are encrypted. RALLY! Education® servers use the latest security software to detect and defend from attacks and unauthorized access and are monitored daily. All transmission of data utilizes Secure Sockets Layer (SSL) protocols to encrypt the data being transmitted. In addition, all educational and personal information stored on RALLY! Education® servers is encrypted. RALLY! Education® servers use the latest security software to detect and defend from attacks and unauthorized access.

Type of PII that the Entity will receive/access: Student PII. The vendor specifies that “NYC DOE is the sole owner of any student and teacher data. The only information that is needed is the student’s name and teacher email/or ID and any passwords that the site or DOE sets up. For example, teachers and students can use their assigned NYC DOE ID number as their passwords or create unique passwords.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor specifies “RALLY! Education® is the sole source provider, and we do not contract with third-party providers.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. The vendor specifies that “All data is deleted on the RALLY! Education® servers. NYC DOE is the sole owner of all reports by student, class, and grade.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All class rosters provided to RALLY! Education® are the sole owner of NYC including the reporting data. Unless directed, there is no link between NYC DOE's website and our digital products. Depending on which products are purchased, each school receives access to a password protected URL unique to each school. We use password protected logins for all access on our secured servers. Administrators, teachers, and students also receive unique passwords to access the specific level of the product. (Administrators have access to all levels purchased, teachers have access only to the students in their class or classes, students can only access their grade level.) Diagnostic Reporting tools can be found within the Administration and Teacher portals. The reports can be downloaded and shared for meetings - no other private information is needed or required. During each semester, additional classes and students can be added or updated, and NYC is the sole owner. At the end of the agreement term, NYC will have copies of the data within the system for the school year. If NYC DOE prefers that RALLY! Education® set up the school's passwords, we will do it within the confines of what the DOE requires. If NYC DOE uses Class Link®, we follow the secured protocols as stated by Class Link® for PII (although our products do not require complete PII access). In addition, RALLY! Education® uses advanced encryption technology to protect online data. All transmission of data utilizes Secure Sockets Layer (SSL) protocols to encrypt the data being transmitted. In addition, all educational and personal information stored on RALLY! Education® servers is encrypted. RALLY! Education® servers use the latest security software to detect and defend from attacks and unauthorized access and are monitored daily.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor specifies “RALLY! Education® encrypts all student and teacher data. All diagnostic reports are available through a unique login. No other confidential information is needed or shared. NYC DOE is the sole owner of any student and teacher data. The only information that is needed is the student’s name and teacher email/or ID and any passwords that the site or DOE sets up. For example, teachers and students can use their assigned NYC DOE ID number as their passwords or create unique passwords.”

Ramapo for Children

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 12/2020 – 6/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Facilitation of a Youth Council for the Office of Community Schools.

Type of PII that the Entity will receive/access: Student PII

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor’s response: “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedure outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Ramapo employees store and access data on a custom Salesforce platform with restricted levels of access depending on the staff role. Salesforce is built with security to protect data and applications by limiting exposure of data to the users that act on it. Authentication protocols prevent unauthorized access to data by making sure each logged-in user is who they say they are. Careful consideration is given to choosing the data set that each user or group of users can see, thereby limiting the risk of stolen or misused data. Specific objects (such as attendance lists or coaching notes) are only accessed by selected profiles.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. The vendor checked the box “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Reading Horizons

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Tech-enabled foundational reading instruction that helps all students reach reading proficiency.

PII: IP Addresses of users, Use of cookies, etc., Other application technology meta data, meta data on user interaction with application, standardized test scores, language information (native, or primary language spoken by student), student school enrollment, student grade level, specific curriculum programs, student scheduled courses, teacher names, English language learner information, Local (School district) ID number, Provider/App assigned student ID number, Student First and/or Last name, Program/application performance, Academic or extracurricular activities a student may belong to or participate in.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Azure, AWS, Google.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Reading Horizons enforces role-based access controls, maintains comprehensive data privacy policies, and conducts regular employee training. Technical controls include encryption, robust network security, and vulnerability assessments.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Reading Plus

The exclusive purposes for which Protected Information will be used: To set up and manage your subscription to use the Reading Plus application. To set up and maintain your individual use account. To administer and protect the Reading Plus application (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data). To use data analytics to improve our Reading Plus application and customer relationships and experiences. For research purposes to better understand how we can develop and improve our Reading Plus application and/or create new products to help students become better silent readers and independent learners. To send marketing communications to teachers and administrative users.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: All Subcontractors sign binding NDAs that bind them to data protection agreements that Reading Plus LLC is part of. 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Following expiration or termination of the agreement under which the Client purchased access to the Reading Plus web-based products or services, and upon receipt of written request from the Client, Reading Plus will destroy or, if agreed, return to the Client, the Student Records in its possession within a commercially reasonable period of time. 

[NYC DOE comment: The current agreement became effective starting on August 30, 2019 and terminates when all NYC DOE schools and/or offices cease using Reading Plus LLC’s products/services. The terms of the agreement remain effective through the period during which Reading Plus LLC possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data is stored within the United States, encrypted in transit and at rest. We have put in place reasonable and appropriate security measures designed to prevent your personal data from being accidentally lost or used or accessed, altered or disclosed accidentally or in an unauthorized way. In addition, we have put in place policies and protocols designed to limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know.

How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted in transit with SHA-256 with RSA encryption. Data is encrypted at rest with AES-256 encryption algorithm.

ReadWorks

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ReadWorks allows students to read our material and submit responses to questions and writing prompts as part of an online class. All data is stored exclusively for educational purposes, primarily to ensure the smooth functionality of the website itself. No student PII is utilized for commercial or marketing purposes, nor is it retained after a student’s use of the site is discontinued by that student’s teacher.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ReadWorks stores and processes student data in accordance with industry best practices. This includes encryption and appropriate administrative, physical, and technical safeguards including firewalls to secure Student Data from unauthorized access, disclosure, and use. We conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. We regularly perform system audits and work to ensure all of our software has the latest security-related patches and updates.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Really Great Reading Company

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2022 – 8/31/2029

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Really Great Reading’s Products are designed to provide foundational reading skill instruction for students in grades PK‐12 via Teacher Online Tools, Reading Playgrounds, and Virtual Implementation Training Courses for our Phonics Suite Programs. Really Great Reading receives and accesses PII for purposes of providing students with practice opportunities within Really Great Reading’s Reading Playground digital platform and facilitating the monitoring of student performance and progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data in motion is secured with standard HTTPS protocol Transport Layer Security (TLS). Data stored at rest is encrypted, as are its automated backups, read replicas, and snapshots using Amazon AWS RDS encryption. Keys are managed with the AWS Key Management Service (KMS). All data is stored in a password protected database with strong password requirements, server-based firewall limiting data access to those end‐points necessary, and limits to development roles that have access to production data. Only business‐necessary PII will be stored. RGR applications are hosted in Amazon Web Services (AWS). More information about the physical security of AWS data centers may be found on the AWS website. Access to PII and application data will be limited to only those employees who necessarily require access to data in the performance of their role with projects. Employees who have access to PII must complete Security Awareness Training (Coursera) and demonstrate awareness and discretion in their day‐to‐day practices related to security and handling of sensitive information. Employees must sign or acknowledge these policies as they relate to their role. Background checks are conducted on all employees. In the event of unauthorized access or data breach related to the client's application data, RGR will provide requisite notification in accordance with Section 5(f) of this Agreement.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Red Circle Solutions (for School App Express)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. School App Express is a product that provides custom apps for schools, which schools can operate through a website. The app sends out push notifications, makes mass calls (when schools are closed, etc.), sends mass emails, and sends mass text messages as well. School App Express does not collect or store any data for students or parents that is not related to messaging and communication.

Type of PII that the Entity will receive/access: Student PII and Other: Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data is encrypted by Azure Transparent Data Encryption. Employees must use MFA to access cloud services.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Rediker Software

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 3/1/2022 – 2/28/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. To provide a Student Information System to manage student-related data as the system of record.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally-hosted solution; and we use Microsoft Azure to host our teacher, parent, and student products. Microsoft is not a subcontractor but a Cloud service provider, which is a company that provides a cloud-based platform, infrastructure, application, or storage services, usually for a fee. We do not provide access or provide consent to any Microsoft Representative to work on our servers or databases that are provisioned to our customers. Access to customer data by Microsoft operations and support personnel is denied by default. Microsoft does not inspect, approve, or monitor applications that customers deploy to Azure. Moreover, Microsoft does not know what kind of data customers choose to store in Azure. Microsoft does not claim data ownership over the customer information that's entered in Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Rediker Software Inc. has implemented security policies and standards that govern and protect customers’ data. Our policies and standards are periodically revised and updated to comply with laws and regulations such as FERPA, COPPA, GDPR, HIPAA, PCI-DSS, NYE DOE Standards, and more. Rediker Software Inc. is committed to safeguarding the confidentiality, integrity, and availability of customers’ data by adopting:

  • Secure Access Control
  • Data Segregation
  • Data Redundancy
  • Encryption
  • Data and Application Security

All platforms are highly secure and are equipped with standardized measures to manage, monitor, and protect our customers’ data.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Regents Booster

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2022 – 8/31/2029

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We created an online learning program with a controlled environment where each student can advance at his or her own pace. The full high school curriculum on certain science and history subjects is now being offered in digital format and allows for note-taking, highlighting, audio, bookmarking, encyclopedia lookup for further research, search options, and translations, helping students who have difficulty reading or those students for whom English is their second language. The digital eBook copy can also be used together with the printed copy, further enabling the retention of the materials taught in class.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, specifically “Amazon secure data centers using AWS and GCP technology.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We have a Platform that has implemented industry best in class security, privacy, and compliance controls. Regents Booster has a platform that is CCPR, GDPR, PCI DSS compliant, with a star level 1 certificate. Our Physical Infrastructure is hosted & managed by the Amazon Secure Data Centers and uses AWS and GCP Technology and is constantly managed for Risk and undergoes recurring assessments to ensure compliance to industry best standards. All student/user data is hosted in the USA. Data is encrypted in transit (SSL/TLS) and at rest (AES 256).

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Remind101

The exclusive purposes for which Protected Information will be used: Remind will process Personally Identifiable Student Information (PISI) as necessary to perform the Services pursuant to the Terms of Service (https://www.remind.com/terms-of-service), and as further instructed by relevant parties in its use of the Services.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Remind will use a vendor risk management process to evaluate new vendors and monitor existing vendors on an annual basis. The following review areas are considered for vendors with whom personal data is exchanged: Compliance Status, Compliance Report Details, if applicable, Contractual Terms (confidentiality and data protection), Data Retention, and Data Security Controls.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Remind will adhere to the obligations set forth in our Privacy Notice and other Terms and Policies published at https://www.remind.com/terms-of-service.

[NYC DOE comment: The current agreement became effective starting on April 10, 2020 and terminates when all NYC DOE schools and/or offices cease using Remind101, Inc.’s products/services. The terms of the agreement remain effective through the period during which Remind101, Inc. possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Remind will store data in cloud-based data centers located in the United States.

How the data will be encrypted (described in such a manner as to protect data security): Data transmitted across untrusted networks will be protected in transit using TLS V1.2 and will be stored at rest in an encrypted state using AES-256 bit encryption.

Renaissance Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 10/1/2021 – 9/14/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. To fulfill the services requested by NYC DOE (e.g. to provide Renaissance educational products to NYC DOE school Customers). [DOE comment: The educational products included are Renaissance Accelerated Reader, Freckle, myIGDIs for Preschool, myON, Renaissance Star Assessments, and Lalilo.]

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII is stored in the United States for all Renaissance products except Lalilo. Lalilo PII is currently stored on servers located in France but we anticipate moving to US servers for our US Lalilo customers in the near future; PII is encrypted at rest and hosted in the cloud by Amazon Web Services (AWS). PII transferred on the Internet is over HTTPS. Backups are also handled by AWS and backups are also encrypted at rest.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Renzulli Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 4/1/2021 – 6/30/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Renzulli Learning is an interactive online system that provides students with a personalized learning environment, allowing teachers to easily differentiate instruction to increase engagement and achieve higher academic performance. Renzulli Learning has resources that promote and enable ALL students to pursue their interests, providing equity, innovation and creativity for grades Pre-K through 12. Students are empowered by doing creative, imaginative projects that provide rigorous learning outcomes.

The Renzulli Profiler quickly identifies student strengths, interests, learning and expression styles and then matches each student with thousands of personalized engaging Enrichment Activities. Renzulli Learning features robust student grouping which supports our revolutionary strength-based Project Based Learning (PBL) system.

Research shows that Renzulli Learning benefits all Students including:

  • Gifted and Talented Students
  • High Achieving Students
  • At Risk Students
  • Students with Special Needs
  • English Language Learners (ELL)

Renzulli Learning supports the development of 21st Century Learning Skills for all students, including: critical thinking, creative problem solving, creativity, time management, communication, teamwork, and global competency through our Global Collaboration module. The system has been used by millions of students across the globe, consistently increasing engagement which research demonstrates will lead to higher achievement. Renzulli Learning is available to all students throughout the school year, before, during, and after school, and all throughout the summer as well!

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Renzulli Learning utilizes LightEdge Solutions, Inc., an ISO/IEC 2700:2013 certified company with Corporate Headquarters in Des Moines, Iowa. LightEdge uses several third-party systems to manage data. The systems reside within LightEdge’s internal network and utilize a web-based application only accessible from the corporate network or through a cloud provider using single sign-on (SSO) to access data. Vulnerability assessments and penetration testing are performed on a monthly and annual basis to identify threats. Any identified security vulnerabilities are triaged by their security team and monitored through resolution. Policies are in place that prohibit the transmission of sensitive information over the internet unless it is encrypted. Risk mitigation activities include the identification, selection, and development of control activities that reduce the assessed risks. LightEdge maintains administrative, technical, and physical safeguards to protect confidential information including provisioning, controlling, and monitoring of physical access into the data centers and office facilities.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Replications

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/2021 – 1/2028

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We are providing Community School Support services that include parent outreach, attendance support, and after school programming. We use PII for the purposes of contacting family members so we can coordinate services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Device Security – EDR deployed on every laptop and workstation to provide security throughout the environment. MFA deployed on M365 accounts storing all relevant data within OneDrive & SharePoint. Document encryption capabilities when sharing sensitive data. Training was provided on best practices. BitLocker encryption enabled on all devices in case of loss or theft. Change Management – Access to additional information not previously approved must be approved by a director or manager prior to release.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Rising Ground (for Community Schools services)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2024, extended to 6/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Rising Ground holds two Community School contracts (RFPs 1341 and 1191). A core service of a Community School provider is assistance with student attendance. As such, Rising Ground staff will have access to personal biographic information to contact families regarding students’ attendance. Additionally, Rising Ground staff will have access to Individual Education Plan (IEP) and English Language Learner (ELL) information to assist school administration in assuring plans and supportive services are in place.

Information collection is NOT required to receive services, but rather to assist in student engagement. Personal identifying information (such as names, phone numbers and/or email addresses) is solely used to engage students in the services we provide. Information is kept on a securely-saved electronic spreadsheet and not shared with anyone outside of approved program staff.

All Rising Ground staff are required to be trained and attest to confidentiality protocols which are governed by federal, state and local laws. This includes, but is not limited to, social service law, child welfare, educational (FERPA), health (HIPAA) laws and regulations.

Data may be aggregated for internal reporting purposes. This information is not used for research purposes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Cloud service provider: Expedient. Cloud services solution: IaaS – Infrastructure as a Service (Servers – VMs); DRaaS – Disaster Recovery as a Service Backups for all servers and data.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Rising Ground fully appreciates the importance of sound record management and has strict policies and procedures which ensure that all records are maintained within local, state and federal laws and standards. All personnel, medical, client and financial files are maintained in accordance with our Confidentiality and Document Retention Policies. All records are filed and stored systematically, in fire-proof settings, and only employees in need of access to records are granted such access. Our Confidentiality Policy ensures that employees understand that any personally identifiable information regarding a person’s health, mental health, education, family or employment is considered confidential and that confidential information is protected by the law. Employees are strictly prohibited from inappropriate or unauthorized disclosure of such information. To protect our software, hardware and the confidentiality of staff and client information, all internet access is filtered and monitored using antivirus, anti-spyware programs. Our Documentation Retention Policy ensures that necessary records and documents are adequately protected. Others are safely stored at a record storage facility. All employees are trained in our Confidentiality Policy, and relevant employees are trained in the Document Retention Policy. Both internal and external audits ensure that these standards are observed and that confidentiality is continually maintained.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Rising Ground (for Crisis Management Services)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. As part of City Council’s “Crisis Management Services” initiative, Rising Ground provides trauma-informed therapy and support to teens within two NYC public schools. Our Youth for Change programs offer individual and group counseling on topics such as consent, healthy relationships, self-image, coping skills, healthy masculinity, mediation, and offer socioemotional support. Additionally, we co-facilitate health classes and offer mediation sessions. We also train staff and administrators regarding strategies to integrate healthy relationships and communication skills.

Rising Ground staff do not have access to student records or school systems. As standard counseling practice, personal contact information is collected, from the students themselves, to remain in contact with students (i.e. should they miss a scheduled appointment). This enables a counselor to contact a student when they miss an appointment to ensure they are okay and reschedule. Information collection is NOT required to receive services, but rather to assist in student engagement. There is no access to educational records. Personal identifying information (such as names, phone numbers and/or email addresses) is solely used to engage students in the therapeutic services we provide. Information is kept on a securely-saved electronic spreadsheet and not shared with anyone outside of approved program staff.

All Rising Ground staff are required to be trained and attest to confidentiality protocols which are governed by federal, state and local laws. This includes, but is not limited to, social service law, child welfare, educational (FERPA), health (HIPAA) laws and regulations.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor’s response: “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedure outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Cloud Service Provider – Expedient; Cloud services solution: IaaS – Infrastructure as a Service (Servers – VMs), DRaaS – Disaster Recovery as a Service Backups for all servers and data.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Rising Ground fully appreciates the importance of sound record management and has strict policies and procedures which ensure that all records are maintained within local, state and federal laws and standards. All personnel, medical, client and financial files are maintained in accordance with our Confidentiality and Document Retention Policies. All records are filed and stored systematically, in fire-proof settings, and only employees in need of access to records are granted such access. Our Confidentiality Policy ensures that employees understand that any personally identifiable information regarding a person’s health, mental health, education, family or employment is considered confidential and that confidential information is protected by the law. Employees are strictly prohibited from inappropriate or unauthorized disclosure of such information. To protect our software, hardware and the confidentiality of staff and client information, all internet access is filtered and monitored using antivirus, anti-spyware programs. Our Documentation Retention Policy ensures that necessary records and documents are adequately protected. Others are safely stored at a record storage facility. All employees are trained in our Confidentiality Policy, and relevant employees are trained in the Document Retention Policy. Both internal and external audits ensure that these standards are observed and that confidentiality is continually maintained.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. The vendor checked the box “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Riverside Assessments (also called Riverside Insights)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Riverside Insights uses PII exclusively for the purposes of delivering and improving educational and clinical assessment services. Examples of such uses include rostering students/examinees, inputting assessment responses, scoring assessments, and providing customer service.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

Administrative Safeguards: Riverside follows Role-Based Access Controls, granting access only to authorized individuals who have a need to access information as part of their work responsibilities. Personnel complete regular cybersecurity training, and Riverside conducts social engineering simulations throughout the course of the year, assigning additional training to individuals who fail the simulations.

Technical Safeguards: Riverside conducts quarterly vulnerability scans and annual penetration testing on the application. We are in the process of implementing an end point protection solution provided by SentinelOne and use the Rapid7 suite of products to detect potential incidents and threats. PII is encrypted both at rest and in transit. All data stored on Riverside’s systems is protected with file system, network share, claims, application, or database specific access control lists. Riverside uses email gateway products provided by Sophos to centrally manage spam protection mechanisms, including signature definitions, in order to reduce the introduction of malicious software to client systems.

Physical Safeguards: The application is hosted in SSAE16 SOC 2 Type 2 audited hosting centers. Our third-party managed hosting provider maintains facilities that are designed from the ground up to minimize risk of power and climate control failure. Our hosting provider performs periodic testing and auditing of their facilities. All facilities have full battery and generator power, so in case of an outage, power is maintained indefinitely.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Roads to Success

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 9/07/2023 – 6/26/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Roads to Success is the lead partner at PS/MS 57, the James Weldon Johnson Academy, our only community school located in East Harlem, where we serve 527 students in grades 3K-8. PII is essential for implementing our programs, facilitating targeted interventions through case conferencing, advisement sessions, and data trend observation, ultimately contributing to students' academic success and well-being.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft OneDrive.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The Roads to Success Community School Contract at MS 57 employs a comprehensive approach to protect Personally Identifiable Information (PII) and mitigate data privacy and security risks. While the full details of our safeguards are sensitive and proprietary, we can provide an overview of our measures:

  • Administrative Safeguards:
    • The executive team and our IT department are responsible for overseeing and implementing our data protection protocols.
    • Regular training programs are conducted for all personnel who handle PII, ensuring awareness of data privacy laws, security practices, and our internal policies.
    • Access to PII is strictly controlled and limited to authorized personnel on a need-to-know basis, with user roles and permissions carefully defined and monitored.
    • We conduct thorough background checks and reference screenings for all employees and contractors who handle PII.
  • Technical Safeguards:
    • PII is stored in secure, encrypted databases with access controls and multi-factor authentication mechanisms in place to prevent unauthorized access.
    • Robust firewalls, intrusion detection systems, and advanced threat detection technologies are deployed to safeguard against external threats.
    • Regular software updates and patch management ensure that security vulnerabilities are promptly addressed.
    • Data transmission is encrypted using industry-standard protocols to prevent interception and unauthorized access.
  • Physical Safeguards:
    • Physical access to our data centers and server rooms is restricted to authorized personnel only, with strict access controls, surveillance, and security measures in place.
    • Facilities housing PII are equipped with environmental controls to ensure optimal conditions for data storage.
  • Risk Mitigation:
    • We conduct regular risk assessments and vulnerability assessments to identify and address potential security gaps.
    • Incident response plans are developed and regularly tested to ensure swift and effective actions in case of data breaches or security incidents.
    • We maintain strong partnerships with cybersecurity experts and engage in ongoing threat intelligence monitoring.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Rockalingua

Type of Entity: Commercial Enterprise

Contract / Agreement Start Date: 2/2/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Rockalingua is an educational website for Spanish teachers and students. Through engaging content (videos, songs, interactive games, short stories and more) students will gain proficiency in the Spanish language. We offer two types of teacher subscriptions. The basic teacher subscription includes access to all of our resources and a generic student account so that students can access from their own devices. The Pro account gives teachers access to all of the resources and our learning management system where they can create classes, assign tasks and monitor student work. We have an integration with Google, Clever and Classlink.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and Vercel.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Our platform is NIST SP 800-53 certified, data is encrypted, and we are FERPA and COPPA compliant. Penetration tests are regularly conducted to ensure the security of our system and all personnel are trained annually.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Rosetta Stone

The exclusive purposes for which Protected Information will be used: The exclusive purposes for which “student data” or “teacher or principal data” (as those terms are defined in Education Law Section 2-d and collectively referred to as the “Confidential Data”) will be used by Rosetta Stone, Ltd. (the “Vendor”) are limited to the purposes authorized in the contract between the vendor and the NYC DOE (the “Contract”).

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: The Vendor will ensure that any subcontractors, or other authorized persons or entities to whom the Vendor will disclose the Confidential Data, if any, are contractually required to abide by all applicable data protection and security requirements, including but not limited to those outlined in applicable state and federal laws and regulations (e.g., Family Educational Rights and Privacy Act (“FERPA”); Education Law §2-d; 8 NYCRR Part 121).

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The Contract commences and expires on the dates set forth in the Contract, unless earlier terminated or renewed pursuant to the terms of the Contract. On or before the date the Contract expires, protected data may be exported by the School District in the client facing administrator tool and/or destroyed by the Vendor as directed by the School District. 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Confidential Data provided to Vendor by the School District will be stored in the United States and protected as per the Student Records Data Privacy Policy.

How the data will be encrypted (described in such a manner as to protect data security): The Vendor will apply encryption to the Confidential Data while in motion and at rest at least to the extent required by Education Law Section 2-d and other applicable law.

Saga Innovations (Saga Education)

The exclusive purposes for which Protected Information will be used: Protected Information will be exclusively used for the educational purposes intended within the contracted services, to enable and enhance the tutoring experience of the participating NYC DOE students.
 
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: All subcontractors and other authorized persons will be subject to data protection and security policies and agreements that encompass, at a minimum, the requirements under the non-disclosure agreement with the NYC DOE.
 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The Protected Information will be destroyed, or to the extent requested by NYC DOE and possible, returned to NYC DOE.

 [NYC DOE comment: The current agreement became effective starting on April 15, 2020 and terminates when all NYC DOE schools and/or offices cease using Saga Education’s products/services. The terms of the agreement remain effective through the period during which Saga Education possesses or otherwise is in control of covered protected information.]

 
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information will be stored in the US. Data storage, cloud servers and services are located in state-of-the-art Amazon Web Service (AWS) data centers, or comparable cloud-service provider data centers with many years of experience in designing, constructing, and operating large-scale data centers.
 
Our operations team is trained and experienced with respect to state-of-the-art security mechanisms and policies for cloud-based services. We employ engineers and managers who have worked in other domains with critical security and availability concerns including military systems, satellite communications systems, and the website operations of large multinational companies. 
 
We routinely audit our systems for security vulnerabilities, proactively monitor security-related websites and other outlets for information on new vulnerabilities and best practices, and make system updates as needed.
 
AWS data centers (and all of our production servers and services) are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. When a storage device has reached the end of its useful life, data center procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. 
 
Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network used by our systems. We use a wide variety of automated monitoring systems to provide a high level of service performance and availability. These monitoring systems are designed to detect unusual or unauthorized activities and conditions at ingress and egress communication points. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts. Our systems are extensively instrumented to monitor key operational metrics. Alarms are configured to automatically notify operations and management personnel when early-warning thresholds are crossed on these metrics. AWS security monitoring tools help identify several types of denial of service attacks, including distributed, flooding, and software/logic attacks. Woot Math and AWS have additional protections in place against common attack vectors including Distributed Denial Of Service Attacks, Man in the Middle Attacks, IP Spoofing, Port Scanning, Packet Sniffing, Injection Attacks, and Cross-Site Scripting Attacks.
 
Our systems are architected for high availability; their core systems are deployed in N+1 and N-to-N redundancy configurations; and the system is protected against single points of failure. Servers are maintained across multiple availability zones. The availability zones are all redundantly connected to multiple tier-1 Internet providers. In addition to discrete uninterruptible power supply and onsite backup generation facilities, each is fed via different grids from independent electrical utilities. Because of this architecture, our services are resilient in the face of most failure modes, including natural disasters or system failures.
 
We have, in addition, a comprehensive disaster recovery strategy. We have push-button automation for stand-up and tear-down of our entire production server and service environment, and we can quickly and easily build out our infrastructure as needed in new geographical regions. We routinely test our disaster recovery capabilities by standing up a new server in a new data center and restoring all data from backup. Nightly backups of all customer data are securely stored in multiple geographic regions within the US.
 
Changes to Woot Math systems are typically pushed into production in a phased deployment sequence, with careful monitoring and testing throughout the phases. Rollback procedures for production deployments are automated and documented.
 
How the data will be encrypted (described in such a manner as to protect data security): Protected Information in electronic form will be encrypted both in transit and when at rest in databases or similar electronic storage environments. All user data and communicated website data is sent over secure HTTPS and SSL protocols that are designed to protect against eavesdropping, tampering, and message forgery. Password credentials are securely encrypted using cryptographic hashes and protected with variable cryptographic salts. Non-reversible hashes of more sensitive information (email addresses, phone numbers) are used in place of the actual data within our systems to the greatest extent possible.

Sam Labs

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SAM Labs software app “SAM Studio” is an educational coding platform for kindergarten - 8th grade students to learn the basic foundations of coding, allowing students to pair with hardware blocks to bring the code to life. Our lessons range across different focus areas of STEAM and Computer Science, and can be used in specialist courses like STEM Specials, Computer Science Class, general education environments, and Makerspaces.

We are a subscription service. In order for students and teachers to access the platform, we only require an email address. Teachers are currently rostered by our Customer Success team once the subscription date is set. This includes the teacher name and email aligned to the school NCES ID. The teacher’s name can be any chosen username that will appear in their account profile. This does not need to be the teacher’s real name; it can be a chosen username or nickname if desired. Once rostered, then teachers and admin will have instant access.

Teachers can manually create classes and upload student rosters on their own. When rostering, the only PII required from students is a working email. SAM Labs will never send email to these student accounts; this is only to create a unique identifier for the student being rostered. The student’s name can be any chosen username that will appear in their account profile. This does not need to be the student’s real name; it can be a chosen username or nickname if desired as the teacher uploads the roster. Once the .csv is uploaded, the student can access the account with the same email address.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. SAM Labs is like a superhero for your data! We understand that your information is precious, and we have a number of ways to keep it safe, just like a superhero protecting the city.

  • Magic Shields (Encryption): We use a sort of magic shield called ‘encryption’ that scrambles your data into a secret code while it’s being sent or stored. Only the right ‘key’ can unscramble it, so it’s safe from bad guys trying to peek!
  • Secret Passcodes (Access Controls & Authentication): Just like a secret superhero base, only people who really need to see your information can access it, and they need special passcodes. We also double-check everyone’s identity before letting them in!
  • Super-Secure Fortresses (Physical Security Measures): We team up with Amazon Web Services (AWS), who provide us with super-secure fortresses (data centers) around the world to store your information. These fortresses have top-notch security like fences, guards, cameras, and even environmental controls to protect against things like fire.
  • Time Capsules (Data Backup and Retention): We regularly put copies of your data in a digital ‘time capsule’, just in case we need to go back in time and restore any lost information.
  • Security Check-ups (Regular Security Assessments): Like regular health check-ups, our security experts regularly inspect our safety measures to ensure they’re still super strong. At SAM Labs, your data’s safety is our mission. If you have any questions about how we keep your information safe or want to report any issues, feel free to contact us at privacy@samlabs.com. We’re here to help!

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Samuel Field YM & YWHA

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Samuel Field YM & YWHA has worked to identify key PII, as defined in 34 CFR § 99.3, that it must receive to provide contracted services to youth and families. Services provided will include counseling and interventions with key personnel including social workers, to develop and implement afterschool activities, special community events, family engagement and referral to community resources and linkages. The collection of key PII will allow for us to appropriately record and track enrollment, attendance data and facilitate counseling. Where appropriate, PII data collection will be collected through the program’s informed consent application, which includes parent consent to disclose student and family names; addresses; and student information including DOB, race/ethnicity, gender, disability status, English Language Learners status. The collection of this key PII will allow for the program to efficiently report on key cohort characteristics and to make certain that recruitment and service delivery effectively target/address the populations targeted for this proposal submission. The purpose of the collection of student and family names will be used to ensure record attendance and safe sign-outs of the program daily. This data is essential to ensure that our program provides a safe and secure environment for all students that we serve. Key staff will utilize this data to make sure that students are appropriately accounted for at all times while scheduled to be in programming. It is imperative that attendance data is collected as it directly informs the culmination of key program outcomes, including the number of students that participate in services for the target hours of service as well as attendance performance indicators for specific categories.
Due to the nature of the service, it is possible that counseling notes will include PII as defined as “Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.” These notes are necessary to ensure continued, effective mental health support for those receiving the services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Exponent Partners/Salesforce.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

  • A child’s PII will be collected and disclosed only as necessary to achieve educational purposes in accordance with state and federal law.
  • A centralized staff person is responsible for supervision and monitoring appropriate safeguards, policies, and practices in place to protect the data.
  • Staff will participate in mandatory 2-part training about applicable laws, policies, and safeguards associated with industry standards and best practices; consistent with NYC DOE’s data security and privacy policy.
  • Encryption, firewalls and password protection will be mandatory for all emails and cloud usage to electronically transmit sensitive PII information.
  • Samuel Field YM & YWHA, Inc. will not maintain copies of participant’s PII once PII is no longer needed for the educational purpose/ for which the DOE has disclosed PII.

Samuel Field YM&YWHA Inc. invested in a highly secure system, Exponent Partners. Exponent Partners is a system that requires unique usernames and passwords that must be changed frequently for protection. Access to programs and permission settings will be determined by staff and administrative usage; staff will only receive access to PII as needed to perform their job responsibilities. All data is naturally encrypted while being stored in a user access system via secure HTTPS connection. In addition, there is regular security code scanning to assess if there are any susceptibilities in the system.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Savvas Learning Company

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2022 – 6/30/2029

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Savvas provides K-12 instructional materials and related services to the DOE, some of which require PII such as student and teacher names in order to facilitate instruction and to track students’ performance.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Savvas will store PII on servers in a secured facility in the United States operated by a world-class hosting provider. Savvas will maintain an information security program of policies, procedures and controls governing the processing, storage, transmission and security of data (the “Security Program”). The Security Program includes industry-standard practices designed to protect data from accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access. Savvas regularly tests, assesses and evaluates the effectiveness of the Security Program and may periodically update the Security Program to address new and evolving security threats, technology and practices. No such update will materially reduce the commitments, protections and overall level of security provided to customers.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

SCAN-Harbor

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SCAN-Harbor provides services under the Community Schools strategy demonstrating that an integrated focus on academics, health and mental health services, social services, expanded learning opportunities (afterschool and summer enrichment activities), positive youth development, and family and community partnership, is critical to improving student achievement and bolstering equitable outcomes for all students, including vulnerable populations.

PII is being accessed to assess need and to track service outcomes. Data is used to identify students with low and chronic attendance, to provide food, clothes and toiletries to those students that live in temporary housing and services to the students in need of mental health counseling.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft 365 OneDrive.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Some physical files used are maintained by SCAN-Harbor, and others are owned by the New York City Department of Education. Physical files managed by SCAN-Harbor are housed in a locked file cabinet in the Program Office. Digital data is stored electronically via a secured cloud-based program whose encryption at rest and in communication uses Advanced Encryption Standard (AES) with 256-bit keys and is Federal Information Processing Standard (FIPS) 140-2 compliant. This policy only applies to those in SCAN-Harbor's exclusive possession. At the end of the retention period determined by the contract or upon request, SCAN-Harbor will return and securely delete or destroy PII. All information will be returned to the NYC DOE after the agreed retention period, or at such point that the data is no longer needed for the purpose referenced in this agreement, or, at the sole discretion of DOE, securely destroyed. All electronic data is purged from the network in a manner that does not permit retrieval of the data following these procedures.

Secure Deletion: Electronic data is securely erased using industry-standard data destruction methods. This may involve overwriting data multiple times or using specialized software to ensure data cannot be recovered.

Deletion Timeline: Once a file in OneDrive has been marked for deletion, it is placed in a recycling bin as a means of recovery for accidental deletion. After 30 days the file is securely deleted and cannot be recovered even by IT administrators.

All paper files will be shredded using SCAN-Harbor's secure data shredding system.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Scholastic Inc (for digital curriculum)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

  • BookFlix: Pairs animated stories from Weston Woods with best-selling nonfiction ebooks from Scholastic to build real-world knowledge and early literacy skills.
  • FreedomFlix: Offers a range of text types and media on more than 70 key social studies topics spanning ten areas of core-curriculum study.
  • LitCamp Powered by Literacy Pro: Combines reading and writing lessons (K-8) with a fully digital summer school approach to accelerate learning. Children are immersed in personalized learning experiences while building their social-emotional skills, knowledge and vocabulary necessary for reading comprehension success.
  • PreK On My Way: A new comprehensive program that welcomes every child into the classroom, celebrating their strengths as they take the next step on their learning adventure!
  • Rising Voices Libraries: Provide students with high interest, culturally relevant texts that give context to today’s world while celebrating the stories of the historically underrepresented. These books, paired with innovative teaching materials aligned to the CASEL framework, build a classroom community that broadens the world for students from all backgrounds and enables deep discussions on inclusivity, social justice, and empathy for others. Each Rising Voices collection includes a digital resource website featuring mentor videos, continued-learning resources, discussion guides, standard correlations, and more to help teachers implement the program.
  • Scholastic F.I.R.S.T.: Foundations In Reading, Sounds & Text, is a highly adaptive, foundational reading program for Grades PreK–2. Through explicit phonemic awareness training and systematic phonics instruction, F.I.R.S.T.’s research-based pedagogy trains the brain to master “speed of listening.” Students become automatic in their decoding skills, preparing them to read fluently and increase their reading comprehension.
  • Scholastic GO!: Offers credible, accurate, reliable content on every core-curriculum topic in a clean, easy to navigate interface.
  • Scholastic Literacy: A unique blended learning approach to standards informed comprehensive literacy instruction with a focus on balancing the rigor and flexibility that educators need to meet today’s high expectations. With unparalleled access to authentic and culturally relevant texts in every area of the literacy block, Scholastic Literacy is designed to engage readers, support social-emotional development, and help students become lifelong independent thinkers, readers, and writers.
  • Scholastic Literacy Pro: A blended solution for Grades K–8 that empowers teachers to ensure effective reading for all students—in and out of school. It provides students with a single resource to read ebooks and track reading progress on both print and digital titles, while giving teachers real-time, actionable data about reading levels, activities, and comprehension.
  • Scholastic Magazines+: A blended, subscription-based solution that ignites student engagement through relevant, high-interest stories and powerful digital teaching tools. Magazines in print and digital are available for grades PreK-12.
  • Scholastic RISE: A short-term intervention that provides targeted, small-group instruction in reading comprehension, word study and phonics, and guided writing. Based on Jan Richardson’s The Next Step Forward in Guided Reading, the RISE framework offers daily instruction for students who are reading six to 36 months below grade-level benchmarks. With RISE Online, instructors can assign students texts, monitor student progress, and access videos and other resources to easily facilitate remote instruction. Students can access assigned texts for extra reading practice on any device.
  • Scholastic W.O.R.D.: Supercharges vocabulary acquisition and strengthens reading comprehension in a new and engaging way. With a thematic approach, W.O.R.D. prepares students to think critically and creatively about the world around them. By providing deep background knowledge, W.O.R.D. presents vocabulary as a tool for building meaning across all areas of learning—reinforcing students’ retention of skills learned throughout the school year.
  • ScienceFlix: Integrates age-appropriate scientific content, interactive features and intuitive navigation to build knowledge and a lasting interest in scientific discovery.
  • Short Reads Digital: Engages classrooms with access to fiction and nonfiction short texts at every guided reading level, and extends learning with teacher materials to accompany each text.
  • The Scholastic Leveled Bookroom 5.0: A whole-school (K-6), small-group instructional system with over 6,000 books, 780 short reads, 24/7 access to instructional resources with the digital Accelerator, and professional books and services.
  • TrueFlix: Provides thousands of resources to strengthen both educator instruction and student learning of science and social studies content-area knowledge.
  • Watch & Learn Library: Builds learning excitement while providing the background knowledge and vocabulary necessary for reading comprehension success.
  • LitLeague: LitLeague is an exciting new program that provides a joyous and interactive literacy experience for students in an engaging social-emotional literacy learning environment where children participate in book-related activities including read-alouds, group discussions, independent reading, writing activities, games, and songs. Tailored for expanded-learning times, after-school, extended day, English language learners, and more.
  • Next Step Guided Reading: The Next Step Guided Reading Assessment uses the proven Assess-Decide-Guide teaching system to determine students’ reading levels and target instructional next steps. From the key text features in the assessment texts to the evidence-based comprehension questions, the Next Step Guided Reading Assessment provides teachers with a way to assess students and teach them the skills to meet higher standards.
  • Scholastic Edge: Using engaging, authentic text, EDGE connects striving readers to relevant and essential content needed for future academic success.
  • Scholastic REAL: REAL (Read, Excel, Achieve, Lead) is a new program devoted to giving school districts the tools needed to recruit, encourage, and equip mentors to inspire students and build literacy skills.

Scholastic collects PII to provide students and teachers with access to its digital education technology products to support the BOE’s educational goals, to benefit its students, and to support product users. More specifically, PII is used, subject to applicable law and any contractual requirements:

  • To support instruction and adaptive, personalized learning
    • By enabling administrators and educators to tailor and optimize use of the products to the needs of a particular school, classroom or student
    • By permitting educators to review student work and monitor student performance and progress, to facilitate lesson planning
    • By providing reporting capabilities at the district, school or class level (depending on the product), including in some cases cross-product performance data
    • By enabling students to access information shared by their teachers (assignments, content), track their progress, maintain files of their work, create book collections and play educational games
    • By suggesting other content or activities to students (but not for purchase or in the form of advertising)
  • To authenticate users, maintain user sessions and facilitate return access
  • To communicate with Scholastic’s education customers (teachers/BOE personnel only, not students)
  • To ensure products run properly and support optimal user experience
  • To diagnose problems, troubleshoot issues, and provide maintenance and support
  • To detect and investigate unlawful activity and protect the security of Scholastic’s products, systems and customers
  • To calculate royalties

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the Entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law. The Entity also states that “In some circumstances, with permission of the education customer, student PII may be retained to facilitate rostering in a subsequent period and/or resumption of product use. Teacher/BOE staff PII may be retained as part of the parties’ business relationship and/or in connection with separate accounts such persons may have with Scholastic. Note, data deletion/destruction may take the form of permanent, irreversible overwriting or de-identification to the extent permitted by law.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. These safeguards include standards that align with the NIST cybersecurity framework. Protected data is encrypted in motion (currently with TLS 1.2 encryption) and at rest (currently with 128-bit AES encryption). Processor conducts periodic risk assessments and keeps audit trails and security logs to assess and remediate vulnerabilities and to protect data from deterioration or degradation. Additional measures include firewalls, anti-virus and intrusion detection, configuration control and automated backups. Data is classified by sensitivity, and access to data is rule- and role-based.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

School Data Corp

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. School Data Corp. helps schools see how well students are performing over the course of the school year. We track how well they are reading, writing, or performing on the tests they take. We put this information in a teacher‐friendly format so teachers and principals can see which students are doing well, and which students need additional help or support. I need PII so that I can identify individual students by their ID number to generate reports and assign them to their subgroups.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. “School Data Corp. uses Dropbox, but the information within Dropbox is encrypted and cannot be accessed or read by anyone at Dropbox. There is no sharing of unencrypted PII.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the Entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Dropbox.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All emails are encrypted. All data stored is encrypted. Our network is protected by a firewall. No paper records are maintained.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

School Specialty, LLC (for Coach Digital and Catch Up with Coach)

The exclusive purposes for which Protected Information will be used: Coach Digital Platform allows students to access tests and workbook pages online for instruction, practice, or assessments. Teachers will assign content to students and use this data for progress monitoring, assessment reporting, and targeting educational gaps.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: School Specialty maintains the necessary administrative and technical requirements to safeguard the security and privacy. Our teams work on company devices or virtual desktop environments within a secure VPN and two-factor authentication. Only Platform Developers and Support Admin roles can access PII to support customers. School Specialty staff participate in an annual code of ethics certification for protecting company information and data. All data on the platform is either protected via SSH or SSL connections for intraplatform communication and via HTTPS for web communication. School Specialty staff must sign Non-Disclosure Agreements, pass a background check, and participate in a companywide Security Awareness certification annually. All contractors must adhere to company Master Service Agreements and SOWs.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: [DOE comment: School Specialty’s agreement with the DOE is dated March 8, 2021]. Data is encrypted and deleted at the request of school or school district. 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: School Specialty, LLC will use Clever Rostering for student and teacher data. Data in Clever is shared at the discretion of NYC DOE. Data shared from NYC DOE SIS. School Specialty, LLC will work with the NYC DOE in processing challenges to the accuracy of student data.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): The Coach Digital Platform is hosted on a domestic Amazon Web Service Environment. The Amazon VPC Environment has Enterprise Level Support and 24/7 Managed Services for Security VPC, VPN, Firewall, and endpoint Management.

How the data will be encrypted (described in such a manner as to protect data security): The data in motion is encrypted with TLS 1.2. The Coach Digital Platform collects minimal data and will utilize Clever Secure Sync and SSO [Single Sign On]:

  • Teachers and Administrators: First and Last Name and Clever ID
  • Students: First and Last Name, and Clever ID.

The Coach Digital Platform utilizes AWS SSL and the VPC ELBs have Security Groups with least privileges enabled. Connectria LLC is in the process of finalizing a proposal to be fully compliant with this requirement.

School Specialty (for ThinkLink)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 10/5/2023 – 10/4/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ThinkLink is an online learning management system which students use to access content specific to their learning. PII is used to track student performance.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Administratively, we have robust policies and procedures that are overseen by a team of security professionals, ensuring stringent management and monitoring of access to PII.

Technologically, we utilize state-of-the-art encryption methods and firewalls. We also employ physical measures to secure our premises and data centers, ensuring that only authorized personnel have access.

Additionally, we employ proactive strategies such as intrusion detection systems and vulnerability scans to identify and address potential security risks before they escalate.

Periodic reviews and audits are conducted to ensure that our security measures meet or exceed industry standards and regulatory requirements.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Schoolbinder (also called TeachBoost)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 10/1/2022 – 9/30/2029

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. TeachBoost is a performance management and educator development platform for K-12 schools. We work with NYCDOE schools and organizations to help them completely manage the evaluation, feedback, coaching, and development process for their staff, educators, and other support personnel. TeachBoost also works alongside the NYCDOE’s ADVANCE reporting system, handling the compliance requirements for DOE administrators.

We request, store, and process DOE employee PII for the sole purpose of providing these performance management and operational services. For instance, we request and store staff rosters and employee names and email addresses for employee user accounts, and we request, store, and process employee evaluation ratings as entered by DOE staff and administrators.

Type of PII that the Entity will receive/access: APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Amazon AWS and Linode.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We protect PII in a number of ways, summarized on our Data Security commitment at https://teachboost.com/terms/data-security.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

SchoolCNXT 

 
The exclusive purposes for which Protected Information will be used: All PISI will be used to provide the SchoolCNXT family engagement services.
 
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: SchoolCNXT agrees that all subcontractors will be bound to and comply with the requirements set forth herein.
 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: SchoolCNXT will house and maintain the data until the NYC DoE requests in writing that the data be destroyed. Insofar as there may be temporary lapses in the agreement from year to year, SchoolCNXT will abide by the most recent agreement in letter and spirit until a new one is executed. 

[NYC DOE comment: The current agreement became effective starting on September 23, 2019 and terminates when all NYC DOE schools and/or offices cease using SchoolCNXT, Inc.’s products/services. The terms of the agreement remain effective through the period during which SchoolCNXT, Inc. possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All NYC DoE data is stored in the United States. 
 
How the data will be encrypted (described in such a manner as to protect data security): All data is encrypted both in transit via SSL and at rest at the database and disk levels utilizing encryption services provided by AWS.

SchoolMint (also called SchoolRunner)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Schoolrunner is a comprehensive data management system that simplifies day-to-day operations with straightforward, powerful and actionable data. Schoolrunner makes it easy to track attendance, student behavior, grades, and more. School administrators can easily see where students or teachers are struggling and can provide the support they need. Parents can see how their kids are doing via a real-time feed in the mobile app and can even get notifications when attendance or grades drop below certain thresholds.

The system allows for greater ease of use than current systems and also offers more flexibility so that schools can use data to achieve their goals. For example, some schools want to move to a mastery-based grading system which Schoolrunner supports. Schoolrunner also offers parents communication with built-in automated language translation to any of over 100 languages.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Users and employees are permissioned to access the information they need based on their role in the system while restricting them from accessing information not needed for their role. Data and backups are encrypted in transit and at rest. Access to key infrastructure services is limited to a small number of engineering leaders and is protected by multi-factor authentication. Monitoring, logging, and alerting systems provide additional layers of security.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

SCO Family of Services (Learning to Work)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2023 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SCO’s LTW program is designed to complement the academic component of each transfer high school. The program aims to provide support to over-aged and under-credited students, helping them complete their academic requirements to earn a high school diploma. Our LTW program assists students in acquiring the tools and competencies needed to succeed in their pursuit of postsecondary education, training, and career development. PII is essential for coordinating educational efforts, offering internship opportunities, and monitoring attendance and academic progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. SCO has implemented the following safeguards to protect the security of PII:

  • Administrative Safeguards:
    • A designated Security Officer and Privacy Officer responsible for the development and implementation of privacy and security policies and procedures that outline how PII is collected, used, stored, and shared.     
    • Access to PII is limited to authorized individuals on a need-to-know basis and only as permitted under the law.
    • All SCO employees and contractors who access PII receive training on SCO’s policies and procedures and Federal and State laws governing privacy and security of PII.
  • Physical Safeguards:
    • Established rules for authorizing and restricting access to SCO’s computers, network, applications, workstations, mobile devices, and areas where PII is accessible.
    • Policies and procedures to ensure that PII stored or transported on storage devices and removable media is appropriately controlled and managed. 
    • SCO requires the use of keycards to access locations where data is stored.
  • Technical Safeguards:
    • SCO utilizes internal and external systems that are inaccessible to unauthorized individuals, including assigned User ID and passwords, firewalls, anti-virus protection and multi-factor authentication.

SCO uses encryption of data in transit and storage, access controls, and regular and encrypted backups.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Scoir

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 3/1/2022 – 2/28/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Scoir provides a software-as-a-service platform intended to guide high school students in their post-secondary pursuits (the “Services”). The Services enable students to search for and learn about collegiate, scholarship, and career opportunities; to engage with high school counselors and college admissions representatives during the college selection and admissions process; to solicit from high school faculty and administrators the creation and delivery of application-related documents; and to create, manage, and submit their applications for admission to institutions of higher education. The Services include a college guidance management system that enables high schools and their affiliated organizations to monitor and assist students in their post-secondary planning; to engage and collaborate with students, parents and guardians, and college admissions representatives; to manage the creation and delivery of application-related documents to colleges; and to collect, analyze, and report on student engagement, academic achievements, and application outcomes.

Type of PII that the Entity will receive/access: Student PII, and at the discretion of BOE, Processor may also receive/access:

  • Names, title, and email addresses of school teachers and/or administrators; and
  • Names, addresses, and email addresses of parents and guardians.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Scoir maintains an Information Security program to ensure that we are continuously monitoring and mitigating risk as a company. As part of that, Scoir maintains several layers of security around the information we store and process. Scoir will provide security and privacy training for our employees to teach the importance of securing PII. Scoir follows the principle of least privilege for access to our data and systems, and this access is reviewed at least annually. Scoir uses several layers of technical controls such as industry standard encryption, system monitoring, code reviews, automated testing, etc. to protect our data, systems, networks, and other infrastructure. As part of our Information Security program, Scoir will reassess risks to all of our systems at least annually and enhance controls as necessary.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Seesaw Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

  • General Description: Seesaw is the most intuitive, robust and easy to use cloud-based K-5 digital portfolio in the education space. Seesaw Lessons are Standards-Aligned, Ready-to-Teach & Flexible supplementary curriculum resources that are designed for PK-5th grade classrooms. Lessons adapt to whole class, centers, and independent learning in any setting.
  • Account Information: When teachers, parents, family members, or school administrators create an account on Seesaw we collect their name, email address, password, and profile picture. Seesaw may also collect an adult user phone number if it's entered into their Account Settings. Teachers using Seesaw to communicate with Families may add a family member’s email or phone number to Seesaw in order to send messages or updates about school work to the appropriate parent or family member. Students cannot create an account by themselves, but must be invited to a Seesaw class by a teacher or school administrator. Where students have permission to use Seesaw, Seesaw collects personally identifiable information about them including their names, email addresses, and profile picture. This information may be entered by a teacher or the student or populated from the student’s account with a third party sign-in service, such as their Google account.
  • Journal Content: Seesaw collects content that is added to a class or student journal. This content may be photos, drawings, files, notes, hyperlinks, and other ways of documenting student learning. Seesaw regularly adds types of information that can be uploaded to a Journal, and these are all covered by this Policy. Comments on posts in a class journal are also collected. These comments may be text, or if Seesaw is allowed to access the microphone on the device, voice recordings. Journal Content that is uploaded by a student or teacher may be considered a student education record as defined by FERPA.
  • Messages: Seesaw collects messages that are sent and received in Seesaw by teachers, family members, and students.
  • Activities: Teachers may use Seesaw to create activities to use with their students. Activities may include text or voice instructions for how to complete the activity, an example of a correct response or a template for students to edit.
  • Activity Author Profiles: Teachers who choose to publish activities to the Community Activity Library or the Activity Library managed by their school or district can also create an Activity Author Profile. This includes the name and profile picture they choose to publish on their Author Profile, as well as their school name and location.
  • Communications: Seesaw collects any information sent to us directly, such as email communications.
  • Information from a user's Google Account or other Third-Party Sign-in Service: Seesaw allows teachers, parents, family members, and students (after being invited by a teacher) to sign up for and log into our service using a Google or Clever Account. Teachers can also create student accounts on behalf of students in their class. When Seesaw creates an account using one of these Third-Party Services, we use the name, profile picture, and email address (if available) provided by these services.
  • Log Data: When using Seesaw, log data is received such as IP address, browser type, operating system, device information, and mobile carrier. In addition, information such as the referring web page, referring search terms, and pages visited may be received or collected. If Seesaw is being used by a teacher, parent, or administrator, Seesaw may use that IP address to determine the approximate location for the purposes of sending customized marketing and other information about our products.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Seesaw routinely conducts 3rd party security audits to verify the security and integrity of our systems and internal controls. Data is stored in access-controlled data centers operated by industry leading partners with years of experience in large-scale data centers with 24/7 monitoring. We routinely monitor our systems for security breaches and attempts at inappropriate access. Journal content (e.g. photos, video, audio, and other content added to a Seesaw journal) is encrypted in transit and at rest. Seesaw uses TLS 1.3 security at the network level to ensure account information and journal content is transmitted securely. We have also adopted an internal data access policy that restricts access to personally identifiable information to a limited number of employees with a specific business need (such as for technical support). Data is also accessible to our sub-processors, who are required to sign a Data Processing Agreement that limits their ability to access and use data.  

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Shutterfly Lifetouch

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Shutterfly Lifetouch, LLC ("Lifetouch" or "Entity") is a trusted provider of school photography services throughout North America since 1936. In preparation for Picture Day, Lifetouch collects certain roster data from the school or district, to be used solely as follows:

  • To produce and deliver to schools the products and services as described in the Photography Services Agreement (the "School Deliverables");
  • To deliver Picture Day notices on behalf of the school and provide parents of students photographed opportunities to purchase student and class pictures and yearbooks;
  • To verify parent authorization to order student photographs; and
  • As otherwise specified by the Agreement.

For the avoidance of doubt, this Agreement does not apply to (a) information collected from customers who opt to purchase products directly from Lifetouch and/or establish a Lifetouch family account; or (b) Lifetouch photographs, except as incorporated into the School Deliverables.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Lifetouch has implemented a variety of physical, technical, and organizational security measures to help protect School Data from unauthorized access and use.

  • Facilities. Lifetouch produces portraits and School Service Items within its own U.S.-based photo labs. Lifetouch data, including School Data, is maintained in cloud-based storage or in on-premises data centers that meet or exceed industry standards for cybersecurity. All facilities and systems are protected by strong physical security controls such as restricted role-based access, ID cards, entry logs and video monitoring. We have a secure backup process and utilize high availability systems and equipment to maintain availability.
  • Networks. Devices storing or providing access to School Data are protected with the same multi-layered security strategies that we use to protect Lifetouch's sensitive and confidential business records. Image databases supporting our photo processing labs and websites are separated from associated data files containing identifiable information, and all databases are protected by firewalls, monitoring, vulnerability scanning and authentication procedures. We apply intrusion prevention methods and perform regular network penetration testing and code scanning on a periodic basis using both internal and authorized third party testing services and. Our systems enable secure transmission of School Data from and to the Lifetouch network with encryption technologies. School Data is segregated from other databases in our systems and is securely disposed of when no longer needed. Devices or media containing or accessing School Data are password-protected and encrypted and stored in secure, locked areas when not in use. Laptops and tablets used by our field are also protected by software that, in the event of theft, notifies Lifetouch immediately if the device is connected to any network and allows Lifetouch to remotely erase the device.
  • Personnel. Lifetouch's policy is to collect, use, and disclose personal information only in ways that are consistent with our respect for an individual's privacy. We require Lifetouch employees to sign confidentiality agreements as a condition of employment, and we provide training on the appropriate use and handling of School Data. Access to School Data is limited to those who need it to perform their jobs, and our employees are instructed to only access School Data through secure channels (like the Lifetouch Portal). We also take appropriate measures to enforce these policies.
  • Enterprise. A comprehensive set of IT policies based on ISO 27001/2, PCI-DSS, OWASP and/or NIST frameworks and standards, as applicable, governs information systems practices and procedures throughout the Lifetouch enterprise. Additionally, Lifetouch partners with secure payment processing platforms like PayPal to handle payment card data when the families we serve make their portrait purchases. Additionally, the Lifetouch Portal is designed and maintained to exceed the standards of the Software & Information Industry Association's Best Practices for the Safeguarding of Student Information Privacy and Security for Providers of School Services.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Signal Vine, Inc.

The exclusive purposes for which Protected Information will be used: Segment contacts, personalize and trigger outgoing text messages to students and/or parents. [NYC DOE Comment: Signal Vine is a tool used to engage and communicate with students, families, and staff.]

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: No subcontractors have access to NYC DOE personal data. Signal Vine staff access is limited to the team supporting your account. All access is logged.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Protected Information is removed from the platform within 30 days of the expiration of the agreement, and cycles out of backups 14 days later.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information will be stored within the United States. All data is stored on Amazon Web Services and conforms to SOC 2, ISO 27001 and DoD standards.

How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted at rest via Amazon’s TDE service and in transit via TLS 1.2+

SimTutor

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SIMTICS is a cloud-based service with simulations and other supporting media, designed for learning how to perform clinical and medical imaging procedures. The Service is provided by SimTutor Inc (SimTutor). Each SIMTICS module covers one procedure, skill or topic. In most cases a module contains the following media: Video demonstration of the procedure; Explanatory text; Anatomy images related to the procedure, in 2D and 3D format; A multi-choice quiz; Simulation scenarios for the user to learn and practice the procedure interactively and test their skill.

The school provides us with student first/last names and a DOE-issued email address, so students have a unique username and their in-app activity can be tracked individually and kept separate from other students’ data. The SIMTICS system tracks the user’s activity in the app (study time, and scores in simulations and quizzes). Each learner’s activity data is recorded in their personal SIMTICS logbook and can be accessed only by that named user and by teachers and administrative users with the necessary privilege.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. SimTutor is SOC 2 certified and has robust systems, system architecture, and procedures in place to ensure student data is protected. SOC 2 is a compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data. SOC 2 certification is the result of a detailed annual audit by a qualified third party auditor. SimTutor has been SOC 2 certified for three years.

Our information security procedures to protect PII cover the following areas:

  • Data classification – at SimTutor, school/student data is classified at the highest level of confidentiality, above our own company data
  • Selection, documentation, and implementation of security controls
  • Daily security checks of our systems and infrastructure
  • Annual assessments of security controls and updates as necessary
  • Careful authorization, changes to, and termination of information system access
  • Maintenance of restricted access to system configurations, user functionality, master passwords, powerful utilities, and security devices
  • Management of user access and roles – only employees with a job requirement (i.e. customer and technical support) are given access to PII
  • Security training is part of employee onboarding
  • Maintenance and support of the security system and necessary backup and offline storage
  • An incident response system, tested at least annually, to ensure rapid action in the event of an issue occurring.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Smartest EDU (also called Formative)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: Starting 10/3/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Normal operation and use of Formative’s platform, including reporting on student performance. Formative receives data such as student names, logins, emails, and work generated within the platform. We use this data to allow teachers to assign assessments within the Formative platform, create performance reports, and ensure that rostering within Formative aligns with rostering in Clever, Classlink, or other systems.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Formative’s IT Security and Data Privacy strategy prioritizes detection, analysis, and response to known, anticipated, or unexpected threats; this strategy also emphasizes the effective management of risks as well as resilience against data incidents. Formative continuously strives to meet or exceed the industry’s information-security best practices and apply controls to protect our clients and the organization. Formative reviews its systems against applicable state, federal, and internal regulations as well as against controls associated with NIST CSF, SOC2, ISO, GDPR, FERPA, CCPA, CPRA, CPA, VCDPA, and UCPA. Formative maintains an Information Security and Privacy Program which, along with security personnel embedded in each of our business units, consists of a centralized group that establishes information security mandates, evaluates adherence to these mandates, and detects & responds to incidents. Formative frequently adjusts this program to ensure ongoing suitability. The Information Security and Privacy Program regularly assesses the sufficiency of Formative’s controls.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

SOLVED Consultancy

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SOLVED helps school administrators and teachers analyze student data so that they can make better instructional decisions based on this data. Schools have multiple data sources from different assessments administered throughout the year. In order to use data efficiently and effectively to inform instructional practices and the use of resources and to analyze student data, SOLVED developed the Assessment Dashboard, which is a platform built within the NYCDOE servers using Google Data Studio (which is part of the Google Workspace Cloud where all NYCDOE accounts and information live). This platform helps Principals, Assistant Principals, and Teachers to look at all their students’ assessment information in one centralized location. Only staff belonging to individual schools are authorized to access their platform, and never parents, guardians, or students.

SOLVED needs to have access to this PII to build this platform for schools. SOLVED displays the PII received in the Assessment Dashboard and this PII does not leave the NYCDOE servers as it is uploaded to the NYCDOE Google Cloud and SOLVED uses Google Data Studio to display PII to Principals, Assistant Principals, and Teachers who are authorized to log in with their @schools.nyc.gov accounts (which are Google accounts).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. “SOLVED uses the NYCDOE’s Google Workspace Cloud to store PII, which are part of the NYCDOE servers. Google Workspace Cloud is a subcontractor for the NYCDOE. The PII does not leave the NYCDOE servers.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “None of the PII that SOLVED is given leaves the NYCDOE servers as it is stored in the Google Workspace Cloud of the NYCDOE. Hence, there is no data return because the data does not leave the NYCDOE servers.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. “SOLVED uses the NYCDOE’s Google Workspace Cloud to store PII which are part of the NYCDOE servers. Google Workspace Cloud is a subcontractor for the NYCDOE. The PII does not leave the NYCDOE servers.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The PII is stored in the NYCDOE’s Google Workspace Cloud and the NYCDOE servers. Hence, many of the technical (i.e. data encryption) and physical (i.e. physical servers) safeguards to keep this data safe is controlled by the NYCDOE.

SOLVED has multiple administrative and operational safeguards to ensure the highest rigor of data protection. These are:

  • For all roles within SOLVED, the hiring process ensures the candidate has the necessary competence to perform the role and can be trusted to take on the role, especially for roles related to the use, management, or protection of data or PII. Data protection responsibilities are communicated to employees as part of the on-boarding process.
  • Background checks are required prior to employing SOLVED employees, regardless of if a competitive recruitment process is used.
  • All SOLVED employees are required to sign a Non-Disclosure Agreement before being granted access to any data. Upon termination of employment, staff are reminded of confidentiality and non-disclosure agreements.
  • All new staff must complete an approved Security Awareness training prior to, or within 30 days of, being granted access to any data. In this training, all new staff are provided with relevant data policies and protocols to allow them to properly protect data. All new staff then must acknowledge they have received and agree to adhere to the SOLVED data policies and protocols before being granted access to any data.
  • All staff must complete an annual security awareness training.
  • SOLVED provides all employees an anonymous process for reporting violations of information security policies or procedures.
  • Staff found to have violated SOLVED’s data policy or protocols may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

South Asian Youth Action (SAYA)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. As part of SAYA’s Community School programming at Richmond Hill High School, our team monitors program quality and effectiveness in three areas: school attendance, college access support, and social and emotional impact. In order to track data and measure the effectiveness of our offerings, our staff secure student PII and make use of the Department of Education databases, as well as Apricot - Social Solutions, which is a customized database used by SAYA across all of our sites. These databases house and track a number of metrics, including attendance and college enrollment. SAYA staff gather PII data points from our participants, teachers, and other school administrators to measure and gauge youth improvement within these metrics. Through data gathered, our Community School Director and team continually determine how SAYA programming and intervention can best benefit our students and improve their performances.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Google Workspace, Apricot - Social Solutions.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Access control methods to be used shall include:

  • Auditing of attempts to log on to any device on the company network
  • Automatic updates implemented on all systems
  • Server access rights
    • Active file and email intrusion detection (implemented with Google Workspace for Non-Profits)
    • Active Network Intrusion detection and automatic emails to IT team to inform of the situations.
  • Firewall permissions
  • Web authentication rights
  • Database access rights
  • Encryption at rest and in flight
  • Network segregation
  • Yearly user training concerning the handling of sensitive information and PII will be provided. Additionally, this data security policy will be available to any SAYA staff member or contractor. This also applies to contractors and third party vendors who for whatever unforeseen circumstance would need access to sensitive information.

Access control applies to all networks, servers, workstations, laptops, mobile devices, web applications, websites, cloud storages, cloud databases, and any other form of cloud service that contain sensitive or PII data.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

 

Sparkler

The exclusive purposes for which Protected Information will be used: To provide the service, directly and in coordination with the BOE. Aggregated non-identifiable data may also be used to improve the service.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Data protection and security requirements that meet or exceed these requirements are a part of Sparkler’s privacy policy and all employment and contracting agreements used by Sparkler.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The agreement starts on signing, and will extend no more than a year, or until terminated by either party. Protected information held by Sparkler will be deleted at any time at the instigation of either users or the DOE, and at any rate under Sparkler’s policies will be deleted no later than one year after the end of the agreement.

[NYC DOE comment: The current agreement became effective starting on April 1, 2020 and terminates when all NYC DOE schools and/or offices cease using Sparkler’s products/services. The terms of the agreement remain effective through the period during which Sparkler possesses or otherwise is in control of covered protected information.] 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data is stored in the US, using the commercially reasonable protections afforded by AWS. Further provisions are described in the Recipient’s Terms of Use and Privacy Policy.

How the data will be encrypted (described in such a manner as to protect data security): Sparkler is using the industry standard AES-256 encryption algorithm to encrypt all data on the server. For encrypting network communications and establishing the identity of the app, Sparkler is using industry standard SSL/TLS protocols.

 

Speak Agent

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 11/15/2023 – 11/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Speak Agent, Inc. receives PII for the sole purpose of delivering supplemental instruction. "Speak Agent" is an instructional software platform that includes "Math+Language" and "Science+Language" programs for grades K to 12, providing digital lessons and activities that run on its cloud-based platform. These programs supplement the school district's math and science curriculum. Specifically, PII is needed in order to (1) provide secure login through single sign-on; (2) connect students with the correct class sections, teachers, and grade-appropriate instructional materials; and (3) provide students with expressive language opportunities (writing, speaking, and representing) and individualized feedback.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and/or Heroku.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All PII data are securely stored using cloud hosting facilities that meet ISO 27001 and PCI Level 1 requirements. PII may be viewed only by authorized district and Processor users. Processor secures and manages usernames, passwords, and other means of gaining access to PII at levels recommended by NIST SP800-171 (password complexity, encryption, and re-use).

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Sphero (for Sphero EDU)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Use of Sphero’s Sphero EDU application available at edu.sphero.com, and all related client applications, with which students learn, code, and play with Sphero robots. Depending on if and what type of user accounts are created, PII can contain first name, last initial, email address, and date of birth. Name and email information is used solely for the purpose of creating user accounts. Date of birth is used for the purpose of checking age of consent of the user.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Sphero ensures that data is encrypted both in motion and at rest. The Sphero Edu platform runs in an Amazon Web Services (AWS) facility (please see full details here: https://aws.amazon.com/security/). Personnel are only given access to data on an as-needed basis. AWS provides extensive protection in the form of secure physical facilities, permissions and identity policies, rapid patching and updating of systems, firewalls, network threat detection and response, and scalability to respond to denial of service attacks. PII data is always password protected in addition to being encrypted.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Spruce Technology

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Spruce Technology, Inc. provides information technology consulting services for the New York City Department of Education, including the implementation, integration, customization, testing, and support of technology platforms licensed and hosted by other providers; custom design, development, testing, and support of technology solutions; cybersecurity advisory services; user interface design and development; and provision of specialized technology staff. We require access to PII to develop initiatives, troubleshoot issues, create reports and provide adequate support to all patrons.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: No PII will be stored or hosted by Entity.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All DOE data that is considered private, sensitive, or higher classification will be accessed by Spruce team within DOE environment using DOE issued equipment such as VDI / Servers etc. Plus the technical design of the PSAL ensures that the design and architecture conforms with all citywide security standards and will get all necessary approvals prior to go live in production.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

St. John’s University's School of Education (for Project RAISE)

Type of Entity: Research Institution or Evaluator

Contract / Agreement Term: 1/31/2022 – 1/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Resilience, Access, and Imagination for Success in Education (henceforth Project RAISE), consists of the following components:

  • Supplemental Instruction
  • Counseling Services
  • Tutoring Services
  • Mentoring Services
  • Parent Engagement Services
  • Professional Development; and
  • Extended Year Program

St. John’s University’s Project RAISE is a program designed to provide Title I supplemental instructional services and related services under the Every Student Succeeds Act (ESSA) for Title I eligible students, parents, and teachers at nonpublic schools in New York City. To this end, all students from Pre Kindergarten through grade 12, as well as their parents and teachers who are eligible for Title I assistance, will benefit from Project RAISE. Pre-Kindergarten to grade-12 students from families in poverty grapple with numerous challenges in terms of their emotional, physical, social, and cognitive development. These challenges adversely affect their academic success. The primary goal of Project RAISE—which is intended to provide Title I nonpublic schools supplemental instructional services—is to afford students from Pre Kindergarten through grade 12 with the opportunity to receive supplemental instruction in the areas of English language arts/reading, mathematics, English as a Second Language (ESL), social studies, and technology, as well as Pre-Kindergarten services to help them succeed in these subjects. The primary location for services will be in New York City nonpublic schools serving students from pre-kindergarten to twelfth grade, and that select St. John’s University as their service provider.

Data collected will be for the purpose of invoicing/billing the participating non-public schools in the City of New York. The data will include the following: Student ID Number; Grade Level; and School Name.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. This correspondence articulates elements of the St. John’s University cyber security and privacy infrastructure as it relates to the academic research infrastructure for the New York State Department of Education grant award supported by faculty in the St. John’s University School of Education.

St. John’s University has taken a risk-based approach to cyber and information security by ensuring the confidentiality, integrity, and availability of its information assets. The University has a viable program that balances the people, processes and technologies and focuses on the management of the security program, user awareness, research platform, and operations. The details are as follows:

Security Program: Our Security Program is comprised of several strategies that include, but are not limited to:

  • A viable IT Governance model and reporting structure
  • University-wide and department-specific Information Technology (IT) and Security policies and standards
  • A Vulnerability and Patch Management (VPM) program (policies, standards, processes, and procedures) to proactively address potential vulnerable and unpatched systems and applications of critical and non-critical information assets.
  • Multi-factor authentication to minimize authentication threats
  • An IT risk management framework based on the NIST Cyber Security framework to manage IT risks consistently and continuously.
  • Adequate security awareness and training of faculty and staff, including staff that handles personally identifiable information (PII)
  • Processes and techniques to address the end-user computing threats
  • Data maps for PII that is transmitted, processed, and stored within the University.
  • Records/data that are classified into three groups
  • Active records that are stored in a primary storage medium
  • Data is retained for a regulated specified period according to the University’s retention schedule

The subcontractor is held to the same standards described above.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

St. Nicks Alliance Corp (Community Schools)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. St. Nicks Alliance (SNA) is a community-based organization contracted by the NYCDOE to provide services at:

  • The Williamsburg High School of Art and Technology, Brooklyn, NY 11206: These services provide integrated student support, expanded and enriched learning time and extended learning time opportunities, active family and community engagement, and collaborative leadership and practices. These supports and programs help to ensure consistent attendance, academic recovery, relationship building and leadership inside and outside the school community.
  • John Ericsson Middle School 126, Brooklyn, NY 11222. These services provide integrated student support, expanded and enriched learning time and extended learning time opportunities, active family and community engagement, and collaborative leadership and practices. These supports and programs help to ensure consistent attendance, academic recovery, relationship building and leadership inside and outside the school community.
  • PS 150 Christopher, Brooklyn, NY 11212. These services provide integrated student support, expanded and enriched learning time and extended learning time opportunities, active family and community engagement, and collaborative leadership and practices. These supports and programs help to ensure consistent attendance, academic recovery, relationship building, and leadership inside and outside the school community.

Protected Information may be collected or accessed by authorized SNA representatives to support students with attendance and credit accumulation. We may examine academic data (i.e. grades on assignments, courses, or exams); daily attendance statistics, demographic and disciplinary history, contact information, survey responses, and/or Other Protected Information. This data is used to track student progress toward attendance and credit accumulation and to tailor services to each student.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data storage can be in electronic or non-electronic formats (such as paper surveys), including data files and databases. Non-electronic data is stored in the United States in locked cabinets in SNA main office (located at 2 Kingsland Avenue, Brooklyn, NY 11211) or Bushwick Community High School (at 231 Palmetto St., Brooklyn, NY 11221), as required by regulatory agencies (i.e., NYS Department of Health). The lock's key or combination is exclusively shared with authorized staff.

For electronic data storage, SNA uses password-protected computers. The password is changed every 60-180 days and is only accessible to SNA staff members responsible for analyzing the data. Data storage requirements are thoroughly discussed with SNA staff both during onboarding of new staff and ongoing during training on Federal and State laws governing confidentiality to any officers, employees, or assignees who have access to student data or teacher or principal data to ensure compliance with our regulations and SNA internal data storage plan that protects confidentiality and safety of PII. Do not use educational records for any other purpose than those explicitly authorized in the contract.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

St. Nicks Alliance Corp (Learning to Work)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/01/2015 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. St. Nicks Alliance (SNA) is the community-based organization contracted by the NYCDOE to provide the Learning-To-Work program at Bushwick Community High School, Brooklyn, NY. These services assist students with attendance improvement and dropout prevention through individual and group counseling, case management, and post-secondary planning, among other evidence-based strategies.

Protected Information may be collected or accessed by authorized SNA representatives to support students with attendance and credit accumulation. We may examine academic data (i.e. grades on assignments, courses, or exams); daily attendance statistics, demographic and disciplinary history, contact information, survey responses, and/or Other Protected Information. This data is used to track student progress toward attendance and credit accumulation and to tailor services to each student.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data storage can be in electronic or non-electronic formats (such as paper surveys), including data files and databases. Non-electronic data is stored in the United States in locked cabinets in SNA main office (located at 2 Kingsland Avenue, Brooklyn, NY 11211) or Bushwick Community High School (at 231 Palmetto St., Brooklyn, NY 11221), as required by regulatory agencies (i.e., NYS Department of Health). The lock's key or combination is exclusively shared with authorized staff.

For electronic data storage, SNA uses password-protected computers. The password is changed every 60-180 days and is only accessible to SNA staff members responsible for analyzing the data. Data storage requirements are thoroughly discussed with SNA staff both during onboarding of new staff and ongoing during training on Federal and State laws governing confidentiality to any officers, employees, or assignees who have access to student data or teacher or principal data to ensure compliance with our regulations and SNA internal data storage plan that protects confidentiality and safety of PII. Do not use educational records for any other purpose than those explicitly authorized in the contract.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

ST Math - MIND Research Institute

The exclusive purposes for which Protected Information will be used: Personally Identifiable Student Information (PISI) will be used to enroll/roster students into the ST Math program as well as collect usage and performance data as related to the program (i.e. progression through the program, mastery of standard, time on the program). 

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: MIND Research Institute requires all employees that will handle PISI to agree to and sign our employee handbook which details requirements each employee must adhere to in order to ensure the security of user data. Additionally, MIND Research Institute provides scheduled training and refresher training on best practices in the handling of data and requires employees to participate. 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: PISI received from a LEA is de-identified or deleted in a reasonable period of time after the relationship between MIND Research Institute and the LEA has been terminated.

[NYC DOE comment: The current agreement became effective starting on September 18, 2019 and terminates when all NYC DOE schools and/or offices cease using ST Math’s products/services. The terms of the agreement remain effective through the period during which ST Math possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): MIND Research Institute's infrastructure is hosted within the United States. We design and implement our systems to provide resiliency against server, segment, and geographic failure, through the implementation of a clustered redundant architecture that yields highly available service endpoints. We utilize service providers whose systems have been certified for compliance with security standards including ISO 27001.

How the data will be encrypted (described in such a manner as to protect data security): Unauthorized access of User data is a real risk facing the users of today's electronic information services. MIND Research Institute strives to keep informed of these risks, and we work diligently to combat them. One method of protecting User data is to utilize cryptography to prevent data visibility in the event of its unauthorized access. MIND Research Institute leverages cryptography to protect user data in the following two ways:

  • Data in Transit. Our services support Transport Layer Security (“TLS”) to encrypt User communications (TLS 1.0 or greater and only the strongest ciphers). Data transferred between our Site and its end Users (including credential submission, data uploads, and data downloads) are sent over TLS connections, which protect such data using strong encryption, so that data in transit is kept in a private channel between the intended User and our systems.
  • Data at Rest. User data that contains personally identifying information, when “at-rest” (i.e., when in storage) is encrypted using industry standard AES-256. There are two types of "at rest" storage:
      • Database. Database server disk storage is “volume” encrypted (i.e., encrypted at the level of the database).
      • User Files. User files are individually encrypted before being recorded on long-term, secondary storage systems.

STEM Sims

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Great Leaps Digital is a web-based application used by instructors 1-on-1 with K-12 students to improve students’ proficiency in reading fluency and basic mathematics skills. Great Leaps Digital offers: (1) the Reading Program with exercises in Letter Recognition and Letter Sounds, Phonics, High Frequency Word Phrases, and Stories with Depth of Knowledge based comprehension development question and more, and (2) the Math Programs, developed as a simple, multi-sensory approach to teaching basic math facts.

Great Leaps Tutoring offers 1-on-1 online tutoring using the Great Leaps Digital Reading and Math Programs. Data collected is used for system access and progress tracking.

Student PII is required for account creation and performance tracking. Performance tracking is used to communicate to instructor(s) how student performance has progressed with their usage of the program. Performance tracking allows instructors to determine if the program is an effective intervention for the student and communicate data on student performance to relevant and authorized individuals (e.g., school administrators).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS, DigitalOcean.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. STEM Sims uses encryption technology to protect this information while in motion or in its custody from unauthorized disclosure and conducts digital and physical periodic risk assessments to remediate any identified security and privacy vulnerabilities in a timely manner. Additionally, STEM Sims incorporates various technical safeguards to protect the collected student information and data. The database servers are behind a firewall so that only their other servers can connect to the database. The program is built to ensure that any user account logged into the system is only able to access data about themselves and any students they are teaching, and each student is isolated from each other throughout the system. STEM Sims also limits access to customer data from employees and uses an internal tool to limit the interactions with customer data for authorized internal users. When generating any internal reports, STEM Sims minimizes the amount of sensitive information to just student performance and runs any necessary information that might identify a user through an anonymizing function so it cannot be linked back to the original student. STEM Sims also uses industry-standard transport layer security protocols on any connections that customers make to the server to make sure the data transmitted back and forth is private. In case of becoming aware of any breaches in the system, STEM Sims will follow the steps outlined by their Data Breach Response Plan, including containing the breach, remediating the access, disclosing to affected users as appropriate, and reviewing and enhancing security measures to prevent further breaches and mitigate privacy and security risks.

STEM Sims limits staff access to customer data through user and permission management to ensure that only authorized staff can interact with PII. Administrative safeguards also include security training within our onboarding process for all new staff and monthly security risk assessments for all staff with access to PII.

Physical safeguards include controlling physical access to our office and ensuring only authorized staff can access our physical servers and computers. Encrypted PII residing in Digital Ocean’s cloud servers is protected by Digital Ocean’s physical infrastructure security safeguards and their networks are MANRS certified (https://www.digitalocean.com/security/infrastructure-security). ’s physical safeguards for further information with regard to our cloud servers.

STEM Sims incorporates various technical safeguards to protect PII. STEM Sims uses encryption technology to protect this information while in motion or in its custody from unauthorized disclosure and conducts digital and physical periodic risk assessments to remediate any identified security and privacy vulnerabilities in a timely manner. The database servers are behind a firewall so that only their other servers can connect to the database. The program is built to ensure that any user account logged into the system is only able to access data about themselves and any students they are teaching, and each student’s PII is isolated from others throughout the system. When generating any internal reports, STEM Sims minimizes the amount of sensitive information to student performance only and runs any necessary information that might identify a user through an anonymizing function so it cannot be linked back to the original student. STEM Sims also uses industry-standard transport layer security protocols on any connections that customers make to our servers to ensure the data transmitted back and forth is private.

The disclosure of the description on NYC DOE’s website will not compromise the security of the data or our security practices and protocols.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Strategic Inquiry Consulting

Type of Entity: LLC

Contract / Agreement Term: 3/1/2022 – 2/28/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Coaching support for teachers and school leaders in developing student writing skills. PII is received in the form of electronic student work files (showing progress toward skill mastery, which contain student names and handwriting).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Google Workspace.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. SIC will maintain reasonable technical, administrative and physical safeguards to protect PII including storing in an online portal that provides data encryption and has built-in security designed to detect and block threats like spam, phishing and malware.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

STRIDES Via Transportation

The exclusive purposes for which Protected Information will be used: Scoping for the STRIDES project plan.
 
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: N/A – only Via employees will have access to student, teacher or principal data.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Starts October 15, 2019 and ends upon execution of the Requirements Agreement by and between the Board of Education of the City School District and the City of New York and Via Transportation, Inc., at which point the confidentiality and information security provisions of that agreement will govern use of NYC DOE Confidential Information. 

[NYC DOE comment: The current agreement became effective starting on October 15, 2019 and terminates when all NYC DOE schools and/or offices cease using Via Transportation, Inc.’s products/services. The terms of the agreement remain effective through the period during which Via Transportation, Inc. possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): The PISI will be stored in the US. Via servers are hosted on AWS. Access to AWS and Via’s operational tools is granted only through a 2-factor authentication mechanism to authorized personnel. Via requires an authorized account for all network logins; all users have their own credentials and a user in the multi-factor Okta system. All network and security devices support Secure Shell (SSH) and/or HTTPS for administration of the devices. All of our services are running in secured VPCs, with proper network segmentation and stateless firewalls.
 
How the data will be encrypted (described in such a manner as to protect data security): Via uses appropriate encryption technologies to protect data stored on its corporate and production servers based on the sensitivity of the data elements in question. To the extent that Via uses any third-party cloud servers or other storage assets to store sensitive information, the Via information technology and information security teams will configure use of such third-party servers to turn on/enable/use available authentication and encryption technologies. The following minimum encryption protocols will be implemented when creating, storing, or transmitting sensitive data:
  • Via shall use 256-bit SSL when transmitting sensitive data over the internet.
  • Wireless network transmissions will be encrypted. 
  • Audit logs that contain sensitive data will be sanitized or removed from the logs.
  • Via uses AWS Key Management Service as the main KMS. AWS KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect our keys.
  • AWS KMS is integrated with AWS CloudTrail to provide audit logs of all key usage.
  • All endpoints that connect to Via’s network are disk-encrypted using industry-standard encryption. Personal client information is never stored on the client-side device.

Study.com

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Identifying students, communicating assignments, composing classrooms, recording and reporting grades, and tracking progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Access to Protected Data is limited only to trained System Administrators within Study.com. Key fobs are required to enter the facility and servers are locked in a keyed cage. All AWS servers are on a restricted Virtual Private Network. We log any unauthorized attempts to access this network or the Protected Data contained on the network. All analytics, features, and data processing are done internally on physical Study.com owned servers racked in a secure facility.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Sunnyside Community Services

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Community Schools provides programs/services related to attendance, health and wellness, expanded learning time, and family engagement. Some of these programs/services include attendance support check-ins, tutoring, in-class Math support, time management groups, and wellness lunchtime events. PII will be used to:

  • Create student and parent records in Salesforce
  • Log student and parent activity hours and outreach efforts
  • Distribute interest surveys and needs assessments to students and parents
  • Use sign in sheets for events, activities, and incentives.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Only authorized users of the Salesforce system have access to PII, which is protected by Multifactor authentication.

SCS will have full Hard Disk Encryption on Laptops/Desktops implemented with Win 10 Pro BitLocker.

PII Data sent over email will be encrypted with O365. Automated Security & Windows patches with anti-virus are updated on a scheduled basis. We hold written policies to ensure the treatment, use, and security controls for data, as well as enforcement to ensure security. This covers access to and storage of data, among other relevant issues. In line with DOE expectations and our own security policy, SCS shall only disclose PII to Contractor's employees and Subcontractors who need to know the PII in order to provide the Services and the disclosure of PII shall be limited to the extent necessary to provide such Services. SCS will ensure that all student data and PII information is secured and will not be shared with any subcontractors without written/approved agreement. SCS will also comply with all regulatory requirements in collection, retention, and destruction of student data and PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Suntex International (also called First in Math)

The exclusive purposes for which Protected Information will be used: We do not absorb, display or store any sensitive data in this process. As part of a typical data sync, the district will provide information regarding the school buildings, the classrooms that exist, and the teachers that are assigned to those classrooms. Lastly, a list of students and what classes they belong to is provided. In the most common application, these files are transmitted nightly through Clever. The syncing process will automatically establish accounts, preserving the teacher/student relationship. As this relationship changes, and students move to a different classroom or school building, this change is reflected in the vendor’s website. If a student no longer appears in the data feed, the student will be held in a reset/deactivated status until they appear again. Teachers that are no longer teaching the classrooms associated with the program will be removed as indicated by the feed. There are some cases where the relationship is not correctly reflected in the SIS, or the student’s classroom assignment is ambiguous. In this case the teacher may use tools to find students that are deactivated or exist in an unassigned pool for that grade level using a drag and drop tool. The teacher may also examine a roster and determine that a student is either no longer in that classroom, or that they no longer exist within that school, or reset a password, though passwords are not relevant when an SSO sign in method is being used. A building level administrator may have additional tools to move students to different classrooms within the building.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE:  Suntex does not use subcontractors. Company employees follow proper policy in handling data for initial import of district data, trouble-shooting, customer service. We take reasonable measures to protect the confidentiality of the Data as required by federal and state laws and regulations applicable. We establish technical and physical security measures to ensure the confidentiality, integrity and availability of the Data.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Traditionally, we retain the current school year and one-year prior of data. Before each school year we purge any older data. At the end of the contract period or upon request, information will be returned to NYC DOE, or at such point that the Data are no longer needed for the purpose referenced in this Agreement, or, at the sole discretion of NYC DOE, securely destroyed, and all electronic Data purged from the network in a manner that does not permit retrieval of the data.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data will be stored within the Atlanta Data Center of Aptum Technologies, 106 Jefferson Street, Suite 300, San Antonio TX 78205 (Formerly Cogeco-Peer1), a top-tier and leading hosting provider. Multiple approaches to data security include physical security (CCTV, biometric access control, on-site guards), network and application protection, including DDoS protection, hardware fire, load balancer, and access through VPN only. The next layer of security includes alert logic monitoring and McAfee enterprise anti-virus. Web Site access is only allowed using SSL (2048-bit). The environment is kept clean, installing only the necessary applications and features, and is kept up-to-date with the latest security patches.

How the data will be encrypted (described in such a manner as to protect data security): All data in motion will be encrypted either via Secure HTTP (HTTPS), SFTP, or another approved encryption mechanism. In general, Email send and receive is protected by TLS in its transmission, but is not generally an acceptable means of passing confidential information.

Sussman Education Company, Inc. for Lightswitch Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Sussman Education Company, Inc., for Lightswitch Learning offers FAMIS e-catalog approved culturally responsive/social emotional, and parent engagement offerings in print and digital format through their textbook contract. 80% of the offerings feature minority authors and subjects. Sussman is applying for a software contract so schools can order site-based one-year subscriptions for their eBook content. Sussman Education Company, Inc., for Lightswitch Learning does not collect PII.

Type of PII that the Entity will receive/access: Entity will not receive or access PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Sussman Education Company, Inc., for Lightswitch Learning does not collect PII.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Sussman Education Company, Inc., for Lightswitch Learning does not collect PII.

Challenges to Data Accuracy. Sussman Education Company, Inc., for Lightswitch Learning does not collect PII.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Sussman Education Company, Inc., for Lightswitch Learning does not collect PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Sussman Education Company, Inc., for Lightswitch Learning does not collect PII.

SVAM International (for DOE’s Compliance Systems Modernization Project)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 8/1/2023 – 7/31/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Compliance Systems Modernization Project focuses on implementing any modifications and enhancements to support any updated business policies/processes and relevant Federal, State and City mandates.

Type of PII that the Entity will receive/access: Student PII. “Under High Level Enhancements for the OSI’s system for parent notification and integration with NYCSA, SVAM Project team will access DOE applications that store Student PII data. However, SVAM will not store or host PII data on any SVAM storage systems or applications. SVAM team will work directly on DOE infrastructure and will not download/share any PII data onto the SVAM infrastructure.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Under High Level Enhancements for the OSI’s system for parent notification and integration with NYCSA, SVAM Project team will access DOE applications that store Student PII data. However, SVAM will not store or host PII data on any SVAM storage systems or applications. SVAM team will work directly on DOE infrastructure and will not download/share any PII data onto the SVAM infrastructure.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity. “Under High Level Enhancements for the OSI’s system for parent notification and integration with NYCSA, SVAM Project team will access DOE applications that store Student PII data. However, SVAM will not store or host PII data on any SVAM storage systems or applications. SVAM team will work directly on DOE infrastructure and will not download/share any PII data onto the SVAM infrastructure.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Please note that SVAM will not store or host PII data on any SVAM storage systems or applications. SVAM team will work directly on DOE infrastructure and will not download/share any PII data onto the SVAM infrastructure. Under High Level Enhancements for OSI’s system for parent notification and integration with NYCSA, SVAM Project team will access DOE applications that store Student PII data.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Swivl (also called Satarii)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Reflectivity cloud based software service is for teachers’ and administrators’ collaborative work and professional development. In order to properly authenticate educators in the service, we collect some PII, such as name, email, job title. Student PII may be captured in the videos of teachers providing instruction, which shall be uploaded and reviewed by instructional coaches as part of the professional development process.

Type of PII that the Entity will receive/access: Student PII, and teacher name, email, and job title.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Swivl software is hosted on SOC2 compliant data centers provided through Amazon AWS and requires multiple factors of authentication to gain access to the data. Swivl uses AES-256 encryption for data storage and TLS 1.2 for data transport. All infrastructure is behind industry leading firewall solutions and requires VPN access with secure keys. We restrict access to customer data to a small set of security and operations specialists who need to have access as part of fulfilling their job duties. We have a continuous process of testing our security processes and services and mitigating any issues, if found. We have a dedicated security team which monitors and tests our system continuously using leading software tools.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

TalkingPoints

The exclusive purposes for which Protected Information will be used: To provide a two-way translated messaging platform between school & district administrators, teachers and parents.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: TalkingPoints has implemented strict controls over physical, environmental, and software security for all employees and contractors.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: TalkingPoints will either delete or return, within a commercially reasonable period of time but not to exceed 45 days, all personally identifiable information upon the expiration of any agreement when requested to do so by notification from the contracting party; [NYC DOE comment: The current agreement became effective starting on May 29, 2020 and terminates when all NYC DOE schools and/or offices cease using Talking Points’ products/services. The terms of the agreement remain effective through the period during which Talking Points possesses or otherwise is in control of covered protected information.] 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. Any parent, student, eligible student, teacher or principal may correct inaccurate student data or teacher or principal data that is collected. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information will be stored in the U.S. As described in Attachment B of the Agreement, TalkingPoints’s infrastructure is built on industry-tested technology and security practices.

  • TalkingPoints uses encryption, firewall, and network security software.
  • TalkingPoints uses single sign-on (SSO) and two-factor authentication (TFA).
  • Low-level auditing software is supported for all external providers (AWS, Atlas) to record potentially malicious actions that may take place.
  • TalkingPoints runs periodic penetration tests, then logs and resolves discovered issues.
  • All TalkingPoints clients use TLS/SSL when communicating with our servers.
  • TalkingPoints has a host-based intrusion detection system to detect unauthorized access to production hosts.
  • Audit logs are sent to a central location for storage and analysis. Access to production servers and interaction with production systems is audited and logged.

How the data will be encrypted (described in such a manner as to protect data security): All student data or teacher or principal data is stored on cloud servers within the United States and protected with industry standard and best practices procedures, including AES256-CBC encryption when in transit and when stored at rest.

Teachercentric (also called Satchel Pulse)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 3/1/2023 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The products we offer are as follows:

Climate Tool. This is an online platform designed to help school and District Leaders make data driven decisions based on direct feedback given by staff, students, & parents. Built specifically for the education market, Pulse takes feedback and converts it into measurable data and leading indicators, enabling District Leaders to make focused, proactive decisions. Data is delivered in real time and shows information relating to staff, student and family engagement, school culture and improvement across time at a group, school and district level. Using Pulse to monitor feelings and opinions enables School and District Leaders to understand exactly where they need to focus their efforts for improvement. Actions can be created to target issue areas and Pulse used to track the trends in feelings and opinions, highlighting the impact of those actions. Our system uses student information to help track and filter the results of the Climate survey.

Skills Tool. Supports each student by helping them build important social and emotional skills that give them the confidence they need to grow. With Satchel Pulse's SEL Solution, you can efficiently and accurately measure students’ and teachers’ perceptions of SEL skills, identify school-wide, group, and students SEL skill development needs, develop plans for improvement, and monitor progress.

We need to receive/access the staff/students PII information so they can be identified in the application in order to have access to their account and a way to identify who responded to the survey and where to keep their results. Other uses are for grouping or searching for students.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services – RDS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII is encrypted at rest and in transit. You can find full information on our Information Security Policy that’s been shared.

  • Administrative Safeguards:
    • Data Access Management: We employ a role-based access control system that ensures only authorized personnel with a legitimate business need can access PII.
    • Training and Awareness: We provide regular training and awareness programs to our employees to ensure they are well-informed about the latest data protection practices and understand their roles in protecting PII. The employees receive a yearly training via Zoom to review and discuss the training and awareness around data security.
    • Policies and Procedures: We have comprehensive policies and procedures that outline how PII should be handled and protected, including incident response plans.
  • Technical Safeguards:
    • Data Encryption: We utilize strong encryption standards for data both in transit and at rest to ensure that PII is unreadable to unauthorized users.
    • Network Security: We employ various network security controls including firewalls, and secure configurations to protect our network infrastructure.
    • Regular Security Assessments: Our systems undergo regular security assessments, including penetration testing and vulnerability scanning, to identify and remediate any security vulnerabilities.
    • Disaster Recovery: We have disaster recovery plans in place to ensure data can be recovered in the event of a physical disaster (data is stored in AWS).
  • Mitigating Data Privacy and Security Risks:
    • Continuous Monitoring: We continuously monitor our systems for signs of security incidents or data breaches and have incident response plans to ensure swift action.
    • Data Minimization: We practice data minimization to ensure that only the necessary amount of PII is collected and stored, reducing the potential impact of a data breach.
    • Regular Review of Practices: Our security practices are regularly reviewed and updated to align with emerging threats and best practices in data security and privacy.

Please note that, in the interest of security, this description is intentionally high-level. We take the security of PII very seriously and employ a robust set of safeguards to protect this data.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Teachers College, Columbia University (for the Reading and Writing Project)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 12/1/2021 – 11/30/2026

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Teachers College Reading and Writing Project may review and use student protected information as part of professional development in literacy in schools. Reviewing this information is necessary in order to systematically check to see if and when students have internalized key literacy skills, and to assure that instruction is differentiated in response to student needs. TCRWP staff developers also regularly lead study groups with teachers in order to provide teachers with opportunities to examine student writing, to study patterns in data, and to co-author methods and curricula. Studying student work together in this way enables teachers to thoughtfully plan next steps based on what students are actually doing. This shared work is vital to deepening teachers’ understanding of conducting formative assessments, and of norming across a school so as to ensure a consistent vision of excellence.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. TCRWP Staff Developers may have access to student work as part of leading professional development in literacy in schools. In the event remote work is required, the Teachers College Google Drive instance will be utilized to transfer and store student writing documents. Within Google Drive, a Shared Drive will be created and appropriate access (read-only, edit, or content manager) will be assigned. Those assigned read-only access will not be able to download or share content. Additionally, all subcontractors accessing PII data are required to sign an NDA. TC employees are educated and reminded of how to treat PII data and employees with access to PII data are required to sign confidentiality agreements. A copy of the NDA and confidentiality agreements are attached.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Teachers First (for Toddle)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Toddle is a one-stop web-based platform that streamlines teaching and learning for educators, students, and family members. It is used for, among other things, curriculum planning, lesson planning, assessments, student portfolios, family communication and progress reports. It is also licensed by the IB.

We receive and access PII for the following purposes:

  • Rostering: PII is essential for the operation of Toddle and for account rostering. All classes and grades have to be set up and we need PII for that purpose.
  • Communication: PII is also essential for teachers to uniquely identify and communicate with students and parents. It is also required for 1:1 communication, class discussions etc.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

  • All Toddle employees and sub-contractors undergo extensive trainings and background checks at the time of onboarding.
  • We follow the Principle of Least Privilege to restrict access to data and only the account manager and any personnel or sub-contractors considered essential for operation are given access.
  • We have a comprehensive exit policy to ensure access to any and all forms of data is revoked and deleted; specifically, redactions are not acceptable as per policy.
  • We use the highest standard of encryption and anonymization techniques to ensure deidentification of PII
  • We use industry-standard AES-256 encryption.
  • All data is encrypted at rest and in-transit and hosted on AWS servers in USA
  • We regularly conduct vulnerability and penetration testing
  • We are subject to regular and surprise audits by independent third-party auditors and the access to the audit report can be shared on request.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

TeachFX

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 8/29/2023 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. As a general overview: TeachFX provides a software-as-a-service application and reporting tools, powered by artificial intelligence, designed to provide measurements of student engagement and other pedagogical indicators, to educators with respect to dialogue that is occurring in instructional settings. TeachFX also has a partner success team that designs and implements professional learning experiences for educators to improve their instruction and student engagement. The TeachFX classroom implementation does not collect or store student PII. However, where a teacher opts to use the TeachFX virtual instruction option via Zoom, student names and virtual platform unique identifiers will be collected.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud Platform.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We have multiple safeguards in place to protect all sensitive student data, including PII.

  • Authentication: We authenticate users before they can use the application. Email verification is required to access the features of the app.
  • Access control: We use object-level permissions to monitor user access to data.
  • Secure communication and encryption: All our communications happen through HTTPS, secured by strong ciphers. User data is maintained in encrypted storage at rest.

We have multiple monitoring systems in place to mitigate risks, including systems used for codebase scanning, artifact scanning, and monitoring vulnerabilities.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Teaching Strategies

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Teaching Strategies GOLD® Enhanced supports effective teaching and assessment while providing educators with more time to spend with the children in their program. Student Data is used to set up and maintain user accounts and student portfolios and to grant other Authorized Users the right to access, update, view, and/or modify such portfolios. Portfolio Data can be used to identify and recommend appropriate activities and customize student plans.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS, Google Cloud Platform and Ntirety.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. TS implements background checks on all employees, security and privacy training, admin user training, secure development training, NIST policy and procedure alignment, weekly vulnerability scanning, IDS/IPS, file integrity monitoring, central logging and monitoring, secure cloud storage, annual risk assessments, annual 3rd party penetration testing, and annual SOC2 Type II compliance audits by an AICPA accredited organization.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

TEAM FIRST, Inc NYGEAR UP Program

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/13/2023 – 9/30/2028

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. TEAMFIRST, Inc. NYGEAR UP will provide academic and social support to a cohort of 710 students in Districts 7, 8, and 29 that will increase high school graduation and college enrollment rate. We collect student data (i.e., demographic information, attendance, LEP, and/or IEP designation, grades, standardized test scores, promotion status, grade) to be reported to the US Department of Education to measure student outcomes as required by the federal GEAR UP Program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Measurement Inc. and the Google iCloud.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data provided will be confidential in nature and will only be reported to the US Department of Education as required by our Annual Performance Report. Access to Personally Identifiable Information (PII) will be limited to the Evaluator and Director of Programming solely as required for reporting purposes. All information will be collected and secured in a locked file cabinet and will be used solely for reporting to New York State Education Department. Passwords will be changed on a regular basis and protocols for deletion and/or destruction of PII will be carried out and written certification will be provided to NYCDOE.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Tech4Learning, Inc.

The exclusive purposes for which Protected Information will be used: To access the Wixie online authoring tool.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: N/A - We will not share student data with subcontractors or other persons or entities.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: At agreement start protected data will be uploaded by NYC DOE staff to Wixie. At agreement end protected data will be deleted unless return instructions are provided. [NYC DOE additional information: The current agreement remains effective through the period during which Tech4Learning, Inc. possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Contractor. [NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected data is stored in our San Diego, CA-based data center. Data is protected via biometric, physical, and logical security.

How the data will be encrypted (described in such a manner as to protect data security): Data transmitted to Wixie and data at rest will be secured using industry best practices.

Territorium

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Territorium will provide NYC employees and learners in K-12 and higher education with an immutable NYC Department of Education-sponsored and transferrable digital record of skills and credentials through the provision of a digital wallet enabling targeted job opportunity, promotion, and educational pathway enrollment. The transferrable digital record of skills and credentials is considered immutable; the issuers of verified skills and credentials (including the NYC Department of Education) can set expiration dates as well as a process for revocation of prior awards. The learner (or their parent or guardian, if applicable) ultimately controls access to and sharing of all data in his/her record of skills and credentials.

Territorium uses PII to make user accounts and track student progress and share progress with parents.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Territorium’s data privacy and security program employs a combination of ongoing training, use of processes to review and document authorization to access its data, technology controls specifically employed to safeguard Protected Information.

Territorium employs several best practices, including the administrative safeguards of limiting all access to NYCDOE data within Territorium and only providing access to PII to NYCDOE staff; requiring confidentiality agreements for all employees of Territorium, even those with no access to PII; and multifactor authorization to access data, with a service log. All storage is maintained with encryption of data in transit and in storage, access controls, and regular, encrypted backups; all quality assurance, testing, and development are free of any student data and have separate domains and security keys. All passwords for access to the production system must be changed every 60 days (about 2 months).

Territorium deploys physical security items (i.e. security cameras, key card access, etc.) that function in our employee offices to make sure that there is no unauthorized entry to our places of work. We have a company headquarters and a second headquarters location as meeting place and executive houses. In addition, we provide company-issued devices to employees that do not have access to any Production data and are monitored for acceptable access points and sites.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

TestOut Corporation (LabSim)

The exclusive purposes for which Protected Information will be used: To facilitate the student using our online courseware – LabSim. LabSim is TestOut’s learning platform. It delivers our certification and courses, including our best-of-class IT simulations. It also provides tools for educators to manage and assess student learning. The LabSim courses keep students engaged and allow them to monitor their progress. LabSim is a flexible and cost-effective solution for IT education.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Process does not utilize subcontractors which have access to Confidential Information.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon expiration or termination of the Agreement, Processor will securely destroy all Confidential Information within 60 days. All data destruction will follow the NIST SP800-88 guidelines. If requested by DOE, Processor will provide Confidential information to DOE in an agreeable format prior to securely destroying all Confidential Information.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Processor employs industry-standard measures, aligned with the NIST Cybersecurity Framework, to protect Confidential Information from unauthorized access while the data is in transit or at rest. Data in transit is encrypted with TLS 1.2 and data at rest is encrypted with AES-256. The servers are hosted in an environment using a firewall that is updated according to industry standards. Passwords are protected following the password guidelines in Article 4.3 of NIST 800-63-3. We only provide access to Confidential Information to employees that are performing the Services. All data stored is on servers located in the United States.

How the data will be encrypted (described in such a manner as to protect data security): Data in transit is encrypted with TLS 1.2, and data at rest is encrypted with AES-256.

Texthelp Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 3/1/2023 – 3/1/2030

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Read&Write, Equatio, Snap&Read, Co:Writer are Assistive Technology Literacy toolbars for students to scaffold learning and to help them access the general education curriculum. uPAR is a reading accommodation decision making tool to help teachers determine accommodations. OrbitNote is an accessible PDF tool. Again this helps make the curriculum accessible to students with typical PDF tools but also accessibility tools to read text aloud. EquatIO is an Assistive Technology Math toolbar and a math space for students to enter math and solve math problems digitally. Again it is a critical support for students with disabilities to access the general curriculum.

Data minimization is at the core of the design of the company’s products and we only collect the necessary data to provide access and usability of our tools to our users. The core of PII is the student’s email. The student’s email is used for the student to log in to the tools and manage their preferences. In addition we collect usage data and other accommodation data for staff to make decisions about future needs of students in using these tools.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS and Google.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Texthelp adhere to the principle of Privacy by Design/Default. Our software solutions are designed to use a minimal amount of PII. Texthelp are a Processor for the purposes of Processing Customer Personal Data; and we are a Controller in relation to any Processing described in our privacy and cookie policies located at www.texthelp.com

All personally identifiable information is used and held in accordance with our privacy and security policies.

Security controls are in place to keep Texthelp systems and data separate from other clients’ data.

Policies and procedures exist to satisfy all of the 114 controls contained within Annex A of the ISO 27001 standard. These include, but are not limited to:

  • ISMS 1.2 Information Security Policy
  • ISMS 1.3 Product Analytics Policy
  • ISMS 1.4 Access Request Policy
  • ISMS 1.5 Roles/Responsibilities/Authorisations Register
  • ISMS 1.6 Audit Logging Policy
  • ISMS 1.7 Backup Policy
  • ISMS 1.8 Encryption & Cryptographic Policy
  • ISMS 1.9 Access Control Policy
  • ISMS 1.11 Network Security Policy
  • ISMS 1.12 Privacy Notice for Employees & Job Applicants
  • ISMS 1.13 Record Retention Policy
  • ISMS 1.14 Security Patching Policy
  • ISMS 1.15 Infrastructure Hardening Policy
  • ISMS 1.16 Vulnerability Management Policy
  • ISMS 1.18 Privacy Policy for Texthelp Products
  • ISMS 1.19 Security Incident Response Policy
  • ISMS 1.20 Acceptable Use, Mobile & Teleworking Policy
  • ISMS 1.21 Information Classification & Labelling Policy
  • ISMS 1.22 Password Policy
  • ISMS 1.23 Statement of Applicability
  • ISMS 1.24 Risk Treatment Plan
  • ISMS 1.25 Asset owner Policy
  • ISMS 1.26 Secure Development Policy
  • ISMS 1.27 Social Media Policy
  • ISMS 1.28 Texthelp Web Properties Cookie Policy
  • ISMS 1.29 Data Subject Access Request Policy
  • ISMS 1.30 Texthelp Web Properties Privacy Policy
  • ISMS 1.32 User Removal Policy
  • ISMS 1.34 Security Disclosure Policy
  • ISMS 1.36 AWS Asset Tagging Policy
  • ISMS 1.38 Data Transfers Risk Assessment
  • ISMS 1.40 Finance Data Handling Procedures

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Thinking Maps Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Our application provides both virtual resources for teachers and a virtual environment for students and teachers to create and share Thinking Maps within their school or classroom. Student First/Last Name and Login ID are the only PII required, and are used to create their accounts.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Within 60 days following termination of a school’s license, the PII associated with that school shall be automatically deleted, unless otherwise directed by the school or district at that time.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII is protected through standardized encryption and security in compliance with NIST guidelines. Student information is only available to users with appropriate roles and/or privileges within the system. All employees with access to such data are provided with security and privacy training, as well as being required to sign a privacy agreement with Thinking Maps Inc.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Thinking Nation

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 1/1/2023 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Processor will provide students and teachers of the 6th-12th grades of the NYCDOE with its specialized, proprietary history curriculum, assessments, and other related resources. Processor evaluates and grades all assessments and essays of participating students and provides them and their teachers with normed data collected from these assessments and essays. Processor will use classroom rosters provided by NYCDOE to properly aggregate and share the data.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

  • All employees have distinct logins so there is a record of all actions and edits when using PII.
  • The least privileged authority is enforced to ensure that PII is used only when necessary.
  • When there is inactivity during a user's session, the platform automatically logs out the user.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Thinkingmap (also called Vocabulary.com)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 3/8/2023 – 3/8/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Vocabulary.com provides personalized, systematic vocabulary instruction for students from 5th grade through high school, and beyond. Beyond its core purpose of building academic vocabulary knowledge, the platform improves literacy skills in the areas of reading, writing, listening, and speaking. Since 2008, Vocabulary.com has served more than 5.1 billion questions to learners all over the world. Today the platform is used by 3.7 million students in 56,000 schools.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS (a cloud hosting and data analytics provider), Century Link (used for telecommunications), Google G Suite (a cloud computing, productivity, and collaboration tool) and Salesforce Inc (a Customer Relationship Management (CRM) solution); and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Vocabulary.com has implemented a variety of physical, administrative and technological safeguards designed to preserve the integrity and security of the personal information we collect and to protect against unauthorized access to data. These include internal reviews of our data collection, storage, and processing practices and security measures, as well as physical security measures to guard against unauthorized access to systems where we store personal data. We restrict access to personal information to IXL employees, contractors, and agents who need to know that information in order to operate, develop, or improve our services. Vocabulary.com provides encryption for customer data as follows:

  • Network connections to Vocabulary’s production environment utilize Transport Layer Security (TLS) or Secure Shell (SSH);
  • All data stored in Vocabulary’s production environment is encrypted at rest using AES-256 bit encryption; and
  • All data stored on Vocabulary-owned laptops is encrypted at rest. Vocabulary employs automated log collection and audit trails for production systems.
  • Connections originating from untrusted network segments will be governed by firewall rules and other security safeguards that grant the minimal access required to access the intended service provided by the company.
  • System passwords and access keys are stored in a privileged location accessible only to Vocabulary security administrators, and all credentials are changed from factory default settings.
  • Production systems receive regular maintenance to apply security patches; and
  • Physical access to systems requires security RFID badges and biometric authentication, and is limited to IT staff performing physical maintenance.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Third Space Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Third Space Learning Inc provide high-impact, high-dosage math tutoring to schools to accelerate math achievement and increase the number of students working at grade level. To do this, Third Space Learning use Littera’s Academic Support Platform. Littera’s Academic Support Platform is designed to enable schools and districts to design, deliver, and monitor tutoring programs that are customized to address the needs of their students.

PII is used to create and manage online accounts, communicate with teachers and students, and ensure that students identified by the school are receiving assistance through the program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Littera Education Inc, Salesforce, Xero.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Third Space Learning Inc use Littera Education Inc’s academic support platform (approved by NYCDoE under ERMA-N2B52030) where PII is protected and stored on US servers. Littera Education and Third Space Learning both place the utmost importance on privacy, safety, and security. All transmission of files or data to organization roster systems is done securely via HTTPS, using industry standards. When files are uploaded, they are stored in encrypted, non-publicly accessible databases. Littera and Third Space Learning use Amazon Web Services (AWS) as their cloud hosting provider. The database along with all the cloud infrastructure is hosted inside a private virtual cloud (AWS VPC). Only a limited number of personnel have access to this VPC.

Third Space Learning utilize two-factor authentication on all services (where available). Access will be granted based on the principle of least privilege, and access is removed immediately when no longer required.

Additional safeguards that Third Space Learning has in place include:

  • Third Space Learning carry out extensive checks on our tutors including criminal record checks, checks on proof of ID and address, at least two references and face to face interviews;
  • Third Space Learning carry out safeguarding specific training, data privacy, and security training for all staff (including all tutors);
  • Third Space Learning have safeguarding policies and procedures that are reviewed regularly and strengthened by 3 complementary policies: a Whistleblowing Policy, a Safer Recruitment Policy and a Code of Behavior for working with children;
  • Third Space Learning have a designated safeguarding officer (DSO), a deputy DSO and a board level champion for safeguarding; as well as a Data Protection Officer (DPO).

In addition to these measures, Third Space Learning has additional built-in safeguards compared to most organizations that work with children:

  • Tutors never physically meet up with the children: our tutors are based remotely;
  • The only interaction is through Littera's tutoring platform which means the tutor and student can only connect at the predetermined time scheduled by the school using our secure platform;
  • Tutoring is overseen by a member of school staff, or during periods of school closure, by a parent or guardian.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Thomson Reuters

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 1/1/2023 – 12/31/2027.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Thomson Reuters HighQ provides centralized case tracking and management to the Office. HighQ provides storage and access functions that include contact management, document assembly, document and electronic file management along with configurable records management, discovery management, and case status tracking. Out-of-the-box, HighQ secure cloud follows NIST SP800-63b guidelines, is ISO27001 certified, delivers highly available 99.9% uptime, offers banking grade encryption, and is monitored by TR personnel 24/7. With a complete audit trail and workflow stage configurable privacy settings, HighQ delivers enterprise-grade security standards.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity states “As a data processor, Thomson Reuters cannot access DOE’s data and will pass on any request relating to access or correction to the DOE. The HighQ platform is designed to allow the DOE to fulfill these requests without assistance from Thomson Reuters.”

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The HighQ platform is fully audited and accredited to meet information security standards. HighQ is ISO27001 certified, which ensures the controls and processes are in place to protect customer data. HighQ uses robust security measures including advanced AES 256 encryption, data back-up and a fully redundant infrastructure to guarantee uptime. HighQ is built around single-tenancy hosting, single jurisdiction hosting and we perform independent penetration tests on the platform. The HighQ platform provides a variety of tools and features that you can use to keep your information safe from unauthorized use. This includes credentials for access control, HTTP endpoints for encrypted data transmission, the creation of separate IAM user accounts using 2FA, and user activity logging for security monitoring.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

TinyIvy

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. TinyIvy&