Vendors R-Z

R K Software

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. This agreement is for our firm to provide Staffing Augmentation to the DOE for a range of services including Software Development, Network Engineering, Server Deployment and Management, Business Analysis, and Project Management. All of the staff we provide will work with NYC DOE equipment and within DOE systems. No PII will be received or stored by our firm or anyone other than the staff hired to work with the DOE. R K Software Inc.’s staff members, consultants, or subcontractors working with the DOE may need to access PII to troubleshoot issues, develop initiatives, provide adequate support, communicate with relevant parties or other similar reasons.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: R K Software Inc’s staff members, consultants, or subcontractors will only access PII, they will not store, host, or collect any PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below. We will not store, host or collect and PII.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. R K Software Inc.’s staff members, consultants, and subcontractors will be trained to handle Student PII information. They will follow the security practices and protocols described in our Education Security Policy, particularly those listed in Section II on confidential information and privacy.

• R K Software Inc.’s staff members, consultants, and subcontractors keep all confidential information private through many security measures in compliance with the NIST Cybersecurity Framework. All confidential information is kept in confidence and not disclosed to anyone or any third party, not used for the benefit of R K Software Inc. or another entity, or for any other purpose than that agreed upon with the New York City Department of Education.
• R K Software Inc.’s staff members, consultants, and subcontractors use commercially reasonable efforts to secure and defend any system housing confidential information against third parties who may seek to breach the security thereof, including but not limited to breaches by unauthorized access or making unauthorized modifications to the system.
• R K Software Inc.’s staff members, consultants, and subcontractors protect all confidential information when in transit and at rest. When in transit, information and data are encrypted. When at rest, information and data are protected by passwords, firewalls, and other measures. Scripts and queries cannot penetrate the encryption or protections.
• Confidential information may be in the original format or a copy. Both are equally protected.
• When R K Software Inc. and its staff members, consultants, and subcontractors no longer need to have confidential information, the information will either be returned (in a secure way) to the New York City Department of Education or destroyed so that the data are unusable and unrecoverable.
• Any reports or applications which contain confidential information will have prominent confidentiality notices in legible-sized fonts on each page.
• Web applications containing confidential information will be non-cacheable.
• Confidential information will not appear in URLs.
• In development, test, and QA environments test data that is NOT confidential will be used.
• R K Software Inc and its staff members, consultants, and subcontractors will review and comply with any additional requirements from the New York City Department of Education.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  No PII will be stored or hosted by Entity.

Radish Education (also called Magma Math)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Magma Math is a supplemental math software for K-12 students. We receive PII through SSO platforms already used by the district in order to create accounts and set up classroom accounts for teachers.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Magma Math has administrative and technical processes to ensure the protection and confidentiality of Personally Identifiable Information (PII). Administrative safeguards include access controls and employee training on data security. Technical measures include data encryption for both stored and transmitted data. Physically, access to facilities housing sensitive data is controlled, and policies are in place for the secure handling and disposal of all devices and media that contain PII. These efforts are supported by ongoing risk assessments that help prioritize security measures and ensure effective resource allocation to mitigate data privacy risks. Together, these strategies form a comprehensive security approach designed to protect PII without compromising the integrity of Magma Math’s security practices.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Raj Technologies (also called RTI) (for a Vaccine Tracker)

Type of Entity: Commercial Enterprise

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Contractor will be responsible for the provision of support services for the Vaccine Tracking Enhancements Project to provide information about Covid 19 and test results to ensure the safety of students, staff and communities. Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.

Type of PII that the Entity will receive/access: Student PII. “The Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “The Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. “The Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.”

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. “The Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.”

Rally! Education

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. RALLY! Education® digital products use advanced encryption technology to protect online data. The purpose of each digital product is to help students understand and master the NY Next Generation Learning Standards and prepare for the spring NY State Tests. Our digital programs stand-alone on secured website servers. There is no need to access all student PII - we only require student, teacher, and admin email addresses and school-created passwords to set up the program - no other confidential information is needed or required. Our programs do not require All transmission of data other than diagnostic student, class, and grade reports using Secure Sockets Layer (SSL) protocols to encrypt the data being transmitted. In addition, all educational student and teacher names are stored on RALLY! Education® secured servers and are encrypted. RALLY! Education® servers use the latest security software to detect and defend from attacks and unauthorized access and is monitored daily. All transmission of data utilizes Secure Sockets Layer (SSL) protocols to encrypt the data being transmitted. In addition, all educational and personal information stored on RALLY! Education® servers is encrypted. RALLY! Education® servers use the latest security software to detect and defend from attacks and unauthorized access.

Type of PII that the Entity will receive/access: Student PII. The vendor specifies that “NYC DOE is the sole owner of any student and teacher data. The only information that is needed is the student’s name and teacher email/or ID and any passwords that the site or DOE sets up. For example, teachers and students can use their assigned NYC DOE ID number as their passwords or create unique passwords”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor specifies “RALLY! Education® is the sole source provider, and we do not contract with third-party providers.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. The vendor specifies that “All data is deleted on the RALLY! Education® servers. NYC DOE is the sole owner of all reports by student, class, and grade.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All class rosters provided to RALLY! Education® are the sole owner of NYC including the reporting data. Unless directed, there is no link between NYC DOE's website and our digital products. Depending on which products are purchased, each school receives access to a password protected URL unique to each school. We use password protected logins for all access on our secured servers. Administrators, teachers, and students also receive unique passwords to access the specific level of the product. (Administrators have access to all levels purchased, teachers have access only to the students in their class or classes, students can only access their grade level.) Diagnostic Reporting tools can be found within the Administration and Teacher portals. The reports can be downloaded and shared for meetings - no other private information is needed or required. During each semester, additional classes and students can be added or updated, and NYC is the sole owner. At the end of the agreement term, NYC will have copies of the data within the system for the school year. If NYC DOE prefers that RALLY! Education® set-up the school's passwords, we will do it within the confines of what the DOE requires. If NYC DOE uses Class Link®, we follow the secured protocols as stated by Class Link® for PII (although our products do not require complete PII access). In addition, RALLY! Education® uses advanced encryption technology to protect online data. All transmission of data utilizes Secure Sockets Layer (SSL) protocols to encrypt the data being transmitted. In addition, all educational and personal information stored on RALLY! Education® servers is encrypted. RALLY! Education® servers use the latest security software to detect and defend from attacks and unauthorized access and is monitored daily.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor specifies “RALLY! Education® encrypts all student and teacher data. All diagnostic reports are available through a unique login. No other confidential information is needed or shared. NYC DOE is the sole owner of any student and teacher data. The only information that is needed is the student’s name and teacher email/or ID and any passwords that the site or DOE sets up. For example, teachers and students can use their assigned NYC DOE ID number as their passwords or create unique passwords.”

Ramapo for Children

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 12/2020 – 6/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Facilitation of a Youth Council for the Office of Community Schools.

Type of PII that the Entity will receive/access: Student PII

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor’s response: “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedure outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Ramapo employees store and access data on a custom salesforce platform with restricted levels of access depending on the staff role. Salesforce is built with security to protect data and applications by limiting exposure of data to the users that act on it. Authentication protocols prevent unauthorized access to data by making sure each logged in user is who they say they are. Careful consideration is given to choosing the data set that each user or group of users can see, thereby limiting the risk of stolen or misused data. Specific objects (such as attendance lists or coaching notes) are only accessed by selected profiles.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. The vendor checked the box “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Reading Futures

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Reading Futures delivers small-group virtual reading intervention to groups of up to 4 students at a time, for 4-5 days per week, in grades 4-8. The intervention focuses on very basic reading skills for students who are 3-5 grade levels behind on reading. Students will participate in virtual tutoring sessions while at school during the school day or during an after-school program. Reading Futures teaches a program specifically developed for and validated with adolescents with severe reading difficulties. The outcome of this work is that students improve their ability to read individual words, especially multisyllabic words, and improve fluency and comprehension.

Reading Futures uses PII to enable students to sign in to Pearl for tutoring sessions, to provide assessments and evaluate students’ reading ability, to assign students to the correct groups, to track attendance and engagement at those sessions, and to monitor student progress provide reports to students, and their parents and teachers.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Workspace and the Pearl Tutor Management System.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Reading Futures employs the following administrative and technical safeguards to ensure PII will be protected and that data privacy and security risks are mitigated:

• Role-Based Access Control: Employees and Contractors only have access to student data relevant for their specific instructional or administrative purposes.
• Multi-Factor Authentication: All Employee and Contractor Accounts are secured with 2-factor authentication.
• Data Minimization: Only necessary data is collected and managed. Staff use data for educational purposes only. Data is deleted according to NYC DOE requirements.
• Security Culture: Staff are trained annually on data privacy and security requirements, including state legal and regulatory requirements, and commit to following the company’s Privacy and Security plan.
• Secure and Encrypted Storage: All PII is stored in secure systems, encrypted in motion and at rest.
• Data segmentation and classification: Student data is segmented by client and by school site to limit access according to our access control policies. 
• Our employees comply with data security policies including Device Management, Email and Internet Use, Physical Security (including “clean desk”), Social Media, and Remote Work.
• Data transfer to and from NYC DOE participating schools is conducted using access controlled secure Google Drives, with access allocated to site staff as instructionally necessary.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Reading Horizons

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Tech-enabled foundational reading instruction that helps all students reach reading proficiency.

PII: IP Addresses of users, Use of cookies, etc., Other application technology meta data, meta data on user interaction with application, standardized test scores, language information (native, or primary language spoken by student), student school enrollment, student grade level, specific curriculum programs, student scheduled courses, teacher names, English language learner information, Local (School district) ID number, Provider/App assigned student ID number, Student First and/or Last name, Program/application performance, Academic or extracurricular activities a student may belong to or participate in.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Azure, AWS, Google.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Reading Horizons enforces role-based access controls, maintain comprehensive data privacy policies, and conduct regular employee training. Technical controls includes encryption, robost network security, and vulnerability assessments.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Reading Plus

The exclusive purposes for which Protected Information will be used: To set up and manage your subscription to use the Reading Plus application. To set up and maintain your individual use account. To administer and protect the Reading Plus application (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data). To use data analytics to improve our Reading Plus application and customer relationships and experiences. For research purposes to better understand how we can develop and improve our Reading Plus application and/or create new products to help students become better silent readers and independent learners. To send marketing communications to teachers and administrative users.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: All Subcontractors sign binding NDAs that bind them to data protection agreements that Reading Plus LLC is part of. 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Following expiration or termination of the agreement under which the Client purchased access to the Reading Plus web-based products or services, and upon receipt of written request from the Client, Reading Plus will destroy or, if agreed, return to the Client, the Student Records in its possession within a commercially reasonable period of time. 

[NYC DOE comment: The current agreement became effective starting on August 30, 2019 and terminates when all NYC DOE schools and/or offices cease using Reading Plus LLC’s products/services. The terms of the agreement remain effective through the period during which Reading Plus LLC possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data is stored within the United States, encrypted in transit and at rest. We have put in place reasonable and appropriate security measures designed to prevent your personal data from being accidentally lost or used or accessed, altered or disclosed accidentally or in an unauthorized way. In addition, we have put in place policies and protocols designed to limit access to your personal data to those employees, agents, contractors and other third parties who have business need to know. 

How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted in transit with SHA-256 with RSA encryption. Data is encrypted at rest with AES-256 encryption algorithm.

ReadWorks

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ReadWorks allows students to read our material and submit responses to questions and writing prompts as part of an online class. All data is stored exclusively for educational purposes, primarily to ensure the smooth functionality of the website itself. No student PII is utilized for commercial or marketing purposes, nor is retained after a student’s use of the site is discontinued by that student’s teacher.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ReadWorks stores and processes student data in accordance with industry best practices. This includes encryption and appropriate administrative, physical, and technical safeguards including firewalls to secure Student Data from unauthorized access, disclosure, and use. We conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. We regularly perform system audits and work to ensure all of our software has the latest security-related patches and updates.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Really Great Reading Company

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2022 – 8/31/2029

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Really Great Reading’s Products are designed to provide foundational reading skill instruction for students in grades PK‐12 via Teacher Online Tools, Reading Playgrounds, and Virtual Implementation Training Courses for our Phonics Suite Programs. Really Great Reading receives and accesses PII for purposes of providing students with practice opportunities within Really Great Reading’s Reading Playground digital platform and facilitating the monitoring of student performance and progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data in motion is secured with standard HTTPS protocol Transport Layer Security (TLS). Data stored at rest is encrypted, as are its automated backups, read replicas, and snapshots using Amazon AWS RDS encryption. Keys are managed with the AWS Key Management Service (KMS). All data is stored in a password protected database with strong password requirements, server-based firewall limiting data access to those end‐points necessary, and limits to development roles that have access to production data. Only business‐necessary PII will be stored. RGR applications are hosted in Amazon Web Services (AWS). More information about the physical security of AWS data centers may be found on the AWS website. Access to PII and application data will be limited to only those employees who necessarily require access to data in the performance of their role with projects. Employees, who have access to PII must complete Security Awareness Training (Coursera) and demonstrate awareness and discretion in their day‐to‐day practices related to security and handling of sensitive information. Employees must sign or acknowledge these policies as they relate to their role. Background checks are conducted on all employees. In the event of unauthorized access or data breach related to the client's application data, RGR will provide requisite notification in accordance with Section 5(f) of this Agreement.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Reconstruction US

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Program Overview: Reconstruction provides holistic, supplemental, culturally-relevant curriculum, centered on the Black experience. Our comprehensive solutions create transformative learning experiences that inspire student empowerment and equip teachers to effectively educate on culturally-responsive content. This is done through 4 services:

• LIVE INSTRUCTION - Live tutored, supplemental, culturally relevant courses centered on the Black experience delivered via our proprietary platform for K-12 students. These courses are designed for students and sold directly to school districts and community based organizations.
• CURRICULUM LICENSING - Members of school districts and community based organizations are trained by our staff to teach a set of Reconstruction math and reading courses for K-12 students.
• PROFESSIONAL DEVELOPMENT - We provide a professional learning series for K-12 educators where they will explore best practice for creating engaging and identity affirming spaces for Black scholars. Topics include: Black Boy Joy, Building Aspirational Capital, Creating a Culturally Relevant Classroom, Teaching Culturally Relevant Curriculum, Resistance Capital and more.
• ONYX - A comprehensive platform that empowers teachers to design culturally relevant lesson plans centered on the Black experience through the use of generative AI.

To effectively deliver our programming, Reconstruction requires limited Personally Identifiable Information (PII) for essential operational reasons:

• Account Creation: Student (and sometimes teacher) names and email addresses are needed to set up individual accounts for secure class enrollment and personalized learning experiences.
• Tutor Interaction: Names enable tutors to personalize communication, enhancing the educational connection.
• System Integration: Email addresses allow for integration with single sign-on platforms like Clever, simplifying course access.
• Appropriate Course Placement: Grade levels help in assigning students to courses that match their academic level, ensuring an effective learning pace.

Additional PII, such as gender/pronouns and phone numbers, may be manually entered into our system by students, but is never requested or required.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Drive, AWS, Hubspot.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Our commitment to the protection of Personally Identifiable Information (PII) is upheld through a blend of administrative, technical, and physical safeguards tailored to prevent unauthorized access, disclosure, alteration, and destruction of data.

• Administrative Safeguards: We adhere to data protection policies and procedures that are reviewed and updated in response to changing regulations and emerging threats. Access to PII is limited to key personnel and managed through role-based access controls. Additionally, all employees and subcontractors are required to sign data confidentiality agreements to ensure an understanding and commitment to our privacy and security standards.
• Technical Safeguards: Our technical measures include robust data encryption protocols for PII at rest and in transit, ensuring data integrity and confidentiality. Our development practices are centered around security, incorporating assessments such as penetration testing and vulnerability scanning as needed to identify and remediate potential risks.
• Risk Mitigation: We have a comprehensive incident response plan in place to manage and mitigate the impacts of any data breaches or security incidents efficiently.

Our strategy is to maintain vigilance and adaptability in our security practices, ensuring the ongoing protection of PII within a framework that respects privacy and complies with relevant regulations.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Red Circle Solutions (for School App Express)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. School App Express is a product that provides custom apps for schools, which schools can operate through a website. The app sends out push notifications, makes mass calls (when schools are closed, etc.), sends mass emails, and sends mass text messages as well. School App Express does not collect or store any data for students or parents that is not related to messaging and communication.

Type of PII that the Entity will receive/access: Student PII and Other: Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data is encrypted by Azure Transparent Data Encryption. Employees must use MFA to access cloud services.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Rediker Software

Reel Stories Teen Filmmaking

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Reel Teen Filmmaking, inc. provides media arts instruction, media arts education professional development, and media arts services. In the event that Reel Teen Filmmaking, inc. instructs New York City public school students, only the names and school email addresses of those students will be attained in order to report attendance and assign/collect media assignments.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and

written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Drive (under Reel Works secured server and organization account).

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Reel Works will classify PII in terms of sensitivity and store that PII in a restricted file that only 1 authorized user can access. Reel Works has established an acceptable usage policy for accessing PII. This policy defines who can access NYC DOE student PII and the acceptable way(s) to use it to reinforce proper PII access and usage. When you upload a file of any type to Google Drive, as Reel Works intends on its secured server, it is stored securely in world-class data centers. Data is encrypted in-transit and at-rest.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Regents Booster

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2022 – 8/31/2029

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We created an online learning program with a controlled environment where each student can advance at his or her own pace. The full high school curriculum on certain Science and history subjects is now being offered in digital format and allows for note-taking, highlighting, audio, bookmarking, encyclopedia lookup for further research, search options, and Translations helping students who have difficulty reading or for those students that English is their second language. The digital eBook copy can also be used together with the printed copy further enabling the retention of the materials taught in class.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, specifically “Amazon secure data centers using AWS and GCP technology.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We have a Platform that has implemented industry best in class security, privacy, and compliance controls. Regent Boosters has a platform that is CCPR, GDPR, PCI DSS compliant, with a star level 1 certificate. Our Physical Infrastructure is hosted & managed by the Amazon Secure Data Centers and uses AWS and GCP Technology and is constantly managed for Risk and undergoes recurring assessments to ensure compliance to industry best standards. All student/ user data is hosted in the USA, Data is encrypted in transit (SSL/TLS) and at rest AES 256.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Relay Graduate School of Education

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Relay Graduate School of Education will deliver professional development workshops and programs, focusing on enhancing leadership and instructional practices. This includes preparing session materials, coordinating logistics, and facilitating the training sessions to the workshop participants, who are instructional leaders at the NYCDOE. In this workshop, teacher/educator PII used for logistics and communicate regarding workshop administration. Relay will not collect or store NYCDOE student PII data, but may view or access student data in the course of providing professional development services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Student PII is not collected, only accessed. Teacher/educator information is destroyed at termination.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Azure, GCP. “Relay collects information of NYCDOE staff, teachers, and educators who participate in professional development, not student PII.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

Administrative Safeguards:

• Access Controls: The Entity employs robust access control measures to limit access to PII to authorized personnel only. This includes role-based access controls (RBAC), ensuring that individuals only have access to the PII necessary to perform their job duties.
• Data Classification: PII is categorized based on sensitivity, and appropriate security measures are applied accordingly. This allows the Entity to prioritize protection efforts based on the level of risk associated with different types of PII.
• Training and Awareness: Regular training sessions are conducted to educate personnel about data privacy and security risks, including the proper handling of PII. This ensures that employees are aware of their responsibilities and understand how to safeguard PII effectively.

Technical Safeguards:

• Encryption: PII is encrypted both during transmission and at rest using strong encryption protocols such as AES-256 for data at rest and TLS 1.2 or higher for data in motion. This ensures that even if unauthorized access occurs, the data remains protected.
• Network Security: The Entity implements firewalls, intrusion detection systems (IDS), and other network security measures to protect against unauthorized access and malicious activities. This helps to prevent unauthorized parties from gaining access to PII stored on the network.
• Endpoint Security: Endpoints, such as computers and mobile devices, are secured using endpoint protection solutions. This includes antivirus software, endpoint detection and response (EDR) tools, and regular security updates to mitigate the risk of endpoint breaches.

Physical Safeguards:

• Secure Facilities: Physical access to facilities where PII is stored or processed is restricted to authorized personnel only. Access control mechanisms such as key cards and biometric authentication are utilized to prevent unauthorized entry.
• Data Center Security: Data centers housing PII are equipped with physical security measures such as surveillance cameras, access logs, and security guards to protect against physical threats. They are also SOC2 compliant .

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Remind101

The exclusive purposes for which Protected Information will be used: Remind will process Personally Identifiable Student Information (PISI) as necessary to perform the Services pursuant to the Terms of Service (https://www.remind.com/terms-of-service), and as further instructed by relevant parties in its use of the Services.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Remind will use a vendor risk management process to evaluate new vendors and monitor existing vendors on an annual basis. The following review areas are considered for vendors with whom personal data is exchanged: Compliance Status, Compliance Report Details, if applicable, Contractual Terms (confidentiality and data protection), Data Retention, and Data Security Controls.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Remind will adhere to the obligations set forth in our Privacy Notice and other Terms and Policies published at https://www.remind.com/terms-of-service.

[NYC DOE comment: The current agreement became effective starting on April 10, 2020 and terminates when all NYC DOE schools and/or offices cease using Remind101, Inc.’s products/services. The terms of the agreement remain effective through the period during which Remind101, Inc. possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Remind will store data in cloud-based data centers located in the United States.

How the data will be encrypted (described in such a manner as to protect data security): Data transmitted across untrusted networks will be protected in transit using TLS V1.2 and will be stored at rest in an encrypted state using AES-256 bit encryption.

Renaissance Learning, Inc.

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Renaissance provides three general categories of services:

• Educational Assessment (including mylGDls, Fundamentals, and Star Assessments)
• Practice and Instruction (AR, Freckle, Lalilo, myON); and
• Insights and Analytics (eSchoolData, Schoolzilla, and Analytics).

PII is used to create user accounts, administer assessments and develop reports, and track student progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII is stored in the United States for all Renaissance products, including Lalilo. Renaissance’s information security program implements technical, physical, and administrative controls to safeguard customer data. Renaissance’s information security program implements layered security set of technical, physical, and administrative controls to safeguard customer data. Our Security processes and controls substantially follow industry recognized standards, including the FIPS 200 standard and NIST Special Publication 800-53.

Technical controls include: data loss prevention, encryption (in-transit and at rest), role-based access control, endpoint detection and response, managed detection and response, next-generation firewalls, segmented design, patching, system hardening, vulnerability scanning, dynamic application security testing, penetration testing, network monitoring, system monitoring, and traffic analysis.

Physical controls include: AWS and Azure provided services, a physical security program that is audited as part of the SOC 2 Type 2 examination of controls.

Administrative controls include: risk management program, a standing incident response team, security education and training programs, as well as a compliance program. We monitor systems 24 hours a day, 7 days a week and any suspicious activity is promptly investigated.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Renzulli Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 4/1/2021 – 6/30/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Renzulli Learning is an interactive online system that provides students with a personalized learning environment, allowing teachers to easily differentiate instruction to increase engagement and achieve higher academic performance. Renzulli Learning has resources that promote and enable ALL students to pursue their interests, providing equity, innovation and creativity for grades Pre-K through 12. Students are empowered by doing creative, imaginative projects that provide rigorous learning outcomes.

The Renzulli Profiler quickly identifies student strengths, interests, learning and expression styles and then matches each student with thousands of personalized engaging Enrichment Activities. Renzulli Learning features robust student grouping which supports our revolutionary strength-based Project Based Learning (PBL) system.

Research shows that Renzulli Learning benefits all Students including:

• Gifted and Talented Students
• High Achieving Students
• At Risk Students
• Students with Special Needs
• English Language Learners (ELL)

Renzulli Learning supports the development of 21st Century Learning Skills for all students, including: critical thinking, creative problem solving, creativity, time management, communication, teamwork, and global competency through our Global Collaboration module. The system has been used by millions of students across the globe, consistently increasing engagement which research demonstrates will lead to higher achievement. Renzulli Learning is available to all students throughout the school year, before, during, and after school, and all throughout the summer as well!

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Renzulli Learning utilizes LightEdge Solutions, Inc. an ISO/IEC 2700:2013 certified company with Corporate Headquarters in Des Moines, Iowa. LightEdge uses several third-party systems to manage data. The systems reside within LightEdge’s internal network and utilizes a web-based application only accessible from the corporate network or through a cloud provider using single sign-on (SSO) to access data. Vulnerability assessments and penetration testing are performed on a monthly and annual basis to identify threats. Any identified security vulnerabilities are triaged by their security team and monitored through resolution. Policies are in place that prohibit the transmission of sensitive information over the internet unless it is encrypted. Risk mitigation activities include the identification, selection, and development of control activities that reduce the assessed risks. LightEdge maintains administrative, technical, and physical safeguards to protect confidential information including provisioning, controlling, and monitoring of physical access into the data centers and office facilities.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Replications

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Replications staff develop and implement community schools and 21st CLC programs in elementary, middle, and high schools in the Bronx, Brooklyn, and Manhattan. Under the leadership of the Community School Director, and in collaboration with the school’s administration, Replications encourages student participation in academic enrichment and extended learning time activities, combats absenteeism, provides mental health services and supports parent engagement in the activities of the school, and the overall environment and culture of the school is improved.

PII is required to contact students and families to support student attendance and family and community engagement and, track and maintain student progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Veeam.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Replications policies and practices are designed to ensure PII is properly collected, protected, and stored. Specifically, the policy states that:

• Replications’ IT Coordinator will be responsible for setting up and maintaining the electronic PII system using computers and other equipment to be stored in his office.
• Replications’ IT Coordinator will regularly conduct spot checks to ensure that PII data is properly collected, encoded, and stored.
• The IT Coordinator will ensure that the PII electronic data system is segregated from and stored in a different space from other data systems kept by Replications.
• Access to the electronic PII systems will be limited to staff with a need-to-know designation.
• Student files are to be kept in locked filing cabinets in the Community School Director’s offices.
• Access to student and family files and information is limited to staff with a need to have such access.
• Mandatory training will be provided to all staff on the requirements and importance of the agency’s confidentiality PII policy.
• Student information, records, and data are not to be disclosed by any member of Replications to any other organization, agency, other entity or individual except as authorized by law or via signed consent by the person whose PII is being requested.
• The creation of new user accounts and participation in virtual group meetings must also align with the policies regarding collection and distribution of PII.
• Replications is committed to practicing Universal Precautions/Standard Protocol & Procedures and to comply with all Federal, State, City, and DOE confidentiality, privacy, and security laws and practices. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Rising Ground (for Community Schools services)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2024, extended to 6/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Rising Ground holds two Community School contracts (RFPs 1341 and 1191) A core service of Community School provider is assistance with student attendance. As such, Rising Ground staff will have access to personal biographic information to contact families regarding student’s attendance. Additionally, Rising Ground staff will have access to Individual Education Plan (IEP) and English Language Learner (ELL) information to assist school administration in assuring plans and supportive services are in place.

Information collection is NOT required to receive services, but rather to assist in student engagement. Personal identifying information (such as names, phone numbers and/or email addresses) are solely used to engage students in the services we provide. Information is kept on a securely-saved electronic spreadsheet and not shared with anyone outside of approved program staff.

All Rising Ground staff are required to be trained and attest to confidentiality protocols which are governed by federal, state and local laws. This includes, but not limited to, social service law, child welfare, educational (FERPA), health (HIPAA) laws and regulations.

Data may be aggregated for internal reporting purposes. This information is not used for research purposes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Cloud service provider: Expedient Cloud services solution: IaaS – Infrastructure as a Service (Servers -VMs) DRaaS – Disaster Recovery as a Service Backups for all servers and data.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Rising Ground fully appreciates the importance of sound record management and has strict policies and procedures which ensure that all records are maintained within local, state and federal laws and standards. All personnel, medical, client and financial files are maintained in accordance with our Confidentiality and Document Retention Policies. All records are filed and stored systematically, in fire-proof settings, and only employees in need of access to records are granted such access. Our Confidentiality Policy ensures that employees understand that any personally identifiable information regarding a person’s health, mental health, education, family or employment is considered confidential and that confidential information is protected by the law. Employees are strictly prohibited from inappropriate or unauthorized disclosure of such information. To protect our software, hardware and the confidentiality of staff and client information, all internet access is filtered and monitored using antivirus, anti-spyware programs. Our Documentation Retention Policy ensures that necessary records and documents are adequately protected. Others are safely stored at a record storage facility. All employees are trained in our Confidentiality Policy, and relevant employees are trained in the Document Retention Policy. Both internal and external audits ensure that these standards are observed and that confidentiality is continually maintained.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Rising Ground (for Crisis Management Services)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. As part of City Council’s “Crisis Management Services” initiative, Rising Ground provides trauma-informed therapy and support to teens within two NYC public schools. Our Youth for Change programs offers individual and group counseling on topics such as consent, health relationships, self-image, coping skills, healthy masculinity, mediation, and offer socioemotional support. Additionally, we co-facilitate health classes and offer mediation sessions. We also train staff and administrators regarding strategies to integrate healthy relationships and communication skills.

Rising Ground staff do not have access to student records or school systems. As standard counseling practice, personal contact information is collected, from the students themselves, to remain in contact with students (i.e. should they miss a scheduled appointment). This enables a counselor to contact a student when they miss an appointment to ensure they are okay and reschedule. Information collection is NOT required to receive services, but rather to assist in student engagement. There is no access to educational records. Personal identifying information (such as names, phone numbers and/or email addresses) are solely used to engage students in the therapeutic services we provide. Information is kept on a securely-saved electronic spreadsheet and not shared with anyone outside of approved program staff.

All Rising Ground staff are required to be trained and attest to confidentiality protocols which are governed by federal, state and local laws. This includes, but not limited to, social service law, child welfare, educational (FERPA), health (HIPAA) laws and regulations.

Type of PII that the Entity will receive/access: Student PII

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor’s response: “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedure outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Cloud Service Provider – Expedient Cloud services solution; IaaS – Infrastructure as a Service (Servers -VMs), DRaaS – Disaster Recovery as a Service Backups for all servers and data.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Rising Ground fully appreciates the importance of sound record management and has strict policies and procedures which ensure that all records are maintained within local, state and federal laws and standards. All personnel, medical, client and financial files are maintained in accordance with our Confidentiality and Document Retention Policies. All records are filed and stored systematically, in fire-proof settings, and only employees in need of access to records are granted such access. Our Confidentiality Policy ensures that employees understand that any personally identifiable information regarding a person’s health, mental health, education, family or employment is considered confidential and that confidential information is protected by the law. Employees are strictly prohibited from inappropriate or unauthorized disclosure of

such information. To protect our software, hardware and the confidentiality of staff and client information, all internet access is filtered and monitored using antivirus, anti-spyware programs. Our Documentation Retention Policy ensures that necessary records and documents are adequately protected. Others are safely stored at a record storage facility. All employees are trained in our Confidentiality Policy, and relevant employees are trained in the Document Retention Policy. Both internal and external audits ensure that these standards are observed and that confidentiality is continually maintained.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. The vendor checked the box “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Riverside Assessments (also called Riverside Insights)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Riverside Insights uses PII exclusively for the purposes of delivering and improving educational and clinical assessment services. Examples of such uses include rostering students/examinees, inputing assessment responses, scoring assessments, and providing customer service.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

Administrative Safeguards: Riverside follows Role-Based Access Controls, granting access only to authorized individuals who have a need to access information as part of their work responsibilities. Personnel complete regular cybersecurity training, and Riverside conducts social engineering simulations throughout the course of the year, assigning additional training to individuals who fail the simulations.

Technical Safeguards: Riverside conducts quarterly vulnerability scans and annual penetration testing on the application. We are in the process of implementing an end point protection solution provided by SentinelOne and use the Rapid7 suite of products to detect potential incidents and threats. PII is encrypted both at rest and in transit. All data stored on Riverside’s systems is protected with file system, network share, claims, application, or database specific access control lists. Riverside uses email gateway products provided by Sophos to centrally manage spam protection mechanisms, including signature definitions, in order to reduce the introduction of malicious software to client systems.

Physical Safeguards: The application is hosted in SSAE16 SOC 2 Type 2 audited hosting centers. Our third-party managed hosting provider maintains facilities that designed from the ground up to minimize risk of power and climate control failure. Our hosting provider performs periodic testing and auditing of their facilities. All facilities have full battery and generator power, so in case of an outage, power is maintained indefinitely.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Riveting Results

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/16/2024 – 6/30/2025.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Riveting Results provides a 9th and 10th grade English Language Arts software-based curriculum. The program provides curriculum content to enable teachers to teach their students how to read and write about advanced texts. Schools provide students’ first and last name and emails to enable google sign-on and to access student-level data regarding their performance. No third party is involved in the compilation or analysis of data.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Data Storage Location
  • The Riveting Results® platform is a cloud-based application.
  • Our servers that store student information and student data are located on the Google Cloud platform located in the United States.
  • We do not store any student data outside of the US.
• Network-Level Security Measures
  • The Riveting Results® platform servers are hosted in a cloud environment.
  • Our hosting provider implements network-level security measures in accordance with industry standards.
• Server-Level Security Measures
  • Access to production servers is limited to a small, identified group of operation engineers who are trained specifically for those responsibilities.
  • Google Cloud handles all security updates on the server level.
  • The servers have intrusion detection, configuration control, monitoring/alerting, and automated backups.
  • RR constantly monitors for vulnerabilities in our software
• Computer/Laptop/Device Security Measures
  • RR employs a full IT staff that manages and secures its corporate and employee IT systems. Access to all RR computers and laptops is password-controlled. RR sets up teacher and administrator accounts for Riveting Results® platform so that they are also password-controlled.
  • We support customers that use single sign on (SSO) technology for accessing the Riveting Results® platform.
• Encryption
  • The Riveting Results® platform is only accessible via https and all public network traffic is encrypted with the latest encryption standards.
  • Encryption of data at rest and in motion is implemented for all data stored in the Riveting Results® platform system. 
• Employee and Contractor Policies and Procedures
  • RR limits access to student-identifiable data and customer data to those employees, contractors and subcontractors who need to have such access in order to allow RR to provide quality products and services to its customers. RR requires all employees, contractors and subcontractors who have access to RR servers and systems to sign confidentiality agreements. RR requires its employees and contractors and subcontractors who have access to student data to participate in annual training sessions on IT security policies and best practices. These sessions are conducted virtually and cover the following topics:
    • Introduction to Student Privacy Laws
    • Definition of Personally Identifiable Information (PII)
    • Handling of Student Data
    • Data Security Best Practices
    • Data Retention and Disposal
    • Employee Responsibilities
    • Data Sharing and Third Parties
    • Incident Response and Reporting
    • Training and Awareness
    • Q&A Session
  • In the case of our large cloud service providers, we have reviewed their privacy and security policies and they comply with the requirements of the NDA. Any employee who ceases working at RR is reminded of his or her confidentiality obligations at the time of departure, and network access is terminated at that time. RR has audit logs whenever PII is accessed.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Roads to Success

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 9/07/2023 – 6/26/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Roads to Success is the lead partner at PS/MS 57, the James Weldon Johnson Academy, our only community school located in East Harlem, where we serve 527 students in grades 3K-8. PII is essential for implementing our programs, facilitating targeted interventions through case conferencing, advisement sessions, and data trend observation, ultimately contributing to students' academic success and well-being.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft OneDrive.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The Roads to Success Community School Contract at MS 57 employs a comprehensive approach to protect Personally Identifiable Information (PII) and mitigate data privacy and security risks. While the full details of our safeguards are sensitive and proprietary, we can provide an overview of our measures:

• Administrative Safeguards:
  • The executive team and our IT department are responsible for overseeing and implementing our data protection protocols.
  • Regular training programs are conducted for all personnel who handle PII, ensuring awareness of data privacy laws, security practices, and our internal policies.
  • Access to PII is strictly controlled and limited to authorized personnel on a need-to-know basis, with user roles and permissions carefully defined and monitored.
  • We conduct thorough background checks and reference screenings for all employees and contractors who handle PII.
• Technical Safeguards:
  • PII is stored in secure, encrypted databases with access controls and multi-factor authentication mechanisms in place to prevent unauthorized access.
  • Robust firewalls, intrusion detection systems, and advanced threat detection  technologies are deployed to safeguard against external threats.
  • Regular software updates and patch management ensure that security vulnerabilities are promptly addressed.
  • Data transmission is encrypted using industry-standard protocols to prevent interception and unauthorized access.
• Physical Safeguards:
  • Physical access to our data centers and server rooms is restricted to authorized personnel only, with strict access controls, surveillance, and security measures in place.
  • Facilities housing PII are equipped with environmental controls to ensure optimal conditions for data storage.
• Risk Mitigation:
  • We conduct regular risk assessments and vulnerability assessments to identify and address potential security gaps.
  • Incident response plans are developed and regularly tested to ensure swift and effective actions in case of data breaches or security incidents.
  • We maintain strong partnerships with cybersecurity experts and engage in ongoing threat intelligence monitoring.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

RocketLit

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. RocketLit, Inc. offers the Rocketlit and InnerOrbit platforms, which are adaptive educational platforms designed to help students learn various subjects, including science and social studies and assess their understanding and application of their knowledge and skills through assessments. InnerOrbit.com is a website that supports students, teachers, and administrators with Science assessments, activities, reports, and professional learning. RocketLit is an adaptive reading platform that tailors science and/or history assignments to participating students’ reading levels. Teachers can register their students so that they may access the materials.

RocketLit will receive PII for the purposes of allowing students, teachers, and admin to login to the platform, build or administer assessments and view reports. Students will take assessments , view reports on progress, and receive teacher feedback.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. RocketLit prioritizes the protection and security of its users’ personal information, and maintains a series of safeguards designed to protect against any unauthorized disclosure or access to users’ personal information. All employees are given background checks and privacy/compliance training every 6 months across the organization. All student and teacher data is stored in the Google Cloud Platform. Google Cloud firewalls are fully embedded in the cloud networking fabric. Passwords are hashed one-way using the latest hashing algorithms. Google Cloud SQL Databases store all data which is encrypted during transfer using SHA-256 with RSA Encryption SSL Certificates. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Robo Wunderkind

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Robo Wunderkind is a turnkey solution for children to learn 21st century skills. Our emphasis is on robotics and coding within the subjects of STEAM. Students can build any robot or smart device they can imagine with our kits and program them in 3 different programming languages to progress from simple to complex projects. Our content is project based and aligned with curriculum standards. PII is required to create student accounts, keep each student’s projects their project assessments, and grading history saved and associated with their accounts to provide feedback to the student, and provide an intuitive platform for teachers to track student progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Digital Ocean.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. On the administration side, Robo Wunderkind has company standards in place to have 2FA on all accounts, and role based permissions on all accounts associated with development to ensure no unauthorized access can be given to PII. Digital Ocean’s NY3 server where the PII shall be kept is certified to SOC 2 Type II, SOC 3 Type II and PCI-DSS standards to ensure the digital and physical security of the data kept, and to alert of data risks and breaches. In the event of a data breach it is our policy to alert all of our users of this event so it can be dealt with swiftly and transparently. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Rockalingua

Type of Entity: Commercial Enterprise

Contract / Agreement Start Date: 2/2/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Rockalingua is an educational website for Spanish teachers and students. Through engaging content (videos, songs, interactive games, short stories and more) students will gain proficiency in the Spanish language. We offer two types of teacher subscriptions. The basic teacher subscription includes access to all of our resources and a generic student account so that students can access from their own devices. The Pro account gives teachers access to all of the resources and our learning management system where they can create classes, assign tasks and monitor student work. We have an integration with Google, Clever and Classlink.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and Vercel.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Our platform is NIST SP 800-53 certified, data is encrypted, and we are FERPA and COPPA complaint. Penetration test are regularly conducted to ensure the security of our system and all personal are trained annually.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Rosetta Stone

The exclusive purposes for which Protected Information will be used: The exclusive purposes for which “student data” or “teacher or principal data” (as those terms are defined in Education Law Section 2-d and collectively referred to as the “Confidential Data”) will be used by Rosetta Stone, Ltd. (the “Vendor”) are limited to the purposes authorized in the contract between the vendor and the NYC DOE (the “Contract”).

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: The Vendor will ensure that any subcontractors, or other authorized persons or entities to whom the Vendor will disclose the Confidential Data, if any, are contractually required to abide by all applicable data protection and security requirements, including but not limited to those outlined in applicable state and federal laws and regulations (e.g., Family Educational Rights and Privacy Act (“FERPA”); Education Law §2-d; 8 NYCRR Part 121).

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The Contract commences and expires on the dates set forth in the Contract, unless earlier terminated or renewed pursuant to the terms of the Contract. On or before the date the Contract expires, protected data may be exported by the School District in the client facing administrator tool and/or destroyed by the Vendor as directed by the School District. 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Confidential Data provided to Vendor by the School District will be stored in the United States and protected as per the Student Records Data Privacy Policy.

How the data will be encrypted (described in such a manner as to protect data security): The Vendor will apply encryption to the Confidential Data while in motion and at rest at least to the extent required by Education Law Section 2-d and other applicable law.

Rubrik

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Entity will provide data backup and recovery services. Entity will not use any PII for any purpose other than as reasonably necessary for Entity to provide the services procured by NYC DOE. Entity’s data protection platform will offer NYC DOE third-party, secure backup & recovery capabilities for NYC DOE's M365 tenant. Entity will be creating immutable, air-gapped copies of select e-mailboxes, instant messaging platforms, and file sharing and document management systems, or such other types of data sources for which NYC DOE elects to utilize the Entity services. These copies will be kept in Rubrik's secure Azure tenant for retention and fast operational recovery.

Type of PII that the Entity will receive/access: Other: “Type of PII submitted to Processor or Rubrik Service is solely within the discretion of NYC DOE and may include, but not be limited to names, addresses, e-mails, personnel files, student records, and more.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Upon expiration or termination of the services, NYC DOE will have thirty (30) days to retrieve any data or information contained within the Entity’s platform, including any PII. After the thirty (30) day grace period, the NYC DOE instance on the Entity’s system, including any PII remaining therein, will be permanently deleted by Entity.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: “While it is unlikely this request would come to Entity as a backup and recovery provider, Entity agrees to follow the procedures outlined above, to the extent the person or persons making the request identify that they are affiliated with the NYC DOE account. Entity will work with the requestor to redirect them to the source of their data, using commercially reasonable efforts to notify the NYC DOE if Entity believes the requestor may be associated with NYC DOE.”

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor. “To the extent NYC DOE has licensed an Entity service offering for which NYC DOE is hosted by Entity (as of the Effective Date, these offerings are: Rubrik-hosted M365 and Rubrik Cloud Vault) then the NYC DOE instance will be hosted on Microsoft Azure.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. With respect to data security, Entity uses AES-256 for data at-rest and data in-flight encryption. All critical customer configuration information is encrypted using modern cryptography via CSP Managed Encryption Keys. Sensitive fields in the database are encrypted using an encryption framework built on top of CSP’s Cloud Key Management Service and Cloud IAM. A key management process is in place to facilitate key rotation and revocation. All backup data is encrypted using the AES 256-bit algorithm. All communications with Entity’s UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2+) over public networks. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Saga Innovations (Saga Education)

Sam Labs

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SAM Labs software app “SAM Studio” is an educational coding platform for kindergarten - 8^th grade students to learn the basic foundations of coding, allowing students to pair with hardware blocks to bring the code to life. Our lessons range across different focus areas of STEAM and Computer Science, and can be used in specialist courses like STEM Specials, Computer Science Class, general education environments, and Makerspaces.

We are a subscription service. In order for students and teachers to access the platform, we only require an email address. Teachers are currently rostered by our Customer Success team once the subscription date is set. This includes the teacher name and email aligned to the school NCES ID. The teacher’s name can be any chosen username that will appear in their account profile. This does not need to be the teacher’s real name; it can be a chosen username or nickname if desired. Once rostered, then teachers and admin will have instant access.

Teachers can manually create classes and upload student rosters on their own. When rostering, the only PII required from students is a working email. SAM Labs will never send email to these student accounts; this is only to create a unique identifier for the student being rostered. The student’s name can be any chosen username that will appear in their account profile. This does not need to be the student’s real name; it can be a chosen username or nickname if desired as the teacher uploads the roster. Once the .csv is uploaded, the student can access the account with the same email address.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. SAM Labs is like a superhero for your data! We understand that your information is precious, and we have a number of ways to keep it safe, just like a superhero protecting the city.

• Magic Shields (Encryption): We use a sort of magic shield called ‘encryption’ that scrambles your data into a secret code while it’s being sent or stored. Only the right ‘key’ can unscramble it, so it’s safe from bad guys trying to peek!
• Secret Passcodes (Access Controls & Authentication): Just like a secret superhero base, only people who really need to see your information can access it, and they need special passcodes. We also double-check everyone’s identity before letting them in!
• Super-Secure Fortresses (Physical Security Measures): We team up with Amazon Web Services (AWS), who provide us with super-secure fortresses (data centers) around the world to store  your information. These fortresses have top-notch security like fences, guards, cameras, and even environmental controls to protect against things like fire.
• Time Capsules (Data Backup and Retention): We regularly put copies of your data in a digital ‘time capsule’, just in case we need to go back in time and restore any lost information.
• Security Check-ups (Regular Security Assessments): Like regular health check-ups, our security experts regularly inspect our safety measures to ensure they’re still super strong. At SAM Labs, your data’s safety is our mission. If you have any questions about how we keep your information safe or want to report any issues, feel free to contact us at privacy@samlabs.com. We’re here to help!

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Samuel Field YM & YWHA

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Samuel Field YM & YWHA has worked to identify key PII, as defined in 34 CFR § 99.3, that it must receive to provide contracted services to youth and families. Services provided will include counseling and interventions with key personnel including social workers, to develop and implement afterschool activities, special community events, family engagement and referral to community resources and linkages. The collection of key PII will allow for us to appropriately record and track enrollment, attendance data and facilitate counseling. Where appropriate, PII data collection will be collected through the program’s informed consent application, which include parent consent to disclose student and family names; addresses; and student information including DOB, race/ethnicity gender, disability status, English Language Learners status. The collection of this key PII will allow for the program to efficiently report on key cohort characteristics and to make certain that recruitment and service delivery effectively target/address the populations targeted for this proposal submission. The purpose of the collection of student and family names will be used to ensure record attendance and safe sign-outs of the program daily. This data is essential to ensure that our program provides a safe and secure environment for all students that we serve. Key staff will utilize this data to make sure that students are appropriately accounted for at all times while scheduled to be in programming. It is imperative that attendance data is collected as it directly informs the culmination of key program outcomes, including the number of students that participate in services for the target hours of service as well as attendance performance indicators for specific categories. Due to the nature of the service, it is possible that counseling notes will include PII as defined as “Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.” These notes are necessary to ensure continued, effective mental health support for those receiving the services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Exponent Partners/Salesforce.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• A child’s PII will be collected and disclosed only as necessary to achieve educational purposes in accordance with state and federal law.
• A centralized staff person is responsible for supervision and monitoring appropriate safeguards, policies, and practices in place to protect the data.
• Staff will participate in mandatory 2-part training about applicable laws, policies, and safeguards associated with industry standards and best practices; consistent with NYC DOE’s data security and privacy policy.
• Encryption, firewalls and password protection will be mandatory for all emails and cloud usage to electronically transmit sensitive PII information.
• Samuel Field YM & YWHA, Inc. will not maintain copies of participant’s PII once PII is no longer needed for the educational purpose/ for which the DOE has disclosed PII.

Samuel Field YM&YWHA Inc. invested in a highly secure system, Exponent Partners. Exponent Partners is a system that requires unique usernames and passwords that must be changed frequently for protection. Access to programs and permission settings will be determined by staff and administrative usage; staff will only receive access to PII as needed to perform their job responsibilities. All data is naturally encrypted while being stored in a user access system via secure HTTPS connection. In addition, there is regular security code scanning to assess if there are any susceptibilities in the system.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Sapling Intelligence

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2024 – 6/30/2024.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Sapling Intelligence, Inc. offers an AI writing assistant that integrates with popular applications (such as Google Workspace and Microsoft office) in order to provide writing recommendations. Recommendations include grammar/spelling corrections as well as stylistic recommendations. Sapling receives names and emails of users for account provisioning. Text typed in editable fields in applications where Sapling is integrated is also processed by Sapling in order to provide writing suggestions.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Virtual Private Cloud (VPC) with default deny settings
• Encryption at rest (AES-256) and in transit (TLS 1.2+)
• Multi-factor authentication in order to access cloud services
• Continuous monitoring that Sapling follows industry best practices
• External pen testing (annual)
• SOC 2 Type II compliance
• Options for managing where Sapling is available
• Role-based access controls and SSO for end users 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Savvas Learning Company

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2022 – 6/30/2029

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Savvas provides K-12 instructional materials and related services to the DOE, some of which require PII such as student and teacher names in order to facilitate instruction and to track students’ performance.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Savvas will store PII on servers in a secured facility in the United States operated by a world-class hosting provider. Savvas will maintain an information security program of policies, procedures and controls governing the processing, storage, transmission and security of data (the “Security Program”). The Security Program includes industry-standard practices designed to protect data from accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access. Savvas regularly tests, assesses and evaluates the effectiveness of the Security Program and may periodically update the Security Program to address new and evolving security threats, technology and practices. No such update will materially reduce the commitments, protections and overall level of security provided to customers.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

SCAN-Harbor

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SCAN-Harbor provides services under the Community Schools strategy demonstrating the an integrated focus on academics, health and mental health services, social services, expanded learning opportunities (afterschool and summer enrichment activities), positive youth development, and family and community partnership, is critical to improving student achievement and bolstering equitable outcomes for all students, including vulnerable populations.

PII is being accessed to assess need and to track service outcomes. Data is used to identify students with low and chronic attendance, to provide food, clothes and toiletries to those students that live in temporary housing and services to the students in need of mental health counseling.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft 365 OneDrive.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Some physical files used are maintained by SCAN-Harbor, and others are owned by the New York City Department of Education. Physical files managed by SCAN-Harbor are housed in a locked file cabinet in the Program Office. Digital data is stored electronically via a secured cloud-based program whose encryption at rest and in communication uses Advanced Encryption Standard (AES) with 256-bit keys and is Federal Information Processing Standard (FIPS) 140-2 compliant. This policy only applies to those in SCAN-Harbor's exclusive possession. At the end of the retention period determined by the contract or upon request, SCAN-Harbor will return and securely delete or destroy PII. All information will be returned to the NYC DOE after the agreed retention period, or at such point that the data is no longer needed for the purpose referenced in this agreement, or, at the sole discretion of DOE, securely destroyed. All electronic data purged from the network in a manner that does not permit retrieval of the data following these procedures.

Secure Deletion: Electronic data is securely erased using industry-standard data destruction methods. This may involve overwriting data multiple times or using specialized software to ensure data cannot be recovered.

Deletion Timeline: Once a file in One Drive has been marked for deletion, it is placed in a recycling bin as a means of recovery for accidental deletion. After 30 days the file is securely deleted and cannot be recovered even by IT administrators.

All paper files will be shredded using SCAN-Harbor's secure data shredding system.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Scholastic Inc (for digital curriculum)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII.

• BookFlix: Pairs animated stories from Weston Woods with best-selling nonfiction ebooks from Scholastic to build real-world knowledge and early literacy skills.
• FreedomFlix: Offers a range of text types and media on more than 70 key social studies topics spanning ten areas of core-curriculum study.
• LitCamp Powered by Literacy Pro: Combines reading and writing lessons (K-8) with a fully digital summer school approach to accelerate learning. Children are immersed in personalized learning experiences while building their social-emotional skills, knowledge and vocabulary necessary for reading comprehension success.
• PreK On My Way: A new comprehensive program that welcomes every child into the classroom, celebrating their strengths as they take the next step on their learning adventure!
• Rising Voices Libraries: Provide students with high interest, culturally relevant texts that give context to today’s world while celebrating the stories of the historically underrepresented. These books, paired with innovative teaching materials aligned to the CASEL framework, build a classroom community that broadens the world for students from all backgrounds and enables deep discussions on inclusivity, social justice, and empathy for others. Each Rising Voices collection includes a digital resource website featuring mentor videos, continued-learning resources, discussion guides, standard correlations, and more to help teachers implement the program.
• Scholastic F.I.R.S.T.: Foundations In Reading, Sounds & Text, is a highly adaptive, foundational reading program for Grades PreK–2. Through explicit phonemic awareness training and systematic phonics instruction, F.I.R.S.T.’s research-based pedagogy trains the brain to master “speed of listening.” Students become automatic in their decoding skills, preparing them to read fluently and increase their reading comprehension.
• Scholastic GO!: Offers credible, accurate, reliable content on every core-curriculum topic in a clean, easy to navigate interface.
• Scholastic Literacy: A unique blended learning approach to standards informed comprehensive literacy instruction with a focus on balancing the rigor and flexibility that educators need to meet today’s high expectations. With unparalleled access to authentic and culturally relevant texts in every area of the literacy block, Scholastic Literacy is designed to engage readers, support social-emotional development, and help students become lifelong independent thinkers, readers, and writers.
• Scholastic Literacy Pro: A blended solution for Grades K–8 that empowers teachers to ensure effective reading for all students—in and out of school. It provides students with a single resource to read ebooks and track reading progress on both print and digital titles, while giving teachers real-time, actionable data about reading levels, activities, and comprehension.
• Scholastic Magazines+: A blended, subscription-based solutions that ignites student engagement through relevant, high-interest stories and powerful digital teaching tools. Magazines in print and digital are available for grades PreK-12.
• Scholastic RISE: A short-term intervention that provides targeted, small-group instruction in reading comprehension, word study and phonics, and guided writing. Based on Jan Richardson’s The Next Step Forward in Guided Reading, the RISE framework offers daily instruction for students who are reading six to 36 months below grade-level benchmarks. With RISE Online, instructors can assign students texts, monitor student progress, and access videos and other resources to easily facilitate remote instruction. Students can access assigned texts for extra reading practice on any device.
• Scholastic W.O.R.D.: Supercharges vocabulary acquisition and strengthens reading comprehension in a new and engaging way. With a thematic approach, W.O.R.D. prepares students to think critically and creatively about the world around them. By providing deep background knowledge, W.O.R.D. presents vocabulary as a tool for building meaning across all areas of learning—reinforcing students’ retention of skills learned throughout the school year.
• ScienceFlix: Integrates age-appropriate scientific content, interactive features and intuitive navigation to build knowledge and a lasting interest in scientific discovery.
• Short Reads Digital: Engages classrooms with access to fiction and nonfiction short texts at every guided reading level, and extends learning with teacher materials to accompany each text.
• The Scholastic Leveled Bookroom 5.0: A whole-school (K-6), small-group instructional system with over 6,000 books, 780 short reads, 24/7 access to instructional resources with the digital Accelerator, and professional books and services.
• TrueFlix: Provides thousands of resources to strengthen both educator instruction and student learning of science and social studies content-area knowledge.
• Watch & Learn Library: Builds learning excitement while providing the background knowledge and vocabulary necessary for reading comprehension success.
• LitLeague: LitLeague is an exciting new program that provides a joyous and interactive literacy experience for students in an engaging social- emotional literacy learning environment where children participate in book-related activities including read-alouds, group discussions, independent reading, writing activities, games, and songs. Tailored for expanded-learning times, after-school, extended day, English language learners, and more.
• Next Step Guided Reading: The Next Step Guided Reading Assessment uses proven Assess- Decide-Guide teaching system to determine students’ reading levels and target instructional next steps. From the key text features in the assessment texts to the evidence- based comprehension questions, the Next Step Guided Reading Assessment provides teachers with a way to assess students and teach them the skills to meet higher standards.
• Scholastic Edge: Using engaging, authentic text, EDGE connects striving readers to relevant and essential content needed for future academic success.
• Scholastic REAL: REAL (Read, Excel, Achieve, Lead) is a new program devoted to giving school districts the tools needed to recruit, encourage, and equip mentors to inspire students and build literacy skills.

Scholastic collects PII to provide students and teachers with access to its digital education technology products to support the BOE’s educational goals, to benefit its students, and to support product users. More specifically, PII is used, subject to applicable law and any contractual requirements:

• To support instruction and adaptive, personalized learning o By enabling administrators and educators to tailor and optimize use of the products to the needs of a particular school, classroom or student
  • By permitting educators to review student work and monitor student performance and progress, to facilitate lesson planning
  • By providing reporting capabilities at the district, school or class level (depending on the product), including in some cases cross-product performance data
  • By enabling students to access information shared by their teachers (assignments, content), track their progress, maintain files of their work, create book collections and play educational games
  • By suggesting other content or activities to students (but not for purchase or in the form of advertising)
• To authenticate users, maintain user sessions and facilitate return access
• To communicate with Scholastic’s education customers (teachers/BOE personnel only, not students)
• To ensure products run properly and support optimal user experience
• To diagnose problems, troubleshoot issues, and provide maintenance and support
• To detect and investigate unlawful activity and protect the security of Scholastic’s products, systems and customers
• To calculate royalties

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the Entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law. The Entity also states that “In some circumstances, with permission of the education customer, student PII may be retained to facilitate rostering in a subsequent period and/or resumption of product use. Teacher/BOE staff PII may be retained as part of the parties’ business relationship and/or in connection with separate accounts such persons may have with Scholastic. Note, data deletion/destruction may take the form of permanent, irreversible overwriting or de- identification to the extent permitted by law.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. These safeguards include standards that align with the NIST cybersecurity framework. Protected data is encrypted in motion (currently with TLS 1.2 encryption) and at rest (currently with 128-bit AES encryption). Processor conducts periodic risk assessments and keeps audit trails and security logs to assess and remediate vulnerabilities and to protect data from deterioration or degradation. Additional measures include firewalls, anti-virus and intrusion detection, configuration control and automated backups. Data is classified by sensitivity, and access to data is rule- and role-based.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

School Data Corp

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. School Data Corp. helps schools see how well students are performing over the course or the school year. We track how well they are reading, writing, or performing on the tests they take. We put this information in a teacher‐friendly format so teachers and principals can see which students are doing well, and which students need additional help or support. I need to PII so that I can identify individual students by their ID number to generate reports and assign them to their subgroups.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. “School Data Corp. uses Dropbox, but the information within Dropbox is encrypted and cannot be accessed or read by anyone at Dropbox. There is no sharing of unencrypted PII.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the Entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Dropbox.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All emails are encrypted. All data stored is encrypted. Our network is protected by a firewall. No paper records are maintained.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

School Specialty, LLC (for Coach Digital and Catch Up with Coach)

The exclusive purposes for which Protected Information will be used: Coach Digital Platform allows students to access tests and workbook pages online for instruction, practice, or assessments. Teachers will assign content to students and use this data for progress monitoring, assessment reporting, and targeting educational gaps.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: School Specialty maintains the necessary administrative and technical requirements to safeguard the security and privacy. Our teams work on company devices or virtual desktop environments within a secure VPN and two-factor authentication. Only Platform Developers and Support Admin roles can access PII to support customers. School Specialty staff participate in an annual code of ethics certification for protecting company information and data. All data on the platform is either protected via SSH or SSL connections for intraplatform communication and via HTTPS for web communication. School Specialty staff must sign Non-Disclosure Agreements, pass a background check, and participate in a companywide Security Awareness certification annually. All contractors must adhere to company Master Service Agreements and SOWs.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: [DOE comment: School Specialty’s agreement with the DOE is dated March 8, 2021]. Data is encrypted and deleted at the request of school or school district. 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: School Specialty, LLC will use Clever Rostering for student and teacher data. Data in Clever is shared at the discretion of NYC DOE. Data shared from NYC DOE SIS. School Specialty, LLC will work with the NYC DOE in processing challenges to the accuracy of student data.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): The Coach Digital Platform is hosted on a domestic Amazon Web Service Environment. The Amazon VPC Environment has Enterprise Level Support and 24/7 Managed Services for Security VPC, VPN, Firewall, and endpoint Management.

How the data will be encrypted (described in such a manner as to protect data security): The data in motion is encrypted with TLS 1.2.The Coach Digital Platform collects minimal data and will utilize Clever Secure Sync and SSO [Single Sign On]:

• Teachers and Administrators: First and Last Name and Clever ID
• Students: First and Last Name, and Clever ID.

The Coach Digital Platform utilizes AWS SSL and the VPC ELBs have Security Groups with least privileges enabled. Connectria LLC is in the process of finalizing a proposal to be fully compliant with this requirement.

School Specialty (for ThinkLink)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 10/5/2023 – 10/4/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ThinkLink is an online learning management system in which students use to access content specific to their learning. PII is used to track student performance.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Administratively, we have robust policies and procedures that are overseen by a team of security professionals, ensuring stringent management and monitoring of access to PII.

Technologically, we utilize state-of-the-art encryption methods and firewalls. We also employ physical measures to secure our premises and data centers, ensuring that only authorized personnel have access.

Additionally, we employ proactive strategies such as intrusion detection systems and vulnerability scans to identify and address potential security risks before they escalate.

Periodic reviews and audits are conducted to ensure that our security measures meet or exceed industry standards and regulatory requirements.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Schoolbinder (also called TeachBoost)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 10/1/2022 – 9/30/2029

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. TeachBoost is a performance management and educator development platform for K-12 schools. We work with NYCDOE schools and organizations to help them completely manage the evaluation, feedback, coaching, and development process for their staff, educators, and other support personnel. TeachBoost also works alongside the NYCDOE’s ADVANCE reporting system, handling the compliance requirements for DOE administrators.

We request, store, and process DOE employee PII for the sole purpose of providing these performance management and operational services. For instance, we request and store staff rosters and employee names and email addresses for employee user accounts, and we request store and process employee evaluation ratings as entered by DOE staff and administrators.

Type of PII that the Entity will receive/access: APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Amazon AWS and Linode.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We protect PII in number of ways, summarized on our Data Security commitment at https://teachboost.com/terms/data-security.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

SchoolCNXT 

SchoolMint (also called SchoolRunner)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Schoolrunner is a comprehensive data management system that simplifies day-to-day operations with straightforward, powerful and actionable data. Schoolrunner makes it easy to track attendance, student behavior, grades, and more. School administrators can easily see where students or teachers are struggling and can provide the support they need. Parents can see how their kids are doing via a real-time feed in the mobile app and can even get notifications when attendance or grades drop below certain thresholds.

The system allows for greater ease of use than current systems and also offers more flexibility so that schools can use data to achieve their goals. For example, some schools want to move to a mastery-based grading system which Schoolrunner supports. Schoolrunner also offers parents communication with built-in automated language translation to any of over 100 languages.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subtractor, i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Users and employees are permissioned to access the information they need based on their role in the system while restricting them from accessing information not needed for their role. Data and backups are encrypted in transit and at rest. Access to key infrastructure services are limited to a small number of engineering leaders and are protected by multi-factor authentication. Monitoring, logging, and alerting systems provide additional layers of security.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Schools That Can

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2023 – 8/31/2028.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. STC teaches a proprietary Career Readiness curriculum in high schools to help prepare students for their future. We administer exit tickets at the end of each career readiness lesson that we are deliver to NYC public high schools. These exit tickets are no more than 5 questions and they seek to identify student engagement in the lesson so we can evaluate our content and report back to the school about our progress. To realize this result we need access to limited student information that consists of: Student Name, Teacher Name, Student School Email Address, Teacher contact information. Similarly we administer pre- and post-studies at the beginning of the course and at the end to assess learning.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google and SurveyMonkey.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Administratively, the Entity will continue to implement data privacy policies and procedures for employees and regularly monitor who has access to PII. Furthermore, employees and contractors will continue to take regular training. The organization will review its incident response plan on a quarterly basis and identify any new organization threats as part of its quarterly security review. Technically, the organization employs industry standard encryption methodology and access authentication (MFA). Software systems are regularly updated to protect against the latest threats. For physical safeguards, the organization uses secure facilities are all data storage and uses access control via physical key access. Employee devices are secured in safe locations and all building locations have environmental controls. Data and any physical disposal is completed with shredding when not needed. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

SchoolStatus

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

• ClassTag and SchoolStatus Connect, a communication platform powered by holistic student data to drive meaningful engagement with families when it matters most
• TeachBoost / SchoolStatus Boost, and TeachBoost Coach / SchoolStatus Coach , a teacher evaluation and coaching tool for educator effectiveness and compliance
• School Innovations and Achievement (SI&A) and SchoolStatus Attend, an attendance management platform for truancy prevention
• SchoolNow, a website design, content management, and hosting solution.
• Smore, a tool to develop newsletters with enhanced aesthetics and readability
• Operoo and SchoolStatus Forms and Flows, allows schools to achieve operational efficiency and reduce spending by automating workflows for all paper-based forms including onboarding packets, extracurricular activities and parent communications.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Data Centers - SchoolStatus is hosted at Amazon data centers, running on Amazon Web Service (AWS). These data centers provide physical security around the clock, state of the art fire suppression, redundant utilities, Internet connections. AWS is also NIST compliant among other certifications. See: https://aws.amazon.com/compliance
• Network Security - Your data is protected between you and our systems. We use encryption with respect to traffic between you and our servers. Sensitive data is stored encrypted our servers as well (encryption at rest) for an additional layer of security.
• System Security - We update our systems periodically. For example, our virtual systems are replaced on a regular basis to reduce the window of a potential compromise.
• Restricted Access - Our policy is that only people who reasonably need access, get access. Where access is within our control (i.e., with respect to our staff), access to systems that hold and process sensitive data is limited to our reasonably necessary staff. Please note that we generally do not control how schools or their staff may access or use data; you should contact them to understand their data privacy and security practices. We log access.   
• Penetration Testing - We double check our work with an external group that looks for mistakes that put your data at risk. When they identify issues, we quickly remediate them and retest.
• Reliability - We use scalable cloud technology to maintain a high level of uptime. If an individual data center fails, our systems keep going.
• Data Backup - We backup and test our backups on a regular basis. If something goes very wrong, we can bring back our systems in a short period of time.

Of course, please note that no system can guarantee 100% security or eliminate the risk of any vulnerability or compromise.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

SCO Family of Services (Learning to Work)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2023 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SCO’s LTW program is designed to complement the academic component of each transfer high school. The program aims to provide support to over-aged and under-credited students, helping them complete their academic requirements to earn a high school diploma. Our LTW program assists students in acquiring the tools and competencies needed to succeed in their pursuit of postsecondary education, training, and career development. PII is essential for coordinating educational efforts, offering internship opportunities, and monitoring attendance and academic progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. SCO has implemented the following safeguards to protect the security of PII:

• Administrative Safeguards:
  • A designated Security Officer and Privacy Officer responsible for the development and implementation of privacy and security policies and procedures that outline how PII is collected, used, stored, and shared.     
  • Access to PII is limited to authorized individuals on a need-to-know basis and only as permitted under the law.
  • All SCO employees and contractors who access PII receive training on SCO’s policies and procedures and Federal and State laws governing privacy and security of PII.
• Physical Safeguards:
  • Established rules for authorizing and restricting access to SCO’s computers, network, applications, workstations, mobile devices, and areas where PII is accessible.
  • Policies and procedures to ensure that PII stored or transported on storage devices and removable media is appropriately controlled and managed. 
  • SCO requires the use of keycards to access locations where data is stored.
• Technical Safeguards:
  • SCO utilizes internal and external systems that are inaccessibly by unauthorized individuals, including assigned User ID and passwords, firewalls, anti-virus protection and multi-factor authentication.  

SCO uses encryption of data in transit and storage, access controls, and implementing regular and encrypted backups.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Scoir

Screencastify

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2023 – 6/30/2024.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Screencastify provides video recording, editing and sharing software tools and services designed for use in classroom educational settings. Students may be directed by their teachers to create and submit video and audio recordings as part of classroom assignments. PII is required to identify students to their submitted video and audio recordings in connection with the services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud data centers located in the United States that maintain their own rigorous industry standard certifications and compliance offerings.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Screencastify has designated a privacy officer responsible for information security governance and maintains privacy policies and practices that support compliance with the Family Educational Rights and Privacy Act (“FERPA”), the Children's Online Privacy Protection Act (“COPPA”) and other applicable laws. Screencastify provides regular privacy and security awareness training, including training on applicable laws that govern the handling of PII, to its employees who will have access to PII. Screencastify limits internal access to education records and PII to those individuals that are determined to have legitimate educational interests within the meaning of §2-d and FERPA. Screencastify uses encryption technology and other suitable means to protect the PII in Screencastify’s custody, whether in motion or at rest, from unauthorized disclosure using a technology or methodology specified by the secretary of the U.S. Department of Health and Human Services in guidance issued under P.L. 111-5, Section 13402(H)(2), or any other technology or methodology specifically authorized by applicable statute, regulation or the New York State Education Department.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Securly

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2024 – 6/30/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Securly receives, accesses, and uses PII exclusively for the purpose of providing Securly’s Classroom solution to schools/school districts. Securly Classroom is a classroom management tool enabling teachers understand student activities online, for both in-school classes, remote learning, or a hybrid combination of the two. Securly Classroom gives teachers:

• A thumbnail view of all screens in the class, including open tabs, so they know that their students are engaged in classwork;
• The ability to send class-wide announcements, start chats with individual students, or recognize students with raised hands/seeking assistance;
• Seamlessly push lesson content directly to student screens, ensuring students make the most out of valuable class time;
• The ability to check the browsing history of their students that occurred during class, while administrators can view all the history of all students;
• The option to received a summary email for each class listing participating students, most accessed sites, and other info.

Classroom can be deployed in any K-12 classroom where school-provided and/or student owned devices are used for teaching purposes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and/or ElasticSearch Clouds.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Securly's mission is to foster safe and focused learning environments through technology, while keeping students healthy and engaged. In pursuit of this mission, we support our school customers in building cultures of trust and safety by maintaining a comprehensive written information security program built on enterprise-level data security and privacy practices aligned with NIST Standard 800-53. For example:

• We encrypt all student data in transit and at rest, and our student safety and wellness solutions have attained compliance with SOC 2 information security standards.
• Securly provides training to those with access to protected information on federal and state laws governing confidentiality of student/teacher/school data at onboarding and annually thereafter. Training covers confidentiality obligations, information security, compliance, and data protection, including the requirements of relevant laws and regulations, as well as Securly’s information security policies and expectations.
• Securly limits access to student, teacher, and district data to employees or authorized service providers who: (1) are contractually bound to protect such data from unauthorized access, use, or disclosure; (2) receive training on relevant data protection laws and regulations; and (3) adhere to a written information security program reflecting industry best practices for data security aligned with NIST Standard 800-53.
• Physical access to information assets and company workspaces is restricted through the use of key cards, key codes and/or physical keys. Physical access to sensitive information assets (i.e., servers, distributable media, paper documents) is restricted to authorized individuals.
• Securly has adopted a SOC2 compliant information security incident response policy and plan, that addresses: incident preparation and prevention, detection and analysis, incident notification, containment, eradication, recovery, and post-incident review. The incident response plan is exercised on a regular basis, at least annually. In the event of a breach or suspected breach of any privacy or security measures described herein that has become known to Securly, Securly will immediately notify affected Customers.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Seesaw Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

• General Description: Seesaw is the most intuitive, robust and easy to use cloud-based K-5 digital portfolio in the education space. Seesaw Lessons are Standards-Aligned, Ready-to-Teach & Flexible supplementary curriculum resources that are design for PK-5th grade classrooms. Lessons adapt to whole class, centers, and independent learning in any setting.
• Account Information: When teachers, parents, family members, or school administrators create an account on Seesaw we collect their name, email address, password, and profile picture. Seesaw may also collect an adult user phone number if its entered into their Account Settings. Teachers using Seesaw to communicate with Families may add a family member’s email or phone number to Seesaw in order to send messages or updates about school work to the appropriate parent or family member. Students cannot create an account by themselves, but must be invited to a Seesaw class by a teacher or school administrator. Where students have permission to use Seesaw, Seesaw collects personally identifiable information about them including their names, email addresses, and profile picture. This information may be entered by a teacher or the student or populated from the student’s account with a third party sign-in service, such as their Google account.
• Journal Content: Seesaw collects content that is added to a class or student journal. This content may be photos, drawings, files, notes, hyperlinks, and other ways of documenting student learning. Seesaw regularly add types of information that can be uploaded to a Journal, and these are all covered by this Policy. Comments on posts in a class journal are also collected. These comments may be text, or if Seesaw is allowed to access the microphone on the device, voice recordings. Journal Content that is uploaded by a student or teacher may be considered a student education record as defined by FERPA.
• Messages: Seesaw collects messages that are sent and received in Seesaw by teachers, family members, and students.
• Activities: Teachers may use Seesaw to create activities to use with their students. Activities may include text or voice instructions for how to complete the activity, an example of a correct response or a template for students to edit.
• Activity Author Profiles: Teachers who choose to publish activities to the Community Activity Library or the Activity Library managed by their school or district can also create an Activity Author Profile. This includes the name and profile picture they choose to publish on their Author Profile, as well as their school name and location.
• Communications: Seesaw collects any information sent to us directly, such as email communications. Information from a users Google Account or other Third-Party Sign-in Service: Seesaw allows teachers, parents, family members, and students (after being invited by a teacher) to sign up for and log into our service using a Google or Clever Account. Teachers can also create student accounts on behalf of students in their class. When Seesaw creates an account using one of these Third-Party Services, we use the name, profile picture, and email address (if available) provided by these services.
• Log Data: When using Seesaw, log data is received such as IP address, browser type, operating system, device information, and mobile carrier. In addition, information such as the referring web page, referring search terms, and pages visited may be received or collected. If Seesaw is being used by a teacher, parent, or administrator, Seesaw may use that IP address to determine the approximate location for the purposes of sending customized marketing and other information about our products.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Seesaw routinely conducts 3rd party security audits to verify the security and integrity of our systems and internal controls. Data is stored in access-controlled data centers operated by industry leading partners with years of experience in large-scale data centers with 24/7 monitoring. We routinely monitor our systems for security breaches and attempts at inappropriate access. Journal content (e.g. photos, video, audio, and other content added to a Seesaw journal) is encrypted in transit and at rest. Seesaw uses TLS 1.3 security at the network level to ensure account information and journal content is transmitted securely. We have also adopted an internal data access policy that restricts access to personally identifiable information to a limited number of employees with a specific business need (such as for technical support). Data is also accessible to our sub-processors, who are required to sign a Data Processing Agreement that limits their ability to access and use data.  

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Shutterfly Lifetouch

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Shutterfly Lifetouch, LLC ("Lifetouch" or "Entity") is a trusted provider of school photography services throughout North America since 1936. In preparation for Picture Day, Lifetouch collects certain roster data from the school or district, to be used solely as follows:

• To produce and deliver to schools the products and services as described in the Photography Services Agreement (the "School Deliverables");
• To deliver Picture Day notices on behalf of the school and provide parents of students photographed opportunities to purchase student and class pictures and yearbooks;
• To verify parent authorization to order student photographs; and
• As otherwise specified by the Agreement.

For the avoidance of doubt, this Agreement does not apply to (a) information collected from customers who opt to purchase products directly from Lifetouch and/or establish a Lifetouch family account; or (b) Lifetouch photographs, except as incorporated into the School Deliverables.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Lifetouch has implemented a variety of physical, technical, and organizational security measures to help protect School Data from unauthorized access and use.

• Facilities. Lifetouch produces portraits and School Service Items within its own U.S.-based photo labs. Lifetouch data, including School Data, is maintained in cloud-based storage or in on-premises data centers that meet or exceed industry standards for cybersecurity. All facilities and systems are protected by strong physical security controls such as restricted role-based access, ID cards, entry logs and video monitoring. We have a secure backup process and utilize high availability systems and equipment to maintain availability.
• Networks. Devices storing or providing access to School Data are protected with the same multi-layered security strategies that we use to protect Lifetouch's sensitive and confidential business records. Image databases supporting our photo processing labs and websites are separated from associated data files containing identifiable information, and all databases are protected by firewalls, monitoring, vulnerability scanning and authentication procedures. We apply intrusion prevention methods and perform regular network penetration testing and code scanning on a periodic basis using both internal and authorized third party testing services and. Our systems enable secure transmission of School Data from and to the Lifetouch network with encryption technologies. School Data is segregated from other databases in our systems and is securely disposed of when no longer needed. Devices or media containing or accessing School Data are password-protected and encrypted and stored in secure, locked areas when not in use. Laptops and tablets used by our field are also protected by software that, in the event of theft, notifies Lifetouch immediately if the device is connected to any network and allows Lifetouch to remotely erase the device.
• Personnel. Lifetouch's policy is to collect, use, and disclose personal information only in ways that are consistent with our respect for an individual's privacy. We require Lifetouch employees to sign confidentiality agreements as a condition of employment, and we provide training on the appropriate use and handling of School Data. Access to School Data is limited to those who need it to perform their jobs, and when our employees are instructed to only access School Data secure channels (like the Lifetouch Portal). We also take appropriate measures to enforce these policies.
• Enterprise. A comprehensive set of IT policies based on ISO 27001/2, PCI-DSS, OWASP and/or NIST frameworks and standards, as applicable, governs information systems practices and procedures throughout the Lifetouch enterprise. Additionally, Lifetouch partners with secure payment processing platforms like PayPal to handle payment card data when the families we serve make their portrait purchases. Additionally, the Lifetouch Portal is designed and maintained to exceed the standards of the Software & Information Industry Association's Best Practices for the Safeguarding of Student Information Privacy and Security for Providers of School Services.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Signal Vine, Inc.

The exclusive purposes for which Protected Information will be used: Segment contacts, personalize and trigger outgoing text messages to students and/or parents. [NYC DOE Comment: Signal Vine is a tool used to engage and communicate with students, families, and staff.]

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: No subcontractors have access to NYC DOE personal data. Signal Vine staff access is limited to the team supporting your account. All access is logged.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Protected Information is removed from the platform within 30 days of the expiration of the agreement, and cycles out of backups 14 days later.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information will be stored within the United States. All data is stored on Amazon Web Services and conforms to SOC 2, ISO 27001 and DoD standards.

How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted at rest via Amazon’s TDE service and in transit via TLS 1.2+

SimTutor

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SIMTICS is a cloud-based service with simulations and other supporting media, designed for learning how to perform clinical and medical imaging procedures. The Service is provided by SimTutor Inc (SimTutor). Each SIMTICS module covers one procedure, skill or topic. In most cases a module contains the following media: Video demonstration of the procedure; Explanatory text; Anatomy images related to the procedure, in 2D and 3D format; A multi-choice quiz; Simulation scenarios for the user to learn and practice the procedure interactively and test their skill.

The school provides us with student first/last names and a DOE-issued email address, so students have a unique username and their in-app activity can be tracked individually and kept separate from other students’ data. The SIMTICS system tracks the user’s activity in the app (study time, and scores in simulations and quizzes). Each learner’s activity data is recorded in their personal SIMTICS logbook and can be accessed only by that named user and by teachers and administrative users with the necessary privilege.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. SimTutor is SOC 2 certified and has robust systems, system architecture, and procedures in place to ensure student data is protected. SOC 2 is a compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data. SOC 2 certification is the result of a detailed annual audit by a qualified third party auditor. SimTutor has been SOC 2 certified for three years.

Our information security procedures to protect PII cover the following areas:

• Data classification – at SimTutor, school/student data is classified at the highest level of confidentiality, above our own company data
• Selection, documentation, and implementation of security controls
• Daily security checks of our systems and infrastructure
• Annual assessments of security controls and updates as necessary
• Careful authorization, changes to, and termination of information system access
• Maintenance of restricted access to system configurations, user functionality, master passwords, powerful utilities, and security devices
• Management of user access and roles – only employees with a job requirement (i.e. customer and technical support) are given access to PII
• Security training is part of employee onboarding and Maintenance and support of the security system and necessary backup and offline storage
• An incident response system, tested at least annually, to ensure rapid action in the event of an issue occurring.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Smart Science Education

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 1/1/2024 – 8/1/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Smart Science Labs is a virtual science lab system which allows students to do science labs online in place of hands-on science labs where the materials, time, equipment or space is not available. In many urban schools science labs have been missing from science classes for decades due to degradation of science facilities and a lack of funding to replace or rebuild the physical science lab. Smart Science Labs have been in use by schools in the USA for over 20 years for a variety of needs including alternative education, ELL learners (Smart Science works in 100 languages), special ed and self paced learners, virtual academies and traditional schools who lack science lab facilities. PII is used to create student log in access to the virtual labs and track student performance on the virtual labs - staff members can see the progress of each student identified by their name and OSIS number. The resource is fully integrated with Clever and if the school choses to deploy access through Clever then no PII will be used or stored by Smart Science Education because of Clever’s use of encrypted usernames and passwords to the host resource.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Administrative safeguards: Access limited to the CEO of the company and the tech team; All tech team personal who have access have signed confidentiality agreement;
• Technical safeguards: Encryption of data in transit and storage, access controls, and implementing regular and encrypted backups is standard practice for our platform; Test and development servers do not use any real world student or teacher data; All data is entered into a password protected cloud based database that employs current industry standards, hosted in the Google Cloud (GCP).
• Operational safeguards: Company does not host any physical data or create physical copies of data. The offices of Smart Science Education are secured. All systems are cloud based and online only. All employees follow best practices. Tech lead has protocols including notifying the CEO and board so they may take action immediately.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

SMART Technologies (for Lumio)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Lumio is a digital learning platform and will only access or use PII when necessary to provide Lumio. Lumio lets educators combine and edit teaching resources, including PDF, Google, and PowerPoint files to create one engaging lesson. Lumio allows educators to liven up a lesson with ad and comment-free YouTube clips. Easily illustrate a concept without wasting time switching to different tabs. Effortlessly engage every student on any device using Lumio’s dynamic, collaborative web-based learning platform. PII is required for users to login.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Student PII will be destroyed when (i) no longer required to provide the service; (ii) upon request by the DOE; or (iii) the end of the school year (July 1) once the service agreement expires. Teacher accounts will be destroyed within one year of the inactivity or expirey [sic] of the service agreement.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and Google Cloud.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Privacy and security are at the core of our product design. Whether in room, on mobile devices or at a distance, SMART solutions enable interactive and collaborative workflows with built-in features to ensure user information is safe and protected. Customer data is hosted using best-in-class Amazon Web Services and Google Cloud data centers with ISO 27001 and SOC 2/3 certifications. There are no additional privacy settings needed in SMART products because we don’t want you to share anything except the bare minimum required. Being proactive, our product design captures as little personally identifiable information as possible. Students are not required to provide any identifiable information. They can log in using their existing Google or Microsoft credentials, or choose to connect anonymously with guest access. Data is only visible to whom the teacher personally gives access to, and shared lessons never include student data. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Smartest EDU (also called Formative)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: Starting 10/3/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Normal operation and use of Formative’s platform, including reporting on student performance. Formative receives data such as student names, logins, emails, and work generated within the platform. We use this data to allow teachers to assign assessments within the Formative platform, create performance reports, and ensure that rostering within Formative aligns with rostering in Clever, Classlink, or other systems.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Formative’s IT Security and Data Privacy strategy prioritizes detection, analysis, and response to known, anticipated, or unexpected threats; this strategy also emphasizes the effective management of risks as well as resilience against data incidents. Formative continuously strives to meet or exceed the industry’s information-security best practices and apply controls to protect our clients and the organization. Formative reviews of its systems against applicable state, federal, and internal regulations as well as against controls associated with NIST CSF, SOC2, ISO, GDPR, FERPA, CCPA, CPRA, CPA, VCDPA, and UCPA. Formative maintains an Information Security and Privacy Program which, along with security personnel embedded in each of our business units, consists of a centralized group that establishes information security mandates, evaluates adherence to these mandates, and detects & responds to incidents. Formative frequently adjusts this program to ensure ongoing suitability. The Information Security and Privacy Program regularly assesses the sufficiency of Formative’s controls.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

SmartPass

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2023 – 6/30/2024.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SmartPass is a digital hall pass system designed to replace traditional physical hall passes in educational institutions. It allows teachers and administrators to monitor student movements in real-time, ensuring safety and accountability. The platform offers features such as analytics, pass limits, and encounter prevention, making it easier to manage and oversee student activity during school hours. PII is used to create accounts and to display the information to teachers and administrators.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud within the United States.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We endeavor to protect the privacy of your account and other personal information we hold in our records, and we use industry standard data security measures to protect your personal information. This includes: (1) only storing your personal information under our control, (2) using two-factor authentication for our personnel to access your personal information, (3) implementing physical access controls to those areas where personal information is stored, (4) limiting access to your personal information to only those of our personnel who need to have that access to do their jobs, and (5) encrypting all of your personal information both in transit and at rest. We also regularly conduct audits of our security practices to make sure that they are up to date.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

SmartStart Education

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SmartStart Education, LLC is an educational services company that provides staffing and tutoring services. For tutoring, we seek to provide high-impact tutoring services to students striving to read and perform math proficiently in grades kindergarten to 12^th grade. Tutoring services will be provided in -person at the students’ schools. We seek to align our tutoring to students’ individual needs. Having access to students’ data, such as IEP, report cards, and New York State test scores, allows us to provide tutoring that is more targeted to individual needs.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft SharePoint.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data will be served on a password-protected secure server. Only employees who have direct contact with students or their supervisors will have access to student data.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Smashcut

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Smashcut will provide a learning management system specifically designed for the teaching and learning of the visual and media arts. This program will be limited to high school students in grades 9-12 Student user accounts are required to access the program curriculum. PII is necessary initially for students to create a Smashcut user account. Once the student account is created, the PII is used for the following platform activities: Accessing the class syllabus, watching video lessons, submitting assignments, joining group projects, participating in class discussions, receiving and sharing project feedback with their teachers and classmates.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We conduct training sessions for all employees and contractors on data privacy, security practices, and compliance requirements. We ensure all employees are aware of the importance of protecting personal information and the specific protocols they must follow. All access to Smashcut systems - if provided - happens through role-based IAM (identity and access management) user accounts to authorized team members. Team members can only access systems with Multi-Factor Authentication. All access to systems is monitored and logged. Additionally:

• All data stored on cloud with physical and logical security controls; no local storage or physical access for employees.
• Access limited to authorized personnel with two-factor authentication.
• Strict role-based access controls and policies for all staff.
• Multi-Factor Authentication (MFA) for system access.
• Regular training on data privacy and security practices.
• All system access is monitored and logged.
• Cloud infrastructure managed by authorized staff via two-factor authenticated VPN.
• Serverless architecture with encrypted data transmission (TLS, DTLS, SRTP).
• Real-time encrypted data backups; data masking to protect sensitive information.
• Quarterly security reviews and continuous risk management.
• Code changes undergo rigorous review, testing, and security analysis before deployment.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Smile New York Outreach

Type of Entity: Article 28 licensed health care facility

Contract / Agreement Term: 7/1/2024 – 6/30/2032.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Processor will receive Protected Health Information from DOE in order to fulfill its role as a provider of dental services. Under the Health Information and Accountability Act, Processor is identified as a Covered entity when handling PII and therefore subject to extend required protections of PII under HIPAA. The PII obtained from DOE is utilized in the provision of dental services to students.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “As a health care provider patient records are retained, at minimum, in accordance to section 29.2 (a)(3) of the Rules of the Board of Regents or in accordance to company policy. Any student information that is not integrated into the patient treatment record will be destroyed upon termination of services.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Physical safeguards to protect PII include encrypting all data in transit and at rest both in our administrative office and while performing clinical duties at the school location, limiting physical access to equipment that stores historical PII records to required staff, access to that equipment requires badge access, personal PIN's, and biometric scans. Administrative and logical access to data requires staff to have a username and password to applications to view PII, and once in only have access to records that are required to perform their duties. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Snowflake

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Customer is responsible for the collection, upload and use of all data in the Service, including, but not limited to, PII.  The use of the Service is at the election and direction of Customer and Snowflake is not required to receive or access PII in the provision of the Service.

Type of PII that the Entity will receive/access: Snowflake is data agnostic and does not know the type of data uploaded to the Service unless Customers expressly advises such. In general, Snowflake does not know and does not need to know the type of data that is uploaded. Customer is responsible for the collection, upload and use of all data in the Service, including, but not limited to, PII .

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Customers that enable and use the Tri-Secret Secure feature may secure delete all Customer Data, including PII, by destroying its set of keys.  Alternatively, Customer Data, including PII, may be deleted by Customers at any time.  If Customers fail or elect not to delete Customer Data, at the end of the Agreement term, Customer Data will be overwritten/deleted in accordance with the underlying CSP data destruction policies.”

Challenges to Data Accuracy.“All requests related to PII will be directed to the Customer that the relevant data subject identifies as having uploaded his/her data.  All requests to change or delete PII data are Customer’s responsibility.  In accordance with the DPA, Snowflake makes available features for Customers to effect such. Note, Customer may register emails in the Service for notification of privacy requests.”

Security and Storage Protections. Describe where PII will be stored or hosted. “To the extent Customer elects to upload PII that constitutes Customer Data, it will be stored in the Customer elected hosting location that forms part of the Service.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Snowflake default data protection commitments are as described in the Snowflake DPA  found here:  https://www.snowflake.com/legal/data-processing-addendum/ and Security Addendum found here:  https://www.snowflake.com/legal/security-addendum/, however, Customers are responsible for making appropriate configuration decisions within our Service to meet applicable legal and regulatory requirements.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. “To the extent Customer elects to upload PII that constitutes Customer Data to the Service, it shall be encrypted in motion and at rest in accordance with the protocols set forth in the Security Addendum.”

SOLVED Consultancy

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SOLVED helps school administrators and teachers analyze student data so that they can make better instructional decisions based on this data. Schools have multiple data sources from different assessments administered throughout the year. In order to use data efficiently and effectively to inform instructional practices and the use of resources and to analyze student data, SOLVED developed the Assessment Dashboard, which is a platform built within the NYCDOE servers using Google Data Studio (which is part of the Google Workspace Cloud where all NYCDOE accounts and information live). This platform helps Principals, Assistant Principals, and Teachers to look at all their students’ assessment information in one centralized location. Only staff belonging to individual schools are authorized to access their platform, and never parents, guardians, or students.

SOLVED needs to have access to this PII to build this platform for schools. SOLVED displays the PII received in the Assessment Dashboard and this PII does not leave the NYCDOE servers as it is uploaded to the NYCDOE Google Cloud and SOLVED uses Google Data Studio to display PII to Principals, Assistant Principals, and Teachers who are authorized to log in with their @schools.nyc.gov accounts (which are Google accounts).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. “SOLVED uses the NYCDOE’s Google Workspace Cloud to store PII, which are part of the NYCDOE servers. Google Workspace Cloud is a subcontractor for the NYCDOE. The PII does not leave the NYCDOE servers.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “None of the PII that SOLVED is given leaves the NYCDOE servers as it is stored in the Google Workspace Cloud of the NYCDOE. Hence, there is no data return because the data does not leave the NYCDOE servers.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. “SOLVED uses the NYCDOE’s Google Workspace Cloud to store PII which are part of the NYCDOE servers. Google Workspace Cloud is a subcontractor for the NYCDOE. The PII does not leave the NYCDOE servers.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The PII is stored in the NYCDOE’s Google Workspace Cloud and the NYCDOE servers. Hence, many of the technical (i.e. data encryption) and physical (i.e. physical servers) safeguards to keep this data safe is controlled by the NYCDOE.

SOLVED as multiple administrative and operational safeguards to ensure the highest rigor of data protection. These are:

• For all roles within SOLVED, the hiring process ensures the candidate has the necessary competence to perform the role and can be trusted to take on the role, especially for roles related to the use, management, or protection of data or PII. Data protection responsibilities are communicated to employees as part of the on-boarding process.
• Background checks are required prior to employing SOLVED employees, regardless of if a competitive recruitment process is used.
• All SOLVED employees are required to sign a Non-Disclosure Agreement before being granted access to any data. Upon termination of employment, staff are reminded of confidentiality and non-disclosure agreements.
• All new staff must complete an approved Security Awareness training prior to, or within 30 days of, being granted access to any data. In this training, all new staff are provided with relevant data policies and protocols to allow them to properly protect data. All new staff then must acknowledge they have received and agree to adhere to the SOLVED data policies and protocols before being granted access to any data.
• All staff must complete an annual security awareness training.
• SOLVED provides all employees an anonymous process for reporting violations of information security policies or procedures.
• Staff found to have violated SOLVED’s data policy or protocols may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Sooth Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Sooth.fyi is a subscription-based, curated internet search engine specifically designed for students and educators to conduct online, internet research without running into ads, chatbots, dubious sources, or commercial content found on other search engines. Sooth.fyi uses a proprietary, human curated search index comprised of thousands of the web's most reliable and diverse primary sources of news, research, and information that can't be found in traditional academic research databases.

Sooth.fyi also includes many unique tools and collaboration features that accelerate student productivity when conducting online research. For example, Sooth.fyi includes a citation generator, bookmarking and research collection folders, notetaking tools, a misinformation toolkit, and a personalized news aggregator.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure Cloud Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Sooth.fyi implements the following measures to ensure the technical and physical safeguarding of PII:

• Sooth Inc. is NIST 800 compliant (cyber security posture)
• All Sooth Inc. data, including user Personally Identifiable Information (PII), is securely stored and managed on Microsoft’s Azure Cloud Services platform.
• Sooth Inc. collects only the minimum PII required in order to operate a safe, secure, functional, and enjoyable platform.
• All PII is encrypted while in transit and while at rest.
• All employees and contractors conduct annual cyber security and privacy compliance training.
• Sooth Inc. Compliance Officer conducts annual audits against a comprehensive checklist derived from NYC DOE requirements, COPPA, FERPA, PPRA, and all other applicable federal, state, and local data privacy laws and regulations.
• Sooth Inc. implements role-based access control systems to enforce minimum necessary access to PII based on job responsibilities.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

South Asian Youth Action (SAYA)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. As part of SAYA’s Community School programming at Richmond Hill High School, our team monitors program quality and effectiveness in three areas: school attendance, college access support, and social and emotional impact. In order to track data and measure the effectiveness of our offerings, our staff secure student PII and make use of the Department of Education databases, as well as Apricot - Social Solutions, which is a customized database used by SAYA across all of our sites. These databases house and track a number of metrics, including attendance and college enrollment. SAYA staff gather PII data points from our participants, teachers, and other school administrators to measure and gauge youth improvement within these metrics. Through data gathered, our Community School Director and team continually determine how SAYA programming and intervention can best benefit our students and improve their performances.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using cloud or infrastructure owned tool hosted by a subcontractor; i.e. Google Workspace, Apricot - Social Solutions.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Access control methods to be used shall include:

• Auditing of attempts to log on to any device on the company network
• Automatic updates implemented on all systems
• Server access rights
  • Active file and email intrusion detection (implemented with Google Workspace for Non-Profits)
  • Active Network Intrusion detection and automatic emails to IT team to inform of the situations.
• Firewall permissions
• Web authentication rights
• Database access rights
• Encryption at rest and in flight
• Network segregation
• Yearly user training concerning the handling of sensitive information and PII will be provided. Additionally, this data security policy will be available to any SAYA staff member or contractor. This also applies to contractors and third party vendors who for whatever unforeseen circumstance would need access to sensitive information.

Access control applies to all networks, servers, workstations, laptops, mobile devices, web applications, websites, cloud storages, cloud databases, and any other form of cloud service that contain sensitive or PII data.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

South Bronx Overall Economic Development Corporation

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. As the CBO our initiative is focused on enhancing student performance and well-being through a range of integrated programs and services. These include healthcare, mentorship, expanded learning opportunities, adult education and other support services for middle school and high school programming. Our goal is to address the diverse needs of students, engage their families, and strengthen the broader community.

The purposes for receiving and accessing personally identifiable information (PII) include managing student records, ensuring accurate enrollment, and coordinating participation in our services. This information allows us to tailor program activities to meet the specific needs and interests of students. We utilize data on students' academic interests, extracurricular preferences, and special needs to design and implement programs effectively. Additionally, we track student participation to monitor their progress. This evaluation helps us assess the effectiveness of our programs.

In summary, our project focuses on providing targeted programs and services to support student development. Accessing and using PII is essential for managing enrollment, coordinating activities, communicating with stakeholders, evaluating program effectiveness, and meeting regulatory reporting requirements, all while maintaining strict controls over data sharing to ensure compliance and protect privacy.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third-party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks

Administrative Safeguards:

• Policy Development: Our company has established comprehensive policies and procedures specifically tailored to the handling of Personally Identifiable Information (PII). These policies outline the proper protocols for accessing, storing, and transmitting PII, ensuring that all staff members are aware of their responsibilities in safeguarding sensitive information. Such as, but not limited to: password policy, online session management and security policy.
• Role-Based Access Control: Access to PII are strictly controlled based on roles and responsibilities. Employees are granted access only to the information necessary for performing their duties, and access permissions are regularly reviewed and updated as needed.
• Training and Awareness: Training sessions are conducted to educate employees about data  privacy and security best practices, including the proper handling of PII. Staff members are trained to recognize potential security threats such as phishing attacks and are instructed on how to respond appropriately.

Physical Safeguards:

• Restricted Access: Physical access to facilities where PII is stored or processed is restricted to authorized personnel only. Access controls such as keys and surveillance cameras are employed to monitor and control entry.

Data Privacy and Security Risk Mitigation:

• Regular Audits and Assessments: The Company conducts regular audits and assessments of its data privacy and security practices to identify potential vulnerabilities and areas for improvement. These assessments help ensure that safeguards are effectively implemented and maintained over time.
• Incident Response Plan: In the event of a security incident or data breach, the company has established an incident response plan to guide the organization's response and minimize the impact on affected individuals. This plan includes procedures for investigating incidents, notifying stakeholders, and implementing remediation measures to prevent future occurrences.

By implementing these administrative and physical safeguards, along with proactive risk mitigation measures, the company demonstrates a strong commitment to protecting PII and maintaining the privacy and security of its data. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Sparkler

The exclusive purposes for which Protected Information will be used: To provide the service, directly and in coordination with the BOE. Aggregated non-identifiable data may also be used to improve the service.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Data protection and security requirements that meet or exceed these requirements are a part of Sparkler’s privacy policy and all employment and contracting agreements used by Sparkler.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The agreement starts on signing, and will extend no more than a year, or until terminated by either party. Protected information held by Sparkler will be deleted at any time at the instigation of either users or the DOE, and at any rate under Sparkler’s policies will be deleted no later than one year after the end of the agreement.

[NYC DOE comment: The current agreement became effective starting on April 1, 2020 and terminates when all NYC DOE schools and/or offices cease using Sparkler’s products/services. The terms of the agreement remain effective through the period during which Sparkler possesses or otherwise is in control of covered protected information.] 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data is stored in the US, using the commercially reasonable protections afforded by AWS. Further provisions are described in the Recipients Terms of Use and Privacy Policy.

How the data will be encrypted (described in such a manner as to protect data security): Sparkler is using the industry standard AES-256 encryption algorithm to encrypt all data on the server. For encrypting network communications and establishing the identity of the app, Sparkler is using industry standard SSL/TLS protocols.

Speak Agent

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 11/15/2023 – 11/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Speak Agent, Inc. receives PII for the sole purpose of delivering supplemental instruction. "Speak Agent" is an instructional software platform that includes "Math+Language" and "Science+Language" programs for grades K to 12, providing digital lessons and activities that run on its cloud-based platform. These programs supplement the school district's math and science curriculum. Specifically, PII is needed in order to (1) provide secure login through single sign-on; (2) connect students with the correct class sections, teachers, and grade-appropriate instructional materials; and (3) provide students with expressive language opportunities (writing, speaking, and representing) and individualized feedback.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and/or Heroku.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All PII data are securely stored using cloud hosting facilities that meet ISO 27001 and PCI Level 1 requirements. PII may be viewed only by authorized district and Processor users. Processor secures and manages usernames, passwords, and other means of gaining access to PII at levels recommended by NIST SP800-171 (password complexity, encryption, and re-use).

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Sphero (for Sphero EDU)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Use of Sphero’s Sphero EDU application available at edu.sphero.com, and all related client applications, with which students learn, code, and play with Sphero robots. Depending on if and what type of user accounts are created, PII can contain first name, last initial, email address, and date or birth. Name and email information is used solely for the purpose of creating user accounts. Date of birth is used for the purpose of checking age of consent of the user.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Sphero ensures that data is encrypted both in motion and at rest. The Sphero Edu platform runs in an Amazon Web Services (AWS) facility (please see full details here: https://aws.amazon.com/security/). Personnel are only given access to data on an as-needed basis. AWS provides extensive protection in the form of secure physical facilities, permissions and identity policies, rapid patching and updating of systems, firewalls, network threat detection and response, and scalability to respond to denial of service attacks. PII data is always password protected in addition to being encrypted.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Spruce Technology

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Spruce Technology, Inc. provides information technology consulting services for the New York City Department of Education, including the implementation, integration, customization, testing, and support of technology platforms licensed and hosted by other providers; custom design, development, testing, and support of technology solutions; cybersecurity advisory services; user interface design and development; and provision of specialized technology staff. We require access to PII to develop initiatives, troubleshoot issues, create reports and provide adequate support to all patrons.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: No PII will be stored or hosted by Entity.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All DOE data that is considered private, sensitive, or higher classification will be accessed by Spruce team within DOE environment using DOE issued equipment such VDI / Servers etc. Plus the technical design of the PSAL ensures that the design and architecture conforms with all citywide security standards and will get all necessary approvals prior to go live in production.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

St. John’s University's School of Education (for Project RAISE)

Type of Entity: Research Institution or Evaluator

Contract / Agreement Term: 1/31/2022 – 1/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Resilience, Access, and Imagination for Success in Education (henceforth Project RAISE), consists of the following components:

• Supplemental Instruction
• Counseling Services
• Tutoring Services
• Mentoring Services
• Parent Engagement Services
• Professional Development; and
• Extended Year Program

St. John’s University’s Project RAISE is a program designed to provide Title I supplemental instructional services and related services under the Every Student Succeeds Act (ESSA) for Title I eligible students, parents, and teachers at nonpublic schools in New York City. To this end, all students from Pre Kindergarten through grade 12, as well as their parents and teachers who are eligible for Title I assistance, will benefit from Project RAISE. Pre-Kindergarten to grade-12 students from families in poverty grapple with numerous challenges in terms of their emotional, physical, social, and cognitive development. These challenges adversely affect their academic success. The primary goal of Project RAISE—which is intended to provide Title I nonpublic schools supplemental instructional services—is to afford students from Pre Kindergarten through grade 12 with the opportunity to receive supplemental instruction in the areas of English! language arts/reading, mathematics, English as a Second Language (ESL), social studies, and technology, as well as Pre-Kindergarten services to help them succeed in these subjects. The primary location for services will be in New York City nonpublic schools serving students from pre-kindergarten to twelfth grade, and that select St. John’s University as their service provider

Data collected will be for the purpose of invoicing/billing the participating non-public schools in the City of New York. The data will include the following: Student ID Number; Grade Level; and School Name.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. This correspondence articulates elements of the St. John’s University cyber security and privacy infrastructure as it relates to the academic research infrastructure for the New York State Department of Education grant award supported by faculty in the St. John’s University School of Education.

St. John’s University has taken a risk-based approach to cyber and information security by ensuring the confidentiality, integrity, and availability of its information assets. The University has a viable program that balances the people, processes and technologies and focuses on the management of the security program, user awareness, research platform, and operations. The details are as follows:

Security Program: Our Security Program is comprised of several strategies that include, but are not limited to:

• A viable IT Governance model and reporting structure
• University-wide and department-specific Information Technology (IT) and Security policies and standards
• A Vulnerability and Patch Management (VPM) program (policies, standards, processes, and procedures) to proactively address potential vulnerable and unpatched systems and applications of critical and non-critical information assets.
• Multi-factor authentication to minimize authentication threats
• An IT risk management framework based on the NIST Cyber Security framework to manage IT risks consistently and continuously.
• Adequate security awareness and training of faculty and staff, including staff that handles personally identifiable information (PII)
• Processes and techniques to address the end-user computing threats
• Data maps for PII that is transmitted, processed, and stored within the University.
• Records/data that are classified into three groups
• Active records that are stored in a primary storage medium
• Data is retained for a regulated specified period according to the University’s retention schedule

The subcontractor is held to the same standards described above.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

St. Nicks Alliance Corp (Community Schools)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. St. Nicks Alliance (SNA) is a community-based organization contracted by the NYCDOE to provide services at:

• The Williamsburg High School of Art and Technology, Brooklyn, NY 11206: These services provide integrated student support, expanded and enriched learning time and extended learning time opportunities, active family and community engagement, and collaborative leadership and practices. These supports and programs help to ensure consistent attendance, academic recovery, relationship building and leadership inside and outside the school community.
• John Ericsson Middle School 126, Brooklyn, NY 11222. These services provide integrated student support, expanded and enriched learning time and extended learning time opportunities, active family and community engagement, and collaborative leadership and practices. These supports and programs help to ensure consistent attendance, academic recovery, relationship building and leadership inside and outside the school community.
• PS 150 Christopher, Brooklyn, NY 11212. These services provide integrated student support, expanded and enriched learning time and extended learning time opportunities, active family and community engagement, and collaborative leadership and practices. These supports and programs help to ensure consistent attendance, academic recovery, relationship building, and leadership inside and outside the school community.

Protected Information may be collected or accessed by authorized SNA representatives to support students with attendance and credit accumulation. We may examine academic data (i.e. grades on assignments, courses, or exams); daily attendance statistics, demographic and disciplinary history, contact information, survey responses, and/or Other Protected Information. This data is used to track student progress toward attendance and credit accumulation and to tailor services to each student.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data storage can be in electronic or non-electronic formats (such as paper surveys), including data files and databases. Non-Electronic data is stored in the United States in locked cabinets in SNA main office (located at 2 Kingsland Avenue, Brooklyn, NY 11211} or Bushwick Community High School at 231 Palmetto St., Brooklyn, NY 11221)), as required by regulatory agencies (ie. NYS Department of Health). The lock's key or combination is exclusively shared with authorized staff.

For electronic data storage, SNA uses password-protected computers. The password is changed every 60-180 days and is only accessible to SNA staff members responsible for analyzing the data. Data storage requirements are thoroughly discussed with SNA staff both during onboarding of new staff and ongoing during training on Federal and State laws governing confidentiality to any officers, employees, or assignees who have access to student data or teacher or principal data to ensure compliance with our regulations and SNA internal data storage plan that protects confidentiality and safety of PII. Do not use educational records for any other purpose than those explicitly authorized in the contract.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

St. Nicks Alliance Corp (Learning to Work)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/01/2015 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. St. Nicks Alliance (SNA) is the community-based organization contracted by the NYCDOE to provide the Learning-To-Work program at Bushwick Community High School, Brooklyn, NY. These services assist students with attendance improvement and dropout prevention through individual and group counseling, case management, and post-secondary planning, among other evidence-based strategies.

Protected Information may be collected or accessed by authorized SNA representatives to support students with attendance and credit accumulation. We may examine academic data (i.e. grades on assignments, courses, or exams); daily attendance statistics, demographic and disciplinary history, contact information, survey responses, and/or Other Protected Information. This data is used to track student progress toward attendance and credit accumulation and to tailor services to each student.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data storage can be in electronic or non-electronic formats (such as paper surveys), including data files and databases. Non-Electronic data is stored in the United States in locked cabinets in SNA main office (located at 2 Kingsland Avenue, Brooklyn, NY 11211} or Bushwick Community High School at 231 Palmetto St., Brooklyn, NY 11221)), as required by regulatory agencies (ie. NYS Department of Health). The lock's key or combination is exclusively shared with authorized staff.

For electronic data storage, SNA uses password-protected computers. The password is changed every 60-180 days and is only accessible to SNA staff members responsible for analyzing the data. Data storage requirements are thoroughly discussed with SNA staff both during onboarding of new staff and ongoing during training on Federal and State laws governing confidentiality to any officers, employees, or assignees who have access to student data or teacher or principal data to ensure compliance with our regulations and SNA internal data storage plan that protects confidentiality and safety of PII. Do not use educational records for any other purpose than those explicitly authorized in the contract.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

ST Math - MIND Research Institute

The exclusive purposes for which Protected Information will be used: Personally Identifiable Student Information (PISI) will be used to enroll/roster students into the ST Math program as well as collect usage and performance data as related to the program (i.e. progression through the program, mastery of standard, time on the program). 

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: MIND Research Institute requires all employees that will handle PISI to agree to and sign our employee handbook which details requirements each employee must adhere to in order to ensure the security of user data. Additionally, MIND Research Institute provides scheduled training and refresher training on best practices in the handling of data and requires employees to participate. 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: PISI received from a LEA is de-identified or deleted in a reasonable period of time after the relationship between MIND Research Institute and the LEA has been terminated.

[NYC DOE comment: The current agreement became effective starting on September 18, 2019 and terminates when all NYC DOE schools and/or offices cease using ST Math’s products/services. The terms of the agreement remain effective through the period during which ST Math possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): MIND Research Institute's infrastructure is hosted within the United States. We design and implement our systems to provide resiliency against server, segment, and geographic failure, through the implementation of a clustered redundant architecture that yields highly available service endpoints. which provide resiliency against server, segment, and geographic failure. We utilize service providers whose systems have been certified for compliance with security standards including ISO 27001. 

How the data will be encrypted (described in such a manner as to protect data security): Unauthorized access of User data is a real risk facing the users of today's electronic information services. MIND Research Institute strives to keep informed of these risks, and we work diligently to combat them. One method of protecting User data is to utilize cryptography to prevent data visibility in the event of its unauthorized access. MIND Research Institute leverages cryptography to protect user data in the following two ways:

• Data in Transit. Our services support Transport Layer Security (“TLS”) to encrypt User communications (TLS 1.0 or greater and only the strongest ciphers). Data transferred between our Site and its end Users (including credential submission, data uploads, and data downloads) are sent over TLS connections, which protect such data using strong encryption, so that data in transit is kept in a private channel between the intended User and our systems.
• Data at Rest. User data that contains personally identifying information, when “at-rest” (i.e., when in storage) is encrypted using industry standard AES-256. There are two types of "at rest" storage:
• Database. Database server disk storage is “volume” encrypted (i.e., encrypted at the level of the database).
• User Files. User files are individually encrypted before being recorded on long-term, secondary storage systems.

Staten Island Makerspace

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We provide project based STEM lessons for visiting school groups at our location or we provide lessons at schools. We also provide professional development workshops for educators at our location or at schools. PII may be issued for the purposes of preparing materials and lesson plan that is appropriate for grade level and number of students..

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and

written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Dropbox.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Data will be stored on a secure Dropbox server (which includes data privacy requirements that are as stringent as the ones in this agreement, including unique storage architecture that protects sensitive data against brute force attacks, ransomware, malware, and data breaches) and can only be accessed through multi- factor authentication. SIMS implements role-based access controls to limit access to Confidential Information to authorized personnel only. Access is authorized by Executive Director and only given to Executive staff including Education Director and Associate Director.
• SIMS utilizes encryption technologies to protect data both in transit and at rest, following the  encryption standards specified by state, federal, and local security data laws.
• Staff uses dedicated Makerspace computers assigned to them and all devices are equipped with security software that includes firewall protection, secure VPN server, and real time scans enabled. Only three people ever have access to the data that is stored on a secure Dropbox server and to access it they have to be authorized to use it. This includes the Education Director, Associate Director, and Executive Director. Dropbox uses multifactor authentication. No identifiable student data is transmitted electronically via email or text. Teachers bring their students to our facility for field trips or we send a teacher to the school to work in a classroom with the DOE teacher present- we do not accompany students anywhere or transport any student data anywhere.
• Upon notification of suspected security breach from any source including security system scans, Dropbox server security monitoring notifications, client notification, DOE staff, or any other source, SIMS maintains an incident response plan. This plan includes notifying DOE authorities immediately in the event of any reportable security breach and providing detailed information about the nature and scope of the incident. Security Incident Response is managed by Associate Director and overseen by Executive Director.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

STEM Sims

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Great Leaps Digital is a web-based application used by instructors 1-on-1 with K-12 students to improve students’ proficiency in reading fluency and basic mathematics skills. Great Leaps Digital offers: (1) the Reading Program with exercises in Letter Recognition and Letter Sounds, Phonics, High Frequency Word Phrases, and Stories with Depth of Knowledge based comprehension development question and more, and (2) the Math Programs, developed as a simple, multi-sensory approach to teaching basic math facts.

Great Leaps Tutoring offers 1-on-1 online tutoring using the Great Leaps Digital Reading and Math Programs. Data collected is used for system access and progress tracking.

Student PII is required for account creation and performance tracking. Performance tracking is used to communicate to instructor(s) how student performance has progressed with their usage of the program. Performance tracking allows instructors to determine if the program is an effective intervention for the student and communicate data on student performance to relevant and authorized individuals (e.g., school administrators).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS, DigitalOcean.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. STEM Sims uses encryption technology to protect this information while in motion or in its custody from unauthorized disclosure and conducts digital and physical periodic risk assessments to remediate any identified security and privacy vulnerabilities in a timely manner. Additionally, STEM Sims incorporates various technical safeguards to protect the collected student information and data. The database servers are behind a firewall so that only their other servers can connect to the database. The program is built to ensure that any user account logged into the system is only able to access data about themselves and any students they are teaching, and each student is isolated from each other throughout the system. STEM Sims also limits access to customer data from employees and uses an internal tool to limit the interactions with customer data for authorized internal users. When generating any internal reports, STEM Sims minimizes the amount of sensitive information to just student performance and runs any necessary information that might identify a user through an anonymizing function so it cannot be linked back to the original student. STEM Sims also uses industry-standard transport layer security protocols on any connections that customers make to the server to make sure the data transmitted back and forth is private. In case of becoming aware of any breaches in the system, STEM Sims will follow the steps outlined by their Data Breach Response Plan, including containing the breach, remediating the access, disclosing to affected users as appropriate, and reviewing and enhancing security measures to prevent further breaches and mitigate privacy and security risks.

STEM Sims limits staff access to customer data through user and permission management to ensure that only authorized staff can interact with PII. Administrative safeguards also include security training within our onboarding process for all new staff and monthly security risk assessments for all staff with access to PII.

Physical safeguards include controlling physical access to our office and ensuring only authorized staff can access our physical servers and computers. Encrypted PII residing in Digital Ocean’s cloud servers is protected by Digital Ocean’s physical infrastructure security safeguards and their networks are MANRS certified (https://www.digitalocean.com/security/infrastructure-security). ’s physical safeguards for further information with regard to our cloud servers.

STEM Sims incorporates various technical safeguards to protect PII. STEM Sims uses encryption technology to protect this information while in motion or in its custody from unauthorized disclosure and conducts digital and physical periodic risk assessments to remediate any identified security and privacy vulnerabilities in a timely manner. The database servers are behind a firewall so that only their other servers can connect to the database. The program is built to ensure that any user account logged into the system is only able to access data about themselves and any students they are teaching, and each student’s PII is isolated from others throughout the system. When generating any internal reports, STEM Sims minimizes the amount of sensitive information to student performance only and runs any  necessary information that might identify a user through an anonymizing function so it cannot be linked back to the original student. STEM Sims also uses industry-standard transport layer security protocols on any connections that customers make to our servers to ensure the data transmitted back and forth is private.

The disclosure of the description on NYC DOE’s website will not compromise the security of the data or our security practices and protocols.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Strategic Inquiry Consulting

Type of Entity: LLC

Contract / Agreement Term: 3/1/2022 – 2/28/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Coaching support for teachers and school leaders in developing student writing skills. PII is received in the form of electronic student work files (showing progress toward skill mastery, which contain student names and handwriting).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Google Workspace.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. SIC will maintain reasonable technical, administrative and physical safeguards to protect PII including storing in an online portal that provides data encryption and has built-in security designed to detect and block threats like spam, phishing and malware.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

STRIDES Via Transportation 

• Via shall use 256-bit SSL when transmitting sensitive data over the internet.
• Wireless network transmissions will be encrypted. 
• Audit logs that contain sensitive data will be sanitized or removed from the logs.
• Via uses AWS Key Management Service as the main KMS. AWS KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect our keys.
• AWS KMS is integrated with AWS CloudTrail to provide audit logs of all key usage.
• All endpoints that connect to Via’s network are disk-encrypted using industry-standard encryption. Personal client information is never stored on the client-side device

Study.com

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Identifying students, communicating assignments, composing classrooms, recording and reporting grades, and tracking progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Access to Protected Data is limited only to trained System Administrators within Study.com. Key FOBs are required to enter the facility and servers are locked in a keyed cage. All AWS servers are on a restricted Virtual Private Network. We log any unauthorized attempts to access this network or the Protected Data contained on the network. All analytics, features, and data processing are done internally on physical Study.com owned servers racked in a secure facility.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Sunnyside Community Services

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Community Schools provides programs/services related to attendance, health and wellness, expanded learning time, and family engagement. Some of these programs/services include attendance support check-ins, tutoring, in-class Math support, time management groups, and wellness lunchtime events. PII will be used to:

• Create student and parent records in Salesforce
• Log student and parent activity hours and outreach efforts
• Distribute interest surveys and needs assessments to students and parents
• Use sign in sheets for events, activities, and incentives.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Only authorized users of the Salesforce system have access to PII, which is protected by Multifactor authentication.

SCS will have full Hard Disk Encryption on Laptops/Desktops implemented with Win 10 Pro Bit-locker. PII

Data sent over email will be encrypted with 0365. Automated Security & Windows patches with anti-virus are updated on a scheduled basis. We hold written policies to ensure the treatment, use, and security controls for data, as well as enforcement to ensure security. This covers access to and storage of data, among other relevant issues. In line with DOE expectations and our own security policy, SCS shall only disclose PII to Contractor's employees and Subcontractors who need to know the PII in order to provide the Services and the disclosure of PII shall be limited to the extent necessary to provide such Services. SCS will ensure that all student data and PII information is secured and will not be shared with any subcontractors without written/approved agreement. SCS will also comply with all regulatory requirements in collection, retention, and destruction of student data and PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Suntex International (also called First in Math)

The exclusive purposes for which Protected Information will be used: We do not absorb, display or store any sensitive data in this process. As part of a typical data sync, the district will provide information regarding the school buildings, the classroom that exist, and the teachers that are assigned to those classrooms. Lastly, a list of students and what classes they belong to is provided. In the most common application, these files are transmitted nightly through Clever. The syncing process will automatically establish accounts, preserving the teacher/student relationship. As this relationship changes, and students move to a different classroom, or school building this change is reflected in vendor’s website. If student no longer appears in the data feed, the student will be held in a reset/deactivated status until they appear again. Teachers that are no longer teaching the classrooms associated with the program will be removed as indicated by the feed. There are some cases where the relationship is not correctly reflected in the SIS, or the student’s classroom assignment is ambiguous. In this case the teacher may use tools to find students that are deactivated or exist in an unassigned pool for that grade level using a drag and drop tool. The teacher may also examine a roster and determine that a student is either no longer in that classroom, or that they no longer exist within that school, or reset a password, though passwords are not relevant when an SSO sign in method is being used. A building level administrator may have additional tools to move students to different classrooms within the building.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE:  Suntex does not use subcontractors. Company employees follow proper policy in handling data for initial import of district data, trouble-shooting, customer service. We take reasonable measures to protect the confidentiality of the Data as required by federal and state laws and regulations applicable. We establish technical and physical security measures to ensure the confidentiality, integrity and availability of the Data.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Traditionally, we retain the current school year and one-year prior of data. Before each school year we purge any older data. At the end of the contract period or upon request, information will be returned to a NYC DOE, or at such point that the Data are no longer needed for the purpose referenced in this Agreement, or, at the sole discretion of NYC DOE, securely destroyed, and all electronic Data purged from the network in a manner that does not permit retrieval of the data.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov. ]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data will be stored within the Atlanta Data Center of Aptum Technologies, 106 Jefferson Street, Suite 300, San Antonio TX 78205 (Formerly Cocego-Peer1), a top-tier and leading hosting provider. Multiple approaches to data security include physical security (CCTV, biometric access control, on-site guards), network and application protection, including DDoS protection, hardware fire, load balancer, and access through VPN only. The next layer of security includes alert logic monitoring and McAfee enterprise anti-virus. Web Site access is only allowed using SSL (2048-bit). The environment is kept clean, installing only the necessary applications and features, and is kept up-to-date with the latest security patches. 

How the data will be encrypted (described in such a manner as to protect data security): All data in motion will be encrypted either via Secure HTTP (HTTPS), SFTP, or another approved encryption mechanism. In general, Email send and receive is protected by TLS in its transmission, but is not generally an acceptable means of passing confidential information.

Sussman Education Company, Inc. for Lightswitch Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Sussman Education Company, Inc., for Lightswitch Learning offers FAMIS e-catalog approved culturally responsive/social emotional, and parent engagement offerings in print and digital format through their textbook contract. 80% of the offerings feature minority authors and subjects. Sussman is applying for a software contract so schools can order site-based one-year subscriptions for their eBook content. Sussman Education Company, Inc., for Lightswitch Learning does not collect PII.

Type of PII that the Entity will receive/access: Entity will not receive or access PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Sussman Education Company, Inc., for Lightswitch Learning does not collect PII.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Sussman Education Company, Inc., for Lightswitch Learning does not collect PII.

Challenges to Data Accuracy. Sussman Education Company, Inc., for Lightswitch Learning does not collect PII.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Sussman Education Company, Inc., for Lightswitch Learning does not collect PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Sussman Education Company, Inc., for Lightswitch Learning does not collect PII.

SVAM International (for ASKFOOD Project)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. DOE Office of Food and Nutrition Services (OFNS) supports over 1,300 Cafeterias within 1,800 NYC public schools and delivers about 1 million meals per day. The students are served with breakfast, lunch, and afterschool meals daily under the City’s Public Schools student meal program. With the P0018 ASKFOOD Project, DOE aims to simplify the current manual processes and legacy applications by overhauling their business processes and developing a new system that will increase the efficiency of the food preparation services and production of meals in the schools’ cafeteria kitchens. The ASKFOOD Project will realize efficiency benefits across both perishable products and non-perishable products, streamline user entitlement across OFNS applications, and deliver relevant decision-making data to stakeholders.  

The project scope is divided into four workstreams: 

• Workstream A - Back of House (BOH)
• Workstream B - DOE Central Warehouse Automation and Modernization (WHAM)
• Workstream C - Food Services Business Analytics (FSBA) 
• Workstream D - OFNS Integration with Enterprise Access and Authorization Platform.

Type of PII that the Entity will receive/access: Student PII. “For Workstream C - Food Services Business Analytics (FSBA), SVAM project team will access DOE Datawarehouse which may have Student PII data, to generate Analytical reports/queries; this may provide SVAM team indirect access to the Student PII data. SVAM will not store or host PII data on SVAM storage systems or applications. SVAM team will work directly on DOE infrastructure and will not download/share any PII data onto the SVAM infrastructure.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “For Workstream C - Food Services Business Analytics (FSBA), SVAM project team will access DOE Datawarehouse which may have Student PII data, to generate Analytical reports/queries; this may provide SVAM team indirect access to the Student PII data. SVAM will not store or host PII data on SVAM storage systems or applications. SVAM team will work directly on DOE infrastructure and will not download/share any PII data onto the SVAM infrastructure.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. “For Workstream C - Food Services Business Analytics (FSBA), SVAM project team will access DOE Datawarehouse which may have Student PII data, to generate Analytical reports/queries; this may provide SVAM team indirect access to the Student PII data. SVAM will not store or host PII data on SVAM storage systems or applications. SVAM team will work directly on DOE infrastructure and will not download/share any PII data onto the SVAM infrastructure.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Please note that SVAM will not store or host PII data on SVAM storage systems or applications. SVAM team will work directly on DOE infrastructure and will not download/share any PII data onto the SVAM infrastructure. For Workstream C - Food Services Business Analytics (FSBA), SVAM project team will access DOE Datawarehouse which may have Student PII data, to generate Analytical reports/queries; this may provide SVAM team indirect access to the Student PII data.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

SVAM International (for DOE’s Compliance Systems Modernization Project)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 8/1/2023 – 7/31/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Compliance Systems Modernization Project focuses on implementing any modifications and enhancements to support any updated business policies/processes and relevant Federal, State and City mandates.

Type of PII that the Entity will receive/access: Student PII. “Under High Level Enhancements for the OSI’s system for parent notification and integration with NYCSA, SVAM Project team will access DOE applications that store Student PII data. However, SVAM will not store or host PII data on any SVAM storage systems or applications. SVAM team will work directly on DOE infrastructure and will not download/share any PII data onto the SVAM infrastructure.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Under High Level Enhancements for the OSI’s system for parent notification and integration with NYCSA, SVAM Project team will access DOE applications that store Student PII data. However, SVAM will not store or host PII data on any SVAM storage systems or applications. SVAM team will work directly on DOE infrastructure and will not download/share any PII data onto the SVAM infrastructure.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity. “Under High Level Enhancements for the OSI’s system for parent notification and integration with NYCSA, SVAM Project team will access DOE applications that store Student PII data. However, SVAM will not store or host PII data on any SVAM storage systems or applications. SVAM team will work directly on DOE infrastructure and will not download/share any PII data onto the SVAM infrastructure.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Please note that SVAM will not store or host PII data on any SVAM storage systems or applications. SVAM team will work directly on DOE infrastructure and will not download/share any PII data onto the SVAM infrastructure. Under High Level Enhancements for OSI’s system for parent notification and integration with NYCSA, SVAM Project team will access DOE applications that store Student PII data.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Swivl (also called Satarii)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Reflectivity cloud based software service is for teachers’ and administrators’ collaborative work and professional development. In order to properly authenticate educators in the service, we collect some PII, such as name, email, job title. Student PII may be captured in the videos of teachers providing instruction, which shall be uploaded and reviewed by instructional coaches as part of the professional development process.

Type of PII that the Entity will receive/access: Student PII, and teacher name, email, and job title.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Swivl software is hosted on SOC2 compliant data centers provided through Amazon AWS and require multiple factors of authentication to gain access to the data. Swivl uses AES-256 encryption for data storage and TLS 1.2 for data transport). All infrastructure is behind industry leading firewall solutions and require VPN access with secure keys. We restrict access to customer data to a small set of security and operations specialists who need to have access as part of fulfilling their job duties. We have a continuous process of testing our security processes and services and mitigating any issues, if found. We have a dedicated security team which monitors and tests our system continuously using leading software tools.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Taito Learning (for TypeTastic)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/10/2024 – 6/30/2030.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We provide the TypeTastic School Edition application, an educational software designed to teach touch typing skills to K-12 students in schools. The application offers a structured and interactive learning environment where students can practice and improve their typing abilities. The service includes progress tracking, lesson plans, and reporting tools for teachers to monitor student performance.

PII is necessary to create user accounts for students and teachers, which allows the application to track individual student progress in touch typing. This data enables personalized learning experiences and progress monitoring regarding their learning journey in the TypeTastic platform.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All internet connections of the Contractor are secured by professional standard protections (antimalware, firewall, etc).

Contractor devices are protected by professional standards encryption protocols (REST).

The Contractor has in place access control where only those employees and subcontractors directly working with the project may access any data pertaining to it. Physical security and access control measures are in place at the Contractor’s offices. 2FA has been enabled in all supported applications..

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

TalkingPoints

The exclusive purposes for which Protected Information will be used: To provide a two-way translated messaging platform between school & district administrators, teachers and parents.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: TalkingPoints has implemented strict controls over physical, environmental, and software security for all employees and contractors.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: TalkingPoints will either delete or return, within a commercially reasonable period of time but not to exceed 45 days, all personally identifiable information upon the expiration of any agreement when requested to do so by notification from the contracting party; [NYC DOE comment: The current agreement became effective starting on May 29, 2020 and terminates when all NYC DOE schools and/or offices cease using Talking Points’ products/services. The terms of the agreement remain effective through the period during which Talking Points possesses or otherwise is in control of covered protected information.] 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. Any parent, student, eligible student, teacher or principal may correct inaccurate student data or teacher or principal data that is collected. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information will be stored in the U.S. As described in Attachment B of the Agreement, TalkingPoints’s infrastructure is built on industry-tested technology and security practices.

• TalkingPoints uses encryption, firewall, and network security software.
• TalkingPoints uses single sign-on (SSO) and twofactor authentication (TFA).
• Low-level auditing software is supported for all external providers (AWS, Atlas) to record potentially malicious actions that may take place.
• TalkingPoints runs periodic penetration tests, then logs and resolves discovered issues.
• All TalkingPoints clients use TLS/SSL when communicating with our servers.
• TalkingPoints has a host-based intrusion detection system to detect unauthorized access to production hosts.
• Audit logs are sent to a central location for storage and analysis. Access to production servers and interaction with production systems is audited and logged.

How the data will be encrypted (described in such a manner as to protect data security): All student data or teacher or principal data is stored on cloud servers within the United States and protected with industry standard and best practices procedures, including AES256-CBC encryption when in transit and when stored at rest.

Teachercentric (also called Satchel Pulse)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 3/1/2023 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The products we offer are as follows:

Climate Tool. This is an online platform designed to help school and District Leaders make data driven decisions based on direct feedback given by staff, students, & parents. Built specifically for the education market, Pulse takes feedback and converts it into measurable data and leading indicators, enabling District Leaders to make focused, proactive decisions. Data is delivered in real me and shows information relating to staff, student and family engagement, school culture and improvement across me at a group, school and district level. Using Pulse to monitor feelings and opinions enables School and District Leaders to understand exactly where they need to focus their efforts for improvement. Actions can be created to target issue areas and Pulse used to track the trends in feelings and opinions, highlighting the impact of those actions. Our system uses student information to help track and filter the results of the Climate survey.

Skills Tool. Supports each student by helping them build important social and emotional skills that give them the confidence they need to grow. With Satchel Pulse's SEL Solution, you can efficiently and accurately measure students’ and teachers’ perceptions of SEL skills, identify school-wide, group, and students SEL skill development needs, develop plans for improvement, and monitor progress.

We need to receive/access the staff/students PII information so they can be identified in the application in order to have access to their account and a way to identify who responded to the survey and where to keep their results. Other uses are for grouping or searching for students.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services – RDS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII is encrypted at rest and in transit. You can find full information on our Information Security Policy that’s been shared.

• Administrative Safeguards:
  • Data Access Management: We employ a role-based access control system that ensures only authorized personnel with a legitimate business need can access PII.
  • Training and Awareness: We provide regular training and awareness programs to our employees to ensure they are well-informed about the latest data protection practices and understand their roles in protecting PII. The employees receive a yearly training via Zoom to review and discuss the training and awareness around data security.
  • Policies and Procedures: We have comprehensive policies and procedures that outline how PII should be handled and protected, including incident response plans.
• Technical Safeguards:
  • Data Encryption: We utilize strong encryption standards for data both in transit and at rest to ensure that PII is unreadable to unauthorized users.
  • Network Security: We employ various network security controls including firewalls, and secure configurations to protect our network infrastructure.
  • Regular Security Assessments: Our systems undergo regular security assessments, including penetration testing and vulnerability scanning, to identify and remediate any security vulnerabilities.
  • Disaster Recovery: We have disaster recovery plans in place to ensure data can be recovered in the event of a physical disaster (data is stored in AWS).
• Mitigating Data Privacy and Security Risks:
  • Continuous Monitoring: We continuously monitor our systems for signs of security incidents or data breaches and have incident response plans to ensure swift action.
  • Data Minimization: We practice data minimization to ensure that only the necessary amount of PII is collected and stored, reducing the potential impact of a data breach.
  • Regular Review of Practices: Our security practices are regularly reviewed and updated to align with emerging threats and best practices in data security and privacy.

Please note that, in the interest of security, this description is intentionally high-level. We take the security of PII very seriously and employ a robust set of safeguards to protect this data.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Teachers College, Columbia University (for the Reading and Writing Project)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 12/1/2021 – 11/30/2026

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Teachers College Reading and Writing Project may review and use student protected information as part of professional development in literacy in schools. Reviewing this information is necessary in order to systematically check to see if and when students have internalized key literacy skills, and to assure that instruction is differentiated in response to student needs. TCRWP staff developers also regularly lead study groups with teachers in order to provide teachers with opportunities to examine student writing, to study patterns in data, and to co-author methods and curricula. Studying student work together in this way enables teachers to thoughtfully plan next steps based on what students are actually doing. This shared work is vital to deepening teachers understanding of conducting formative assessments, and of norming across a school so as to ensure a consistent vision of excellence.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. TCRWP Staff Developers may have access to student work as part of leading professional development in literacy in schools. In the event remote work is required, the Teachers College Google Drive instance will be utilized to transfer and store student writing documents. Within Google Drive, a Shared Drive will be created and appropriate access (read-only, edit, or content manager) will be assigned. Those assigned read-only access will not be able to download or share content. Additionally all subcontractors accessing PII data are required to sign a NDA. TC employees are educated and reminded of how to treat PII data and employees with access to PII data are required to sign confidentiality agreements. A copy of the NDA and confidentiality agreements are attached.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Teachers First (for Toddle)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Toddle is a one-stop web-based platform that streamlines the teaching and learning for by educators, students, and family members. It is used for, among other things, curriculum planning, lesson planning, assessments, student portfolios, family communication and progress reports. It is also licensed by the IB.

We receive and access PII for the following purposes:

• Rostering: PII is essential for the operation of Toddle and for account rostering. All classes and grades have to be setup and we need PII for that purpose.
• Communication: PII is also essential for teachers to uniquely identify and communicate with students and parents. It is also required for 1:1 communication, class discussions etc.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• All Toddle employees and sub-contractors undergo extensive trainings and background checks at the time of onboarding.
• We follow the Principle of Least Privilege to restrict access to data and only the account manager and any personnel or sub-contractors considered essential for operation are given access.
• We have a comprehensive exit policy to ensure access to any and all forms of data is revoked and deleted specifically, redactions are not acceptable as per policy
• We use the highest standard of encryption and anonymization techniques to ensure deidentification of PII
• We use industry-standard AES-256 encryption.
• All data is encrypted at rest and in-transit and hosted on AWS servers in USA
• We regularly conduct vulnerability and penetration testing
• We are subject to regular and surprise audits by independent third-party auditors and the access to the audit report can be shared on request.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Teach for America

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2024 – 6/30/2029.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. To facilitate professional development of TFA teachers placed in NYCDOE, TFA requires access to student-level data. Access to student information will occur by virtue of having TFA teachers in NYCDOE classrooms and will not be distributed beyond this purpose.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Teach for America employs a number of strategies to secure data and limit unnecessary access during transfer, storage, and processing. We encrypt data in transfer as well as at rest when it is being stored in a data repository. For our internal data storage, we change encryption keys on a regular basis to avoid stale credentials and unwanted legal access. Data is regularly obfuscated for analytics and reporting purposes. We use best practices for data isolation, including limiting accounts for vendors who push data to our systems and centralized oversight of user accounts for external systems when we need to pull the data ourselves. We use a “least privilege granted” model for access to internal systems, employing multi-factor authentication where feasible, and monitor access across these systems with auditable logs.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

TeachFX

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 8/29/2023 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. As a general overview: TeachFX provides a software-as-a-service application and reporting tools, powered by artificial intelligence, designed to provide measurements of student engagement and other pedagogical indicators, to educators with respect to dialogue that is occurring in instructional settings. TeacherFX also has a partner success team that designs and implements professional learning experiences for educators to improve their instruction and student engagement. The TeachFX classroom implementation does not collect or store student PII. However, where a teacher opts to use the TeachFX virtual instruction option via Zoom, student names and virtual platform unique identifiers will be collected.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud Platform.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We have multiple safeguards in place to protect all sensitive student data, including PII.

• Authentication: We authenticate users before they can use the application. Email verification is required to access the features of the app.
• Access control: We use object-level permissions to monitor user access to data.
• Secure communication and encryption: All our communications happen through HTTPS, secured by strong ciphers. User data is maintained in encrypted storage at rest.

We have multiple monitoring systems in place to mitigate risks, including systems used for codebase scanning, artifact scanning, and monitoring vulnerabilities.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

The Teaching Lab (for Podsie)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 6/24/2024 – 6/30/2025.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Podsie is a web-based application that facilitates personalized spaced retrieval practice for middle and high school students. Our application allows teachers to create and assign educational content, which is then presented to students at optimized intervals to enhance long-term retention. The Protected Information will be used exclusively for the purpose of providing and improving this  educational service. This includes:

• Creating student accounts
• Enabling teachers to create and assign content specific to their curriculum
• Presenting content to students using spaced repetition algorithms to improve memory retention
• Tracking student progress and performance on assigned content
• Generating insights and reports for teachers to inform instruction and support personalized learning
• Improving the quality and effectiveness of the spaced repetition algorithms and educational content.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Podsie employs a variety of administrative and technical safeguards to protect PII and mitigate data privacy and security risks:

Administrative Safeguards:

• Access to PII is strictly limited to authorized Podsie staff who need this information to perform their job duties.
• All Podsie employees undergo mandatory data privacy and security training before being granted access to any systems containing PII.
• Podsie maintains and regularly updates data privacy and security policies that all employees must acknowledge and adhere to.
• Regular audits are conducted to ensure compliance with these policies and to identify any potential risks or areas for improvement.

Technical Safeguards:

• Podsie uses industry-standard encryption to protect PII both in transit and at rest. This includes using TLS 1.2 or higher for all data transmitted over the internet and AES-256 encryption for all data stored in our databases.
• Access to systems containing PII requires unique user credentials and multi-factor authentication.
• Podsie maintains detailed logs of all access to PII for auditing and monitoring purposes.
• Our systems are regularly scanned for vulnerabilities and promptly patched to maintain security.
• Podsie performs regular backups of all data to prevent data loss, and these backups are encrypted and stored securely.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Teaching Strategies

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Teaching Strategies GOLD® Enhanced supports effective teaching and assessment while providing educators with more time to spend with the children in their program. Student Data is used to set up and maintain user accounts and student portfolios and to grant other Authorized Users the right to access, update, view, and/or modify such portfolios. Portfolio Data can be used to identify and recommend appropriate activities and customize student plans.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS, Google Cloud Platform and Ntirety.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. TS implements background checks on all employees, security and privacy training, admin user training, secure development training, NIST policy and procedure alignment, weekly vulnerability scanning, IDS/IPS, file integrity monitoring, central logging and monitoring, secure cloud storage, annual risk assessments, annual 3rd party penetration testing, and annual SOC2 Type II compliance audits by an AICPA accredited organization.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

TEAM FIRST, Inc NYGEAR UP Program

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/13/2023 – 9/30/2028

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. TEAMFIRST, Inc. NYGEAR UP will provide academic and social support to a cohort of 710 students in Districts 7, 8, and 29 that will increase high school graduation and college enrollment rate. We collect student data (i.e., demographic information, attendance, LEP, and/or IEP designation, grades, standardize test scores, promotion status, grade) to be reported to the US Department of Education to measure student outcomes as required by the federal GEAR UP Program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Measurement Inc. and the Google iCloud.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data provided will be confidential in nature and will only be reported to the US Department of Education as required by our Annual Performance Report. Access to Personally Identifiable Information (PII) will be limited to the Evaluator and Director of Programming solely as required for reporting purposes. All information will be collected and secured in a locked file cabinet and will be used solely for reporting to New York State Education Department. Passwords will be changed on a regular basis and protocols for deletion and/or destruction of PII will be carried out and written certification will be provided to NYCDOE.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Tech4Learning, Inc.

The exclusive purposes for which Protected Information will be used: To access the Wixie online authoring tool.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: N/A - We will not share student data with subcontractors or other persons or entities.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: At agreement start protected data will be uploaded by NYC DOE staff to Wixie. At agreement end protected data will be deleted unless return instructions are provided. [NYC DOE additional information: The current agreement remains effective through the period during which Tech4Line, Inc. possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Contractor. [NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected data is stored in our San Diego, CA-based data center. Data is protected via biometric, physical, and logical security.

How the data will be encrypted (described in such a manner as to protect data security): Data transmitted to Wixie and data at rest will be secured using industry best practices.

Territorium

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Territorium will provide NYC employees and learners in K-12 and higher education with an immutable NYC Department of Education-sponsored and transferrable digital record of skills and credentials through the provision of a digital wallet enabling targeted job opportunity, promotion, and educational pathway enrollment. The transferrable digital record of skills and credentials is considered immutable, the issuers of verified skills and credentials (including the NYC Department of Education) can set expiration dates as well as process for revocation of prior awards. The learner (or their parent or guardian, if applicable) ultimately controls access to and sharing of all data in his/her record of skills and credentials.

Territorium uses PII to make user accounts and track student progress and share progress with parents.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Territorium’s data privacy and security program employs a combination of ongoing training, use of processes to review and document authorization to access its data, technology controls specifically employed to safeguard Protected Information.

Territorium employs several best practices including administrative safeguards of limiting all access to NYCDOE data within Territorium and only providing access to PII to NYCDOE staff; requiring confidentiality agreements for all employees of Territorium even despite no access to PII; multifactored authorization to access data with a service log. All storage is maintained with encryption of data in transit and storage, access controls, and implementing regular and encrypted backups; all quality assurance, testing, and development are free of any student data and have separate domains and security keys. All passwords to access requiring production system require a password change every 60 days (about 2 months).

Territorium deploys physical security items (i.e. security cameras, key card access, etc.) that function in our employee offices to make sure that there is no unauthorized entry to our places of work. We have a company headquarters and a second headquarters location as meeting place and executive houses. In addition, we provide company-issued devices to employees that do not have access to any Production data and are monitored for acceptable access points and sites.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

TestOut Corporation (LabSim)

Texthelp Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 3/1/2023 – 3/1/2030

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Read&Write, Equatio, Snap&Read, Co:Writer are Assistive Technology Literacy toolbars for students to scaffold learning and to help them access the general education curriculum. uPAR is a reading accommodation decision making tool to help teachers determine accommodations. OrbitNote is an accessible PDF tool. Again this helps make the curriculum accessible to students with typical PDF tools but also accessibility tools to read text aloud. EquatIO is an Assistive Technology Math toolbar and a math space for students to enter math and solve math problems digitally. Again it is a critical support for students with disabilities to access the general curriculum.

Data minimization is at the core of the design of the company’s products and we only collect the necessary data to provide access and usability of our tools to our users. The core of PII is the student’s email. The student’s email is used for the student to log in to the tools and manage their preferences. In addition we collect usage data and other accommodation data for staff to make decisions about future needs of students in using these tools.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS and Google.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Texthelp adhere to the principle of Privacy by Design/Default. Our software solutions are designed to use a minimal amount of PII. Texthelp are a Processor for the purposes of Processing Customer Personal Data; and we are a Controller in relation to any Processing described in our privacy and cookie policies located at www.texthelp.com. 

All personally identifiable information is used and held in accordance with our privacy and security policies.

Security controls are in place to keep Texthelp systems and data separate from other client’s data.

Policies and procedures exist to satisfy all of the 114 controls contained within Annex A of the ISO 27001 standard. These include, but are not limited to:

• ISMS 1.2 Information Security Policy
• ISMS 1.3 Product Analytics Policy
• ISMS 1.4 Access Request Policy
• ISMS 1.5 Roles/Responsibilities/Authorisations Register
• ISMS 1.6 Audit Logging Policy
• ISMS 1.7 Backup Policy
• ISMS 1.8 Encryption & Cryptographic Policy
• ISMS 1.9 Access Control Policy
• ISMS 1.11 Network Security Policy
• ISMS 1.12 Privacy Notice for Employees & Job Applicants
• ISMS 1.13 Record Retention Policy
• ISMS 1.14 Security Patching Policy
• ISMS 1.15 Infrastructure Hardening Policy
• ISMS 1.16 Vulnerability Management Policy
• ISMS 1.18 Privacy Policy for Texthelp Products
• ISMS 1.19 Security Incident Response Policy
• ISMS 1.20 Acceptable Use, Mobile & Teleworking Policy
• ISMS 1.21 Information Classification & Labelling Policy
• ISMS 1.22 Password Policy
• ISMS 1.23 Statement of Applicability
• ISMS 1.24 Risk Treatment Plan
• ISMS 1.25 Asset owner Policy
• ISMS 1.26 Secure Development Policy
• ISMS 1.27 Social Media Policy
• ISMS 1.28 Texthelp Web Properties Cookie Policy
• ISMS 1.29 Data Subject Access Request Policy
• ISMS 1.30 Texthelp Web Properties Privacy Policy
• ISMS 1.32 User Removal Policy
• ISMS 1.34 Security Disclosure Policy
• ISMS 1.36 AWS Asset Tagging Policy
• ISMS 1.38 Data Transfers Risk Assessment
• ISMS 1.40 Finance Data Handling Procedures

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Thinking Maps Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Our application provides both virtual resources for teachers and a virtual environment for students and teachers to create and share Thinking Maps within their school or classroom. Student First/Last Name and Login ID are the only PII required, and are used to created their accounts.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Within 60 days following termination of a school’s license, the PII associated with that school shall be automatically deleted, unless otherwise directed by the school or district at that time.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII is protected through standardized encryption and security in compliance with NIST guidelines. Student information is only available to users with appropriate roles and/or privileges within the system. All employees with access to such data are provided with security and privacy training, as well as being required to sign a privacy agreement with Thinking Maps Inc.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Thinking Nation

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 1/1/2023 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Processor will provide students and teachers of the 6th-12th grades of the NYCDOE with its specialized, proprietary history curriculum, assessments, and other related resources. Processor evaluates and grades all assessments and essays of participating students and provides them and their teachers with normed data collected from these assessments and essays. Processor will use classroom rosters provided by NYCDOE to properly aggregate and share the data.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• All employees have distinct logins so there is a record of all actions and edits when using PII.
• The least privileged authority is enforced to ensure that PII is used only when necessary.
• When there is an inactivity during a user's session, the platform automatically logs out the user.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Thinkingmap (also called Vocabulary.com)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 3/8/2023 – 3/8/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Vocabulary.com provides personalized, systematic vocabulary instruction for students from 5^th grade through high school, and beyond. Beyond its core purpose of building academic vocabulary knowledge, the platform improves literacy skills in the areas of reading, writing, listening, and speaking. Since 2008, Vocabulary.com has served more than 5.1 billion questions to learners all over the world. Today the platform is used by 3.7 million students in 56,000 schools.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS (a cloud hosting and data analytics provider), Century Link (used for telecommunications), Google G Suite (a cloud computing, productivity, and collaboration tool) and Salesforce Inc (a Customer Relationship Management (CRM) solution); and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Vocabulary.com has implemented a variety of physical, administrative and technological safeguards designed to preserve the integrity and security of the personal information we collect and to protect against unauthorized access to data. These include internal reviews of our data collection, storage, and processing practices and security measures, as well as physical security measures to guard against unauthorized access to systems where we store personal data. We restrict access to personal information to IXL employees, contractors, and agents who need to know that information in order to operate, develop, or improve our services. Vocabulary.com provides encryption for customer data as follows:

• Network connections to Vocabulary’s production environment utilize Transport Layer Security (TLS) or Secure Shell (SSH);
• All data stored in Vocabulary ’s production environment is encrypted at rest using AES-256 bit encryption; and
• All data stored on Vocabulary -owned laptops is encrypted at rest. Vocabulary employs automated log collection and audit trails for production systems.
• Connections originating from untrusted networks segments will be governed by firewall rules and other security safeguards that grant the minimal access required to access the intended service provided by the company.
• System passwords and access keys are stored in a privileged location accessible only to Vocabulary security administrators, and all credentials are changed from factory default settings.
• Production systems receive regular maintenance to apply security patches; and
• Physical access to systems requires security RFID badges and biometric authentication, and is limited to IT staff performing physical maintenance.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Third Space Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Third Space Learning Inc provide high-impact, high-dosage math tutoring to schools to accelerate math achievement and increase the number of students working at grade level. To do this, Third Space Learning use Littera’s Academic Support Platform. Littera’s Academic Support Platform is designed to enable schools and districts to design, deliver, and monitor tutoring programs that are customized to address the needs of their students.

PII is used to create and manage online accounts, communicate with teachers and students, and ensure that students identified by the school are receiving assistance through the program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Littera Education Inc, Salesforce, Xero.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Third Space Learning Inc use Littera Education Inc’s academic support platform (approved by NYCDoE under ERMA-N2B52030) where PII is protected and stored on US servers. Littera Education and Third Space Learning both place the utmost importance on privacy, safety, and security. All transmission of files or data to organization roster systems is done securely via HTTPS, using industry standards. When files are uploaded, they are stored in encrypted, non-publicly accessible databases. Littera and Third Space Learning uses Amazon Web Services (AWS) as its cloud hosting provider. The database along with all the cloud. infrastructure is hosted inside a private virtual cloud (AWS VPC). Only a limited number of personnel have access to this VPC.

Third Space Learning utilize two-factor authentication on all services (where available). Access will be granted based on the principle of least privilege, and access is removed immediately when no longer required.

Additional safeguards that Third Space Learning has in place include:

• Third Space Learning carry out extensive checks on our tutors including criminal record checks, checks on proof of id and address, at least two references and face to face interviews;
• Third Space Learning carry out safeguarding specific training, data privacy, and security training for all staff (including all tutors);
• Third Space Learning have safeguarding policies and procedures that are reviewed regularly and strengthened by 3 complementary policies: a Whistleblowing Policy, a Safer Recruitment Policy and a Code of Behavior for working with children;
• Third Space Learning have a designated safeguarding officer (DSO), a deputy DSO and a board level champion for safeguarding; as well as a Data Protection Officer (DPO).

In addition to these measures, Third Space Learning has additional built-in safeguards compared to most organizations that work with children:

• Tutors never physically meet up with the children: our tutors are based remotely;
• The only interaction is through Littera's tutoring platform which means the tutor and student can only connect at the predetermined time scheduled by the school using our secure platform;
• Tutoring is overseen by a member of school staff, or during periods of school closure, by a parent or guardian.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Thomson Reuters

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 1/1/2023 – 12/31/2027.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Thomson Reuters HighQ provides centralized case tracking and management to the Office. HighQ provides storage and access functions that include contact management, document assembly, document and electronic file management along with configurable records management, discovery management, and case status tracking. Out-of-the-box, HighQ secure cloud follows NIST SP800-63b guidelines, is IS)27001 certified, delivers highly available 99.9% uptime, offers banking grade encryption, and is monitored by TR personnel 24/7. With a complete audit trail and workflow stage configurable privacy settings, HighQ delivers enterprise-grade security standards.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity states “As a data processor, Thomson Reuters cannot access DOE’s data and will pass on any request relating to access or correction to the DOE. The HighQ platform is designed to allow the DOE to fulfill these requests without assistance from Thomas Reuters.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The HighQ platform is fully audited and accredited to meet information security standards. HighQ is ISO27001 certified, which ensures the controls and processes are in place to protect customer data. HighQ uses robust security measures including advanced AES 256 encryption, data back-up and a fully redundant infrastructure to guarantee uptime. HighQ is built around single-tenancy hosting, single jurisdiction hosting and we perform independent penetration tests on the platform. The HighQ platform provides a variety of tools and features that you can use to keep your information safe from unauthorized use. This includes credentials for access control, HTTP endpoints for encrypted data transmission, the creation of separate IAM user accounts using 2FA, and user activity logging for security monitoring.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Timely Schools

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2024 – 8/31/2025.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Timely is a secondary scheduling solution that will help a cohort of New York City Public School middle and high schools build their master scheduling leveraging its AI optimization technology and strategic support from a team of educators who know and have lived scheduling. This will require a combination of student, staff, course and rooms data.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Timely takes data privacy seriously. We have multiple controls in place at the organizational and technology levels to protect user data. Organizationally, we establish clear expectations on how user data is handled and who is allowed access to that data depending on need. We limit access to district and school data to only staff who are essential to provide services to those districts and schools. We provide training and require staff to utilize data security best practices, such as encrypting laptops, using work laptops for only Timely-specific activities, and sharing data only through approved channels. We have dedicated password managers to store and share credentials internally and with customers. We leverage outside experts to support us in our data security and privacy needs and to provide us feedback on our practices so they align with the latest industry standards. Additionally, we apply the NIST framework to continuously review and improve our security posture as an organization.

At a technical level, we have multiple controls in place to ensure data remains secure. We implement industry-standard SSO authentication for users and support district and school level authorization scopes for access to scheduling data. We utilize industry-leading cloud vendors to host our infrastructure, requiring encryption of data at rest and in transit throughout the application lifecycle. Data is transferred between our customer environments and Timely only through secure channels such as SFTP. Access to any shared infrastructure is managed through granular authorization scopes that provide access to only the parts of infrastructure that a staff member or system needs. We implement logging and monitoring of our applications and infrastructure throughout the technology stack to ensure visibility and auditability of any privacy issues. These and any other technical controls are continuously evaluated and improved as we seek to enhance our security posture for customers. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

TinyIvy

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. TinyIvy’s program provides instruction, materials and support to enable students in grades K-2 to learn to read at grade level, and for the teachers in the classroom to manage curriculum and leverage resources related to that instruction.

TinyIvy’s Explorer product includes the ability to place students into Reading Groups, to support the teachers as they manage instruction for those students. In addition, TinyIvy has resources for the Parents to use at home with their children, as well as apps that can be used in the classroom by the students. In order to sync the information provided to the student with what is happening in class, PII is collected as part of the account setup process and used to manage the student’s identity across these platforms.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud, Hubspot (for teacher contact information).

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. TinyIvy’s leverages world class PaaS providers that provide integrated services on secure architecture, minimizing weak links in our security profile through such actions. The systems have been designed for high scalability and maintainability, which includes security maintenance. Our specific safeguards and processes are described in our policies and procedures.

All information is encrypted in our platform both in-transit and at rest in the database, with all website delivering traffic over secure HTTPS protocols. Access is controlled via administrative roles and accounts require a NYC DOE secure email to access any system data.

Operationally, the TinyIvy team receives annual security training as well as briefings on key security changes to the application, and on additional requirements that are added to our security profile based on new school relationships we develop.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

TomorrowToday

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. TomorrowToday is a full-stack Career Readiness Platform. We tackle the critical issue of the changing workforce landscape and the increasing reliance on educators to ensure student career readiness. TomorrowToday streamlines career readiness program management, connects students to career awareness, exposure and development experiences that align with their goals and interests. We simplify skill acquisition tracking and engagement.

Our Service offerings include:

• Standardized Skill and Career Readiness Tracking: Leverage a built-in career readiness journey framework powered by automation and matching algorithms. This system aligns real-world experiences with pathways, skills, and competencies, while enabling the monitoring and tracking of educator efforts and student engagement.
• Broader Experience Integration: Manage a wide range of experiences, including internships, apprenticeships, and professional conversations, to support a complete career readiness journey.
• Dynamic Student Portfolios: Students can create and download portfolios in resume format, showcasing their skills and growth over time.
• Advanced Analytics: Deliver actionable insights to your school for tailored support and enhanced student engagement.
• Versatile Workflows: Utilize pre-built workflows for student and partner feedback collection, working papers management, mentorship programs, and other career activities.
• Enhanced Experience Marketplace: Expand your school's offerings with a diverse array of opportunities.

Value to Schools - Save time with centralized data and streamlined workflows, allowing more focus on direct student support and counseling. This enhances their ability to make informed decisions that align with student goals.

Value to Students - Students access diverse opportunities, exploring and developing career pathways and employability skills. With powerful analytics, TomorrowToday helps educators provide personalized support, equipping students with the skills needed to thrive in a dynamic job market.

TomorrowToday requires certain PII in order to provision accounts for educators and students, deliver TomorrowToday’s services, and provide in-app reporting on student progress towards career readiness for educators and parents.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s and written discretion, in a format agreed to by the parties; and Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS (Amazon RDS for PostgreSQL).

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All personally identifiable information is used and held in accordance with our privacy and security policies. TomorrowToday shall maintain the confidentiality of the shared student data or teacher or administrator data in accordance with federal and state law and the educational agency's policy on data security and privacy. TomorrowToday has the following administrative, operational, and technical safeguards and practices in place to protect personally identifiable information.

TomorrowToday shall:

• limit internal access to personally identifiable information to only those employees or subcontractors that need access to provide the contracted services
• encrypt data in transit and at rest at 128-bit encryption or better
• utilize two-factor authentication prior to access to personally identifiable information
• utilize antivirus and malware software on computers access personally identifiable information; conduct regular software security updates
• implement additional network and physical security measures consistent with commercially reasonable security standards used to help safeguard pupil records; monitor hosted and collected data for unauthorized intrusions using network-based and host- based intrusion detection mechanisms through its cloud hosting provider
• use access control and redundancy to ensure the resilience of the data collected and stored, through its third-party cloud hosting provider
• destroy personal data according to internal policy and external commitments
• require TomorrowToday staff members undergo annual privacy and security training.

 TomorrowToday will ensure that subcontractors and third-party service providers with whom TomorrowToday shares Protected Information abide by all applicable data protection and security requirements by entering into written agreements whereby such parties will perform their obligations in a manner consistent with the data protection and security requirements outlined therein.

TomorrowToday uses AWS and does not have their own physical data centers.   

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Tools for Schools

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/13/2023 – 7/13/2026

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Book Creator is online software for the creation and publication of eBooks. We use student/teacher/principal data to:

• Provide Book Creator and make sure you can use it properly and effectively;
• Manage and administer your account and the books that you create;
• Respond to any questions, requests, or complaints we receive from you;
• Communicate with you about Book Creator if we need to;
• Investigate potential illegal activities on Book Creator;
• Analyze use of Book Creator.

We will never use your information to target advertising at you based on your behavior. We will not build a personal profile of you other than for supporting authorized educational or school purposes, or as authorized by you (or by a parent or guardian if necessary). We also won’t use your information for any purposes except those above without letting you know and getting your permission if necessary.

Tools for Schools collects: full name; email address; school name (optional); grade level (option); any PII that is uploaded as book content (optional).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud Platform.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• All employees are vetting for working with student data.
• Continuous security compliance audit conducted by Drata. This includes user review access, information security policy adherence and both static and dynamic application security scans. We are aiming for SOC2 Type II certification by the end of 2023.
• Regular penetration tests conducted (at least annually).
• Data is encrypted at-rest and in-transit using industry standard mechanisms.
• Access to systems that store, process, or transmit data is controlled by a role-based access system. Users are authenticated by this system using a strong password and two-factor authentication (not SMS-based).
• Regular employee training (internally and by iKeepSafe) to ensure awareness of, and compliance with, COPPA, FERPA< GDPR, NY Education Law 2-d.
• All data stored in Google-owned datacenters in the continental US.
• All data in flight sent using SSL/TLS.
• Encryption at rest is AES 128/256 provided by Google Cloud.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

TPR Education

The exclusive purposes for which Protected Information will be used:To fulfill TPR’s obligations under its agreement with the DOE, including but not limited to test preparation and tutoring services.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Subcontractors do not have access to confidential data.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: For the term of the underlying agreement. At contract end, Protected Information will be deleted as provided in the underlying agreement between the DOE and TPR.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All data resides in the United States. Systems are protected using industry standard security practices by using a combination of encryption, role/group-based permissions, firewalls, and passwords.

How the data will be encrypted (described in such a manner as to protect data security): Data will be encrypted at rest using AES-256 at the disk level. SQL encryption on certain fields, and TLS 1.2 SSL for encryption in transit.

Transcend Inc

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Transcend offers a survey called the Leaps Student Experience Survey which assesses student experiences. One feature of the survey is being able to disaggregate the results by student identifiers, such as race or ethnicity. This is critical so that schools can understand and design models of learning which work for all young people and do not reinforce patterns of inequity. Transcend needs to collect student data (including PII) to associate the individual student responses with their demographics. No student PII is reported in a non-aggregated and de-identified manner to anyone, including the schools.

Transcend will partner with the Imagine NYC Schools Design Lab in a planning phase to co-design the approach and curriculum for a Design Journey, a new offering from Imagine NYC Schools to support schools to reimagine school by designing or redesigning their whole school model. This will be done through sharing of Transcend resources, professional developments, and giving participants in the project access to tools like the Leaps Student Experience Survey so that they can use it in their own design work with NYC schools.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure and Google Cloud.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data is secured in cloud based infrastructure that is accessible only by qualified staff using a 2FA system.

All staff is additionally trained on handling student PII and the training is reviewed annually. Staff must complete an annual competency review to ensure continued adherence to our data security policy and safeguards.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

TRIAD Consulting Strategies

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/01/2021 – 6/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. TRIAD Consulting Strategies provides critical wrap around Community School services and student supports intended to serve the whole child. Services focus on the four pillars: Collaborative Leadership & Practice, Family & Community Engagement, Expanded Learning Time, and Wellness & Integrated Support through programs including leadership development and civil engagement, professional development workshops, mentoring, and college and career readiness.

It is necessary for the Entity to receive or access PII, to conduct the services in order to effectively communicate with all relevant stakeholders (in the mode most conducive to them), track, document and update improvement metrics, and drive tangible outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google and/or Microsoft Cloud.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. TRIAD Consulting Strategies and any subcontractors and/ or affiliates will (at all times during the Term) use encryption to protect personally identifiable information in its custody while at motion or at rest and implement appropriate safeguards to protect the Personal Information that are no less rigorous than accepted industry practices (such as ISO 27002, ITIL or COBIT or other industry standards of information security), and will ensure that all such safeguards, including how Personal Information is processed, comply with applicable data protection and privacy law and comply with the terms of the contract.

TRIAD Consulting Strategies shall implement and maintain a written information security program, including appropriate policies and procedures that are reviewed for new risk assessments at least annually. Such obligation shall continue throughout the contract term.

At a minimum, TRIAD Consulting Strategies’ information safeguards shall include: (a) secure business facilities, data centers, paper files, servers, back-up systems and computing equipment including, but not limited to, all mobile devices and other equipment with information storage capability; (b) network, device application, database and platform security; (c) secure transmission, storage and disposal; (d) authentication and access controls within media, applications, operating systems and equipment; (e) encryption of Personal Information; (f) encryption of Personal Information when transmitted over public or wireless networks; (g) access controls, including logging of all access and exfiltration, and retention of such access control logs for a period of no less than one (1) year; (h) conducting external and internal penetration testing and vulnerability scans and promptly implementing a corrective action plan to correct the issues that are reported as a result of the testing; and (i) limiting access of Personal Information, and providing privacy and information security training to staff.

TRIAD Consulting Strategies and its employees will adopt the following measures:

• Employees will not at any time during or after affiliation TRIAD Consulting Strategies (TRIAD) disclose TRIAD Confidential Information to which they have or had access in any form (i.e., electronic media, paper, verbal etc.) to any unauthorized individuals.
• Employees will not access any record(s) they are not authorized to, including but not limited to the student or family records of any program member or co-worker.
• Employees will utilize and access only the minimum amount of information necessary for the performance of their duties.
• Employees will not access or request data on students for whom they have no professional relationship and/or legitimate TRIAD related purpose. If a given employee has reason to believe that the confidentiality of his/ her user log-in has been compromised, he/she will immediately ensure that the password is changed.
• Employees will respect the confidentiality of any reports and handle, store and dispose of these reports when necessary.
• Employees will not install or operate any non-licensed software on any TRIAD computer.
• Employees understand it is against TRIAD policy to electronically communicate student information to others outside of the CC/ school network.
• Employees are responsible for all e-mail messages generated from their e-mail accounts.
• Employees understand that the use of e-mail is for business purposes, however limited personal use is acceptable.
• Employees understand that the e-mail administrator may monitor TRIAD e-mail if noncompliance with the electronic messaging policies is suspected.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Tutteo Inc (also called Flat for Education)

The exclusive purposes for which Protected Information will be used: We use data solely to deliver the service Flat for Education.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: All subcontractors or employees that will access personal data have agreed in writing to protect the confidentiality and security of Customer Personal Data. They also receives regular personal trainings. 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: We will delete all the data that we and our sub-processors hold. NYC DOE can reach out to us in writing to ask us to return all data by secure transfer in such a format as notified by you to us.

[NYC DOE additional information: The current agreement became effective starting on December 17, 2020 and remains effective through the period during which Tutteo, Inc. possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. [NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): When stored all the data is encrypted (see point below). We also ensure that all our sub-processors abide by the same level of security and best practice we commit to.

How the data will be encrypted (described in such a manner as to protect data security): All Flat for Education's platform services encrypt the data while communicating with other services, whether internal or external. The data in motion is always encrypted using either HTTPS or TLS, whether between our microservices, databases and caches services, and between the different regions of our cloud infrastructure.

Flat for Education uses cloud disk storage and object storage that are encrypted at rest using 256-bit Advanced Encryption Standard (AES-256). This includes encryption at rest of our all backups.

Typing.com

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We will provide students with access to learn keyboarding and computer literacy skills. Administrators and teachers can monitor student progress through usage reports that track typing speed and accuracy. Personally Identifiable Information (PII), is needed to track progress and manage classes within the program. This information also facilitates student access to the program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Typing.com employs robust administrative, operational, and technical safeguards to protect data integrity and privacy. We adhere to NIST cybersecurity standards and maintain SOC 2 compliant infrastructure with strict access controls and regular employee training on data protection. Our operational measures include secure data handling, encrypted storage, and minimal risk exposure protocols. Technically, we deploy advanced security technologies like Web Application Firewalls, intrusion detection systems, and AES-256 encryption for data at rest, ensuring the strictest data access controls based on the principle of least privilege. We also conduct regular security audits, risk assessments, and system updates, supplemented by pre-hiring background checks, non-disclosure agreements, and comprehensive data management policies to safeguard data privacy and integrity.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

U Startups Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. University Startups will provide access to our digital Career and College Counseling Courses via the Canvas learning management system to the High School for Economics & Finance at City of New York and other NYC Public Schools. Specific courses and programs to be provided include (1) Social Entrepreneurship, (2) College Counseling, and (3) Workforce Development. Additionally, students will have access to the Impact Internship program. University Startups will publish the courses, provide training to facilitators, and provide support as needed. PII is used to make user accounts and to track student progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Canvas.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Any PII in the possession of University Startups that has been collected via its programs will be deleted within 30 days of the course completion. We will also conduct annual scans of our internal software tools to ensure PII is not saved (Google Workspace and Canvas LMS).

• Limited Transfer of Data
• Regular Security Audits
• Employee Training on Data handling
• Vulnerability scans
• Administrative Safeguards:
  • Limiting access to a minimal number of authorized personnel who have a legitimate need for such access. We anticipate this to be between 1 and 4 employees.
  • University Startups requires confidentiality agreements for any personnel with access
• Technical Safeguards:
  • University Startups uses Google Workspace and Canvas LMS to administer it’s courses and internship readiness program. Both programs offer encryption of data in transit and at rest, access controls, and implement regular backups.
• Operational Safeguards:
  • University Startups implements 2FA and MFA on critical systems such as Google Workspace.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

United Activities Unlimited (UAU)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/01/2022 – 6/30/2025.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. UAU is providing youth mentors who help identify the underlying causes of absenteeism and begin to address them through a wide range of interventions and support services through the collaboration of school staff. In addition, UAU provides school enrichment programs.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. When emailing Sensitive PII UAU will save it in a separate document and password-protect or encrypt it. Sending the encrypted document as an email attachment and will provide the password to the recipient in a separate email or by using phone. Documents will be saved in a file on the computer that is password protected and if the file is not needed again after mailing then the file is deleted. When documents are at rest they are encrypted with a password and well as being a password protect file folder. UAU will never email Sensitive PII to a personal email account. UAU does not leave Sensitive PII unattended on desk, printers, fax machines or copiers. Securing Sensitive PII In a locked desk drawer, file cabinet or similar locked enclosure when not in use.

When using Sensitive PII, UAU keeps it in an area where access is controlled and limited to person with an official need to know. UAU does not fax sensitive PII information.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

United Community Schools

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/01/2021 – 6/30/2022.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. United Community Schools (UCS) is an educator lead NYC based organization with a city-wide approach and reach. We help bridge the opportunity gap for students and families by providing academically rigorous multi-day in-school and after-school academic, general & mental health, food supports, arts and enrichment programs to K-12 students. To better served our student community, PII will be utilized to register program participants, determine their academic and social progress and for planning and course correction.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. UCS policies are designed to ensure that client information is protected. All client files are maintained in locked cabinets. Electronic data is securely stored. Access to data limited to authorized project personnel and on a need to know basis. Strict controls are maintained concerning the location and identification of stored data. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

University Settlement Society of New York

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Community School Program provides a variety of supportive services including mental health services and referrals, parental engagement, combating absenteeism, and professional development for staff. The program supports the school administration in all efforts to increase and improve the school's chronic absenteeism, parental engagement, and literacy rates and improve the overall culture and climate of the school community.

PII is needed to engage with students identified by the school as in particular need of support and provide one-on-one targeted counseling to ensure they can thrive academically, emotionally, and socially. PII is used to track attendance, monitor student progress in the social emotional supports provided and direct them to other services as needed.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft365; and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Administrative safeguards include policies, procedures, and practices implemented to ensure the overall security of systems and protection of data. This includes Security risk Management, written password policies, and an incident response plan to protect data. Security risk management includes prevention of phishing attacks through regular monitoring. University Settlement also outlines confidentiality of participant information in our employee handbook where it states that All staff must maintain confidentiality and provide safeguards for individuals against invasion of personal privacy. University Settlement has a comprehensive policy in place to govern the use of its Computer Systems by employees including policies regarding internet use, access restricts, data sharing, and employee monitoring.

Physical safeguards include Visitor Management of program sites where only staff can physically enter schools sites and administrative offices and Secure Storage for Equipment by locking rooms that contain PII.

Technical safeguards include industry standard security measures including encryption protocols that comply with New York law and regulations to preserve and protect PII. We utilize Multi Factor Authentication (MFA) as well as Proofpoint for digital security.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Universal Technologies

Type of Entity: Commercial Enterprise

Contract / Agreement Term: “Bid #R1653 mentions expected start date and end date as “ASAP – up to 24 months.”

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Troubleshooting applications containing PII - Sr. Technical Business Analyst. Technical Business Analyst will be working on the Universal Pre-Kindergarten Program (UPK). There is a student enrollment module which has student name, DOB, gender and address but this module is not a part of day to day activities for the Analyst. Access would only come into play if there are any technical troubleshooting/ application enhancements to this module which the Analyst may need to be a part of.

Type of PII that the Entity will receive/access: Student PII; APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Universal will not store PII and will only have access as long as we have access to DOE's systems (during the agreement).”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Processor has established a comprehensive set of administrative, operational, and technical safeguards and practices to protect the Protected Information received under the contract. These safeguards include:

• Administrative Safeguards:
  • Appointment of a Data Protection Officer responsible for overseeing data privacy and security. Regular internal audits and risk assessments to identify vulnerabilities and weaknesses.
  • Development and maintenance of data breach response and incident management plans.
• Operational Safeguards:
  • Access control mechanisms to restrict access to Protected Information based on job roles and responsibilities.
  • Regular employee training and awareness programs on data security and privacy. Documented policies and procedures for secure data handling and disposal.
• Technical Safeguards:
  • Encryption of data at rest and in transit.
  • Firewalls, intrusion detection systems, and antivirus solutions to protect against unauthorized access and cyber threats.
  • Regular software updates and patch management to address known vulnerabilities.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Urban Arts Partnership

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2022 – 6/30/2024, extended to 6/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Urban Arts Partnership will provide Community School services to The Facing History School through the end of the contract date of June 30, 2024. Community Schools are centers of opportunity with a shared leadership model so that academics, social services and supports are integrated into the fabric of schools. Urban Arts will provide high quality arts and technology based education as well as leverage strategic partnerships to support the following Community School pillars: 1) Rigorous academic programs with strong supports to prepare all students for college, careers, and post-secondary success; 2) School-based and school-linked programs and services that, based on a needs assessment of the community, address the comprehensive needs of students and their families; and 3) partnership cultivation that demonstrates collaboration with the local community, including by engaging families and other community stakeholders. Through the Community School model, Urban Arts seeks to support the whole community through collaborative leadership, family engagement, expanding learning time and wellness support.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE's option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Google Workspace with assistance from our IT vendor, Altourage.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.  Urban Arts Partnership (UAP) and its subcontractors will collect various kinds of PII data, including students' names, emails and grade levels. Electronic PII data will be stored on our custom-built CRM Platform and each authorized employee will have access through a two-step authentication password system. The data will also be stored on our drive and accessible via a secure password and two-step authentication as well. Data that is recorded on paper will be stored in our records closet, which is locked at all times with entry restricted to the Chief Operating Officer, Operations Manager, and the Director of Programs. Our records closet lives within a building that has extensive security measures - i.e. security in the lobby, no unauthorized entry by non-UAP personnel via the elevator and floor without a unique key access card that each UAP employee is assigned. Subcontractors will be expected to adopt similarly rigorous protocols and demonstrate to UAP's satisfaction that proper protocols are in place.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, the Entity agrees that PII will be encrypted using industry-standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

The Urban Assembly

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The UA’s Program Services & Supports derive from our mission, priorities, goals and guiding principles as detailed in our workplan, and some of these services utilize student PII for monitoring and analysis, to provide customized supports for each school. The UA model serves to meet and/or exceed the NYC DOE’s program goals and respond to state and city accountability frameworks in order to drive student success at UA schools and beyond.

Support areas include Algebra Success, Social-Emotional Learning, Data Exploration and Monitoring support, Early Career and College Awareness, Alumni Success, and Leadership development. These programs focus on customized program implementation in the real and varied settings of our partner schools, which requires visibility into the actual population of classrooms and rosters. This to allow for specific, targeted, and intensive coaching and support as well as monitoring of outcomes on student-level metrics identified for each program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. “As of May 2022, UA is putting this practice in place and expects it to be fully realized by July 2022: The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Vendor selected “Other: UA will safely maintain data until such time that the partnership with the NYC DOE is concluded. In that event, UA will destroy PII on a mutually agreed upon date to ensure that the data collected for this partnership is protected from unauthorized individuals.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. UA considers security of PII to be vitally important. As such, there are a range of administrative, technical, and physical safeguards in place, as described in further depth in our security policy. Safeguards include but are not limited to: endpoint protection, regular security training, encryption of organizational data, and limiting access to confidential information based on role and caseload.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

USA Scheduler

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Master scheduling solution for the schools, Google integration, School Administration Solutions. To build the master schedule, we need the school rostering information for the course, teacher and their section, students and their courses requests or selections. Google integration is optional and not crucial.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.” The vendor stated “Google can be used as SSO (Single Sign On) to make login more secure. Google will popup and the school needs to authenticate with Google. Only then can data be shared with the schools knowledge and permission.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Server login restricted
• Backups are encode
• SSL encryption
• Sensitive databased encode
• Database is restricted
• Two Factor Authentication

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Vanguard Direct

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. DOE data will be used for communication services for NYC Charter Schools. Data will not be sent to NYC Charter Schools.

Vanguard will use PII to print and mail communications to current and former DOE parents/guardians and/or students as requested by DOE schools, offices, and programs.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Information Classification and Handling–All information in the system will be suitably classified and role based security will be implemented to restrict access to classified information only to authorized roles.
• Account Management and Access Control–All user logins will be associated with authentication tokens that will be set to expire when certain conditions are met, for instance a specified period of inactivity. All access privileges in the system will be role-based and will be granted based on the job function of the user accessing the system.
• Encryption Standards–All confidential data will be encrypted in the system, at rest and in transit, using mutually agreed encryption standards and protocols.
• Secure Configuration–All system configuration will be securely stored and will not be accessible over the network. This information can only be accessed through physical access to the servers, which will also be controlled based on job function.
• Security Logging–All system and transactions will be securely logged to an audit log and will contain identifiable user information to establish a trail of events when needed.
• Vulnerability protection–Penetration testing will be performed with the help of security experts, where needed, to ensure the system is protected from known and potential threats.
• Patch management–System hardware and software components will be regularly patched when such patches are released by their respective vendors. Latest upgrade and security patches ensure the system is secure from all known vulnerabilities.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Variety Boys & Girls Club of Queens

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 9/2021 – 6/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We collect student and parent names and phone number for the community schools program. We provide support through promoting attendance, mental health services, homework help and more to the community of PS 112Q, the youth and families.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Hard copy documents containing student and parent name and phone number are locked in a cabinet in the CSD’s office.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Only authorized administrators have access to confidential data. PII is stored in hard copy in private offices away from public access and on cloud storage on ASAP Connected, the online registration system that Variety Boys & Girls Club of Queens uses. All staff will receive comprehensive training in Data Privacy and Confidentiality of PII through NYSED including training on data privacy policies and procedures, prohibiting electronic sharing of confidential staff or participant data, keeping data stored in hard copy in a private office. Staff must demonstrate understanding of data privacy policies before handling PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Varsity Tutors

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Varsity Tutors for Schools (VTS) will access personal information (PII) to provide services to schools and their students, and for no other commercial purpose. VTS is a leading education solution provider, offering personalized one-to-one and small-group high-dosage tutoring, 24/7 on-demand chat tutoring, and a range of robust learning resources. Trusted by more than 500 schools and districts, our tailored offerings empower educational institutions to meet their goals for student success and family engagement. PII is used to create individualized learning plans, report on progress, and to measure student growth. You can explore our comprehensive solutions at http://varsitytutors.com/school-solutions.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Process will ensure PII will be protected in accordance with the administrative, technical, and physical safeguards specified in this agreement. VTS uses industry standard best practices for administrative, technical and/or physical safeguards to ensure PII is protected and to mitigate data privacy and security risks. The VTS platform is hosted in a private AWS cloud environment for high availability and scalability. Amazon’s WAF (Web Application Firewall) restricts access and defeats malicious web traffic and DOS attacks. Data is encrypted in transit both externally and internally. The data stores are encrypted at rest and direct access is limited to the administrative team. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

ViewSonic Corporation

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 2/25/2022 – 2/25/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The myViewBoard® Suite is a purpose-built visual learning and collaboration platform to connect, engage and inspire through a comprehensive suite of apps, it empowers educators and professionals to work, teach and learn in their own way. More than just a digital whiteboard, the myViewBoard Suite empowers users to do everything from creating engaging content to managing multiple devices, and includes secure cloud storage, multiple presentation options, video-assisted learning and so much more.

myViewBoard only collects and stores first name, last name and email address of its users for the purpose of identifying users within its collaboration platform.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. myViewBoard software has different levels of safeguard to ensure PII data security. For access control, myViewBoard implements a least-privilege model with segregate data access for private data. For data handling, myViewBoard encrypts all private data during information transmission. For details about the workflows and terminologies, please refer to https://myviewboard.com/white-paper/security.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Vision 2 Vision Organizing

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Visions 2 Visions Organizing LLC will sort, categorize, transfer, and organize school files at DOE sites. PII may be accessed to effectively organize documents in the manner requested by the DOE.

Type of PII that the Entity will receive/access: Student PII, APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data)

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “No data is stored or hosted by Vision 2 Vision LLC.”

Challenges to Data Accuracy. “No data is stored or hosted by Vision 2 Vision LLC.”

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Vision 2 Vision Organizing LLC personnel will require a confidentiality agreement for all personnel, with access to files, implement employee best practices, for handling physical files and limit access to company personnel only. We’ll transfer physical files securely, by having one of our company personnel, in the designated drop off location, at all times, to ensure no one other than Vision 2 Vision Organizing LLC personnel, have access to the files. All files will be transferred using equipment that makes it easy to stack, move and drop off, at the designated location easily, with another member handling and guarding the files, at all times. When the designated location is not in use, the space will be secured, with a lock that only a minimal number of authorized personnel will have access to.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Visionaryz

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Visionaryz Inc. will provide the DOE with Staff Augmentation and Project-based work models for various programs. Visionaryz provides IT Project Management, Business Analysis, Software Development, UI/UX Design, IT Infrastructure and Network Operations, and Quality Assurance services. Access to PII is necessary to troubleshoot issues, provide adequate support, and develop initiatives.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Other: No PII will be stored or hosted by Visionaryz Inc. (the entity). Visionaryz Inc. is only providing a staff augmentation resource.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Visionaryz Inc. has policies for access to confidential restricted information, policies for Client Data Security Policies and Protocols, and training procedures on Visionaryz Data Security and Privacy Policy, and training to reduce the risk of authorized disclosure. Additional safeguards include policies limiting data access, sharing data, and accessing confidential and restricted information.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Other: Visionaryz Inc. will not receive, store, access, or host PII. Visionaryz Inc. is only providing a staff augmentation resource.”

Vista Higher Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Vista Higher Learning creates and delivers high-quality, integrated print and digital solutions that meet the needs of all language learners—those learning a new language, improving a second language, or perfecting their native language.

Specifically, the digital solutions provide teachers with learning content, assessments, and course management tools built exclusively for language learning. Additionally, VHL solutions support common educational single sign-on (SSO), rostering, and learning management system (LMS integration standards.

VHL receives or access PII for the following purposes:

• To facilitate and enable the registration, access, and operation of VHL Digital Products;
• To respond to teacher requests for product support or customer service;
• To personalize the use of and experience with VHL Digital Products; and
• To monitor and improve the overall performance and quality of VHL Digital Products

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.  

• VHL shall only collect PII in an amount that is reasonable to accomplish legitimate business purposes or necessary to comply with other state and federal regulations;
• VHL shall limit access to PII to those persons who need it to accomplish a legitimate business purpose or otherwise comply with other state or federal regulations;
• VHL shall undergo an annual SOC 2 Type 2 Security audit by an external, professional auditing firm.
• All VHL employees, vendors and independent contractors with access to PII shall agree to confidentiality terms and undergo appropriate security training.
• VHL shall maintain and operate appropriate incident response and investigation processes and procedures in the event of unauthorized access or use of PII. These include prompt steps to mitigate the access, evaluate and respond to the events, notify users affected by the access, and engage appropriate auditors or examiners in connection with the access.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Voces Digital

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Voces Digital provides world language curriculum in a browser based program. We access PII for the following reasons: To confirm your identity; To respond to your questions and provide related customer services; To monitor and protect the security of our information, systems and network.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Quantum Services Group.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Security Policy: All data is encrypted both in transit and at rest. Data is stored with a hosting company that is: Policy Compliant - SOC 2 Type 2 Audited, HIPAA Audited, and PCI Compliant. Data servers are stored in a facility with the following security measures:

Minimize Risk of Loss and Theft

• 24/7/365 Manned Facility
• Closed Circuit TV Security Cameras
• Monitored 24/7/365 by 3rd Party Security Company
• Site Entrance Controlled by Electronic Perimeter Access Card System

Minimize Risk of Damage

• High Security Facilities
• Data Centers Privately Owned and Operated
• Disaster Neutral Geographic Locations

Security Zones

• Office Space Separate from Data Center Space
• Advanced Proximity Credentials Required to Access Data Center
• All Employees Receive Full Background Check
• Key Locked Physical Server Rack Enclosures
• Component Level Redundancy Available for Hard Drives. 
• Hot and Cold Spare On-site Servers Available

Entry Security - Access Controls

• Exterior Entrances Secured by Mantraps with Interlocking Doors
• Access to the Data Center Space Requires Secure Credentials

Uninterruptible Power Supplies (UPS)

• Multiple N+1 MPS Generators
• Multiple Fuel Contracts Ensure Fuel Availability for Generators
• Multiple N+1 UPS Systems with 30 Minute Minimum Runtime.
• Server Chassis Feature Redundant Power Supplies
• Server Chassis Have A/B Power Configurations
• Four 10 Megawatt Feeds Available
• Diverse Paths from Substation

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

VolunteerSpot (also known as SignUp)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SignUp provides a SAAS website that facilitates signing up for, coordination of, and reporting associated with activities like bake sales, classroom volunteering, and general school and community volunteering. The specific services are up to the initiators of the activities, SignUp is a tool to make getting things done easier. No PII will be received from the NYC DOE. Individuals may at their discretion on sign up for events organized and at that point disclose name and email. Name does not have to be a legal name it can be any nickname or identifier, email is optional.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Data destruction must be implemented by the customer. When they have completed their use of the system they delete the planned activities and those deletes cascade, deleting all associate customer data that is not in use by another activity. By deleting all signups on their dashboard the data will be deleted and after 60 days will cycle out of the backups or the backup keys will rotate rendering it unreadable.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Signup uses industry standard best practices around data security with all traffic encrypted between the client and servers, data encrypted at rest (Amazon EBS encrypted volumes with rotating keys), and Amazon physical security practices https://aws.amazon.com/security/. Regular scans and a robust responsible disclosure program keep out public facing surfaces well covered. Internal security best practices and OWASP checklists keep the internal surfaces reviewed.

All data is domiciled in the US and not exported. All support and engineering personnel US based and subject to background checks, security policy processes, and nondisclosure agreements.

Customer data is only accessible in the context of a support request, all accesses are logged with an audit trail from end to end.

In the event of a breach (which has not happened since the company founding in 2009) customers will be notified within the contracted SLAs by email, not to exceed 24 hours.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Votenet Solutions, Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 6/1/2022 - 5/31/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. Votenet Solutions provides the software deployed for the nomination and election of Community and Citywide Education Councils. The nomination process involves the completion of an application which has and requires PII as it relates to the parent being nominated and the student relationship to be considered and vetted by the DOE. Once the application process concludes, the DOE who is in-charge of vetting each application, confirms the qualification and consideration of the candidate for the election. Without the PII in the application, the DOE cannot complete their vetting process. As for the voting process, we need PII in order to conduct the verification of the voter accessing the election to ensure they are voting in the council they are eligible and qualified to vote on.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. AWS.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The below details how the Policy establishes the Access controls among the various entities accessing its IT Systems.

• THIRD-PARTY/ VENDOR COORDINATION
  • The InfoSec Center of Excellence (InfoSec CoE) at eBallot coordinates with vendors/ third-parties to implement and maintain security controls, to safeguard eBallot information assets from unauthorized access by individuals or devices. Active Directory accounts are established through Help Desk ticket requests.
  • Vendors/ third-parties work with their eBallot development managers, account managers, and the InfoSec CoE to determine how access is managed and who, under what circumstances, may access eBallot's information assets.
  • Application Development managers serve as owners for the eBallot application systems that their teams support. Requests for application access go through the application development managers which are then further approved by both the eBallot Account Manager and the InfoSec CoE.
  • Access to specific parts of the network for administrative work is approved by the information asset owners (in most cases this is the Account Manager unless otherwise mentioned). 
• COMPLIANCE DEVIATION PENALTIES
  • For eBallot employees, failure to comply with the procedures identified in this policy may result in progressive discipline up to and including termination of employment.
  • For eBallot vendors/ third-parties/ non-eBallot personnel, failure to comply may result in removal of the individual’s ability to access and use eBallot data and systems. Employers of non-eBallot personnel will be notified of any violations and respective disciplinary action would need to be undertaken as stated on the contractual agreement with the specific vendor/ third-party.
  • All personnel employees/ vendors/ third-parties are also subject to any applicable penalties for statutory requirements compliance violations. Depending on the requirement and the nature of the violation, penalties could include fines and/or criminal charges. In addition section 4.5 speaks to the Access Management policy for Users and the strict implementation of the policy for Least Privilege Access which ensures that at no point, do any resources have unauthorized access to Votenet’s business or client data. See below.
• LEAST PRIVILEGE ACCESS
  • Both the InfoSec CoE and eBallot IT must ensure that the principle of least privilege is employed for eBallot Information Assets to ensure that users (or processes acting on behalf of users) are allowed only authorized access necessary to accomplish assigned tasks, in accordance with job duties, consistent with/ applicable Executive Orders, directives, policies, regulations, standards, and guidance.
  • For the Information Assets that it supports, eBallot IT employs the principle of least privilege, which allows only authorized accesses for users (or processes acting on behalf of users) necessary to accomplish assigned tasks in accordance with job duties
    • eBallot IT explicitly authorizes access to system utilities, by requiring that they only be made available to those with a legitimate business case.
    • eBallot IT requires that system administration accounts (e.g., root access) be limited to as small a group as possible and based on the principle of least privilege.
    • eBallot IT requires that any administrators first login as themselves (ordinary user) before escalating privileges to that of an administrator.
    • eBallot IT implements safeguards to prevent non-privileged users of Information Assets from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
    • eBallot IT restricts privileged accounts on the Information Asset to defined personnel or roles (defined in the applicable security plan).
    • eBallot IT audits the execution of privileged functions.
    • All eBallot IT-supported Information Assets prevent non-privileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/ countermeasures.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Waitwhile

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 4/13/2023 – 4/12/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Waitwhile is a cloud-based Virtual Queue Management solution that is used to eliminate physical lines, improve waiting experience for customers and reduce wait times overall. Our customers can configure what contact information to collect, how to manage a virtual queue or customers and send text or email notifications. The system will also allow end users to use basic UI to manage a self-serve experience for customers to enter themselves into a virtual queue. The system provides basic store capacity counting with data to show how long wait times are.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Our organization is dedicated to preserving the privacy and security of your data. We have established a comprehensive privacy policy, robust data management procedures, and a fortified infrastructure. Access to sensitive information is stringently controlled, and we consistently monitor and evaluate our systems for potential vulnerabilities. Our employees undergo background checks, receive security training, and adhere to confidentiality agreements. Furthermore, we employ sophisticated encryption measures and conduct annual penetration testing to ensure the utmost security of our products. If you have any inquiries or concerns, please do not hesitate to reach out to us.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Wakelet

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. PII will be received in order to create and maintain secure accounts in the Wakelet platform Wakelet is a web-browser based platform and app that empowers students to take their futures into their own hands. It helps them capture, organize and showcase the things that make them so much more than a standardized test score alone. Students and teachers bookmark, curate, collaborate on and share links, documents, videos, text and any other digital resources all in one place in a visually engaging and meaningful way. Students operating in a Wakelet workspace will be able to share content with their teacher only for assessment and feedback.

Through Wakelet, students can save and share (with their teacher only) their academic achievements, extracurricular accomplishments, personal development, and anything else that helps evidence their talent and skill. Through the maintenance of a Wakelet portfolio, they’ll gain a real advantage when it comes to college admissions and employability. The administrator of accounts designated by the DOE have oversight of all student work and have control over all permissions by grade level. Student work will be set up so that it is only viewable by their teacher in a closed classroom environment.

Educators can also use Wakelet in many ways, including to curate and share learning resources, create lesson plans, deliver newsletters, create collaborative projects and set assignments for students.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Wakelet takes the privacy and security of data very seriously. The following steps have been taken to ensure and mitigate risks:

• limiting employee access to student data based on roles and responsibilities;
• conducting background checks on employees who have access to student data;
• conducting privacy training that includes FERPA for employees with access to pupil data;
• protecting personal information with technical, contractual, administrative, and physical
• security safeguards in order to protect it from unauthorized access, release or use.

Data Center Security: Wakelet utilizes data centers operated by AWS who have extensive experience in designing, constructing, and operating large-scale data centers. AWS has certification for compliance with ISO/IEC 27001:2013, 27017:2015, and 27018:2014. ISO/IEC 27001:2013 Compliance - Amazon Web Services. AWS aligns with the CSA STAR Attestation and Certification based on the determinations in our third-party audits for System and Organization Controls (SOC) 2 Reports and ISO 27001:CSA - Amazon Web Services. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Walsworth Publishing Company

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2022 – 9/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. PII data collected is used for the publication of the yearbook. We collect students’ names, images, and grade levels, which are then printed in the final product. We collect parents’ names and addresses when they order yearbooks online, and we use their address if they have requested home delivery.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data privacy is crucial for everyone, and to ensure its protection, we rely on three key aspects: administrative, technical, and physical safeguards. Administrative safeguards involve creating policies, procedures, and guidelines to control who can access sensitive information. Technical safeguards make use of tools and technologies, such as firewalls, encryption, and passwords, to protect data from being accessed by unauthorized users. Physical safeguards are the tangible measures, like keeping files in locked cabinets or secure rooms, to prevent unauthorized access to data storage locations. These three aspects work hand‐in‐hand to maintain the privacy of our valuable personal information and keep it safe from misuse.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Wayside Publishing

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 8/23/2022 – 8/23/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Wayside Publishing’s® mission is to empower the next generation of global learners. Our Learning Site® provides engaging and equitable online tools and resources that foster active learning, allows for innovation and personalization, builds a global community, and creates an online ecosystem that depicts what users can do with languages. Through our content, activity types, and technology, students are given choices, have flexibility, make connections, set goals, and collaborate amongst classroom communities to apply learning to real world challenges.

We collect, maintain, use and share Student Education Records only for an authorized educational purpose in connection with the Services, or as directed by the School, the Student User and/or the student’s parent or legal guardian (a “Parent”). The following types of student PII (as defined in FERPA) that Wayside Publishing will receive or access are as follows:

• Activity Task Answers
• Audio & Video Recordings (associated with Activities/Tasks or Forums)
• City
• Email
• First Name
• Gender
• Last Name
• Password
• Proficiency Self-Assessment Results (Cando's)
• Profile photo
• Rostering/Integration ID Number
• School NCES ID
• SIS ID Number
• State
• Survey Responses
• User ID Number (Wayside identifier)
• User Type (Teacher vs Student)
• Username
• Vocabulary Grades
• Vocabulary Performance Reflection
• Zip Code

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services (AWS), Google Analytics, Nualang, Quickbooks, Salesforce, Sentry, and Shopify.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Wayside Publishing performs regular internal network penetration testing, external network penetration testing, and web application testing using a third-party cybersecurity vendor. Wayside Publishing also engages with a third-party cybersecurity vendor to perform regular application security scans of the Learning Site. A NIST  cybersecurity framework maturity assessment was also performed by a third-party cybersecurity vendor with an objective of identifying optimal changes that can be implemented to ensure Wayside's security program is relevant and sustainable.

Wayside Publishing's Learning Site follows OWASP requirements and data is stored using Amazon Web Services (AWS) and encrypted at rest using no less than 256-bit AES. District passwords and data transmitted through web browsers are encrypted in transit using TLS 1.2 protocol when requested, by default we use TLS 1.3. Wayside Publishing is constantly working to reduce the likelihood and data security impact of security issues.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Westat

Type of Entity: Research Institution or Evaluator

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Study description: The NYCDOE ONPS is seeking help in capturing data for the Title I Part A program in a more concise and usable way to more effectively monitor both the implementation and the impact of this program. To meet this need, Westat will leverage our organizational strengths to help ONPS identify and define desired Title I outcomes among their nonpublic school population, develop efficient means for gathering critical monitoring and assessment information, and provide useful and timely analysis of both primary and extant data sources.

Purpose: Westat will receive and access PII to analyze administrative and student achievement data in the nonpublic schools participating in the Title I Part A program. The analysis of these data will allow Westat and ONPS to examine a range of academic and behavioral student outcomes across the schools in the study.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Data will be delivered or returned to NYCDOE via the Westat Secure FTP server unless otherwise directed by NYCDOE. Media not containing sensitive information are disposed of conventionally. Media containing sensitive information are erased, purged, or destroyed.

• Hardcopies containing sensitive information are destroyed by shredding.
• Storage media and devices are cleared by a Common Criteria validated secure-erasure tool, purged by degaussing, or destroyed.
• Data (e.g., files, databases) stored on shared assets are backed up and/or archived, and the network directories and underlying data sets are cleared, purged by secure erasure, or, if necessary, the drive(s) extracted and destroyed.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Westat employs administrative, technical, and physical safeguards to ensure PII is adequately protected within the Westat environment. These safeguards align with the security standards and requirements established by the Federal Information Security Management Act (FISMA); Federal Information Processing Standards (FIPS) publication 199; Standards for Security Categorization of Federal Information and Information Systems; FIPS-200, Minimum Security Requirements for Federal Information and Information Systems; NIST SP 800-53, and Security and Privacy Controls for Federal Information Systems.

Administrative controls ensure that all staff (including systems support) are properly screened, verified, and trained. Westat’s Background Screening Unit coordinates with Federal agencies to provide the information needed for any necessary background checks. Each Westat employee and contractor is instructed in Westat’s data security policies, standards, and procedures. Westat employees and employee-equivalents are required to take Westat information security awareness training annually, and to take agency information security awareness training as required. Westat security awareness training includes information about insider threats.

Technical controls are primarily implemented and executed by mechanisms contained in the hardware, software, or firmware components of the system. Users of the system(s) must be properly authenticated before access is granted. The Westat network requires two-factor authentication while the Survey website requires a unique PIN. The project director approves all requests for accounts or rights assigned to Westat accounts. Westat keeps system logs containing access information to support reviews and/or investigations about who has accessed project data on various servers. Westat monitors accounts for repeated logon failures, login date and time, and session duration. Atypical usage is reported to the hosted project system manager. Westat uses automated tools to scan for vulnerabilities on servers and websites. Newly discovered vulnerabilities are reviewed and prioritized for remediation. Westat maintains two data centers in continuous operation with fully redundant capabilities, each acting as an alternate processing site for Westat information system resources. Westat's network consists of a system of redundant firewalls and redundant Internet connections to support actively managed websites, email, and list servers. The data centers are supported by Diesel-powered backup generators that permit the continuous operation of the data centers in case of long-term utility power failures.

Physical controls have to do with the protection of the physical environment where the system resides. Access to Westat facilities is controlled at all times through the use of magnetic key cards assigned to individual staff, certain contracted consultants, and, in a few approved cases, selected vendor staff with established long-term business relationships. In addition, all staff are issued photo identification cards which must be visibly displayed at all times. Every use of the magnetic key card to enter a particular building or area is recorded in an electronic log for security and tracking purposes. Visitors are required to sign in with a receptionist and receive a day pass. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Western Psychological Services (WPS) (also called Manson Western)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Web-based assessments used by educators/practitioners (e.g., school psychologists, speech and language pathologists, occupational therapists, reading specialists, social workers, teachers, and others) in the areas of autism, dyslexia, oral language, sensory processing,  social/emotional/behavioral development, cognition, and adaptive functioning, to improve clinical evaluation, inform diagnosis, guide intervention, and monitor student progress.

PII is used to make client profiles, to score assessments based on normative data, and to track student progress. PII is used to allow school staff to communicate student assessment data, progress, and interventions with parents.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. WPS has implemented an Information Security Program and a set of Security Controls that are automatically monitored in real time by utilizing a cloud-based security and compliance solution that helps us establish, maintain, and automatically monitor our Information Security Program. We perform rigorous security testing including threat-modeling, automated scanning, and third-party audits. If an incident occurs, we resolve the issue quickly using our security incident response practices and keep all relevant parties informed.

WPS employs, but is not limited to, the following safeguards to protect PII:

Administrative safeguards by WPS:

• Designated security officers
• Security awareness and training
• Incident response, disaster recovery and business continuity procedures
• Internal risk assessments
• Policy reviews process
• System activity logging

Technical safeguards used by WPS:

• Unique usernames
• Role based access
• Data encryption in transit and at rest
• Multi-layered security infrastructure (firewalls, Anti-malware, MFA, session timeouts)
• Audit logging

Physical safeguards used by WPS:

• Key card access
• Video surveillance
• Secure data destruction
• Data backups stored offsite
• Company enforced acceptable use policy

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Westhab Inc

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Westhab’s services include academic support, enrichment activities, social-emotional learning, and mental health support during school hours and out-of-school hours, holiday breaks, and summer. As the lead CBO, we will assist the school administration and school community in assessing and addressing the needs identified for the school. Westhab Inc. receives or accesses PII to gauge attendance rates during the school day and the rate of participation of students in the afterschool program. In addition, the data is used to contact parents to address attendance issues or assist the school administration in addressing chronic absenteeism.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All physical data is kept in a locked file cabinet and only certain staff have access. Westhab employees with access to the files are instructed to not remove them from the Department of Education site or to make copies of them without authorization. After school staff will have access to a dedicated Chromebook device provided by Westhab that is on the school’s network and meets their safety and security standards. Westhab Inc. will use dedicated web-based computers with no local storage to track student attendance in our after-school program. Electronic student is only accessible by a limited number to Westhab Staff. All Westhab staff conduct annual training on email and data privacy and security that includes identifying phishing and scams.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

WeVideo

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. WeVideo is an online collaborative video editing platform with interactivity features. We are collecting PII such as Name and email address for the purposes of account authentication and management, IP address for backend functionality, and user generated content for the creation tools. In addition to this, behavioral analytics are collected for product improvement purposes and survey answers are collected for coursework responses.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS, US-East-1 (N. Virginia).

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. WeVideo follows NIST CSF best practices has attained SOC 2 Type II attestation. Regular vulnerability scanning and penetration tests are performed. Multi factor authentication is used where possible and employees undergo cybersecurity awareness training on a regular basis. AES-256 encryption is utilized and data is encrypted in transit and in rest. Principle of least privilege is utilized, and the data collected from users is the minimal needed for functionality purposes.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Wheelchairs Against Guns

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We will be privy to student PII for programing purposes only, will include to keep track of program attendance and grades if need be. The purpose of the PII will be to keep track of student who are apart of the program. WAG will conduct workshops that will include conflict resolution strategies, critical thinking techniques, self-esteem building, and financial literacy. Theses workshops will be conducted during school hours from 12pm-2:25pm Mon, Weds, And Fri for the duration of FY 22-23. There will be 2 assigned facilitators that will present the workshops to a selected body of student. The purpose of the PII will be to keep track of student who are a part of the program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE's option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Apple iCloud.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All staff must pass a thorough training course on the importance of storing and securing students PII to a 128 encrypted software and iCloud as our subcontracted entity. All info is wiped clean from all former employees assigned iCloud as all hardware and software is returned to WAG.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

William H. Sadlier, Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 2/1/2017 – 1/31/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. William H. Sadlier Inc., an existing contracted vendor for Educational Software with the New York City Department of Education, provides schools with programs identified within the contract on Sadlier Connect.

Sadlier Connect is a single sign-on learning platform that supports schools with content in the areas of K–12 English Language Arts, Grammar, Vocabulary, Reading, and Mathematics and supports administrators and teachers by providing easy access to high quality programs and the ability to create assignments, generate detailed reports, and identify recommended resources to lead students toward meeting the expectations of grade-level standards.

Sadlier Connect also supports learning inside and outside of NYC classrooms, students and families have access to free engaging, program-specific games and digital resources in a variety of formats (audio, video, and interactive) that can be accessed anytime, anywhere, on most Internet-accessible devices.

We will use the Personal Information that we collect from students solely for the use and benefit of the NYC DOE, including providing the Site's educational services to its registered accounts. We do not use the Personal Information that we collect from students for commercial purposes not related to the provision of the services requested by the NYC DOE.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

“For subscriptions to Sadlier Connect, NYC DOE data will be destroyed/returned following the earliest of the following events: a written request from NYC DOE for destruction or return of data; or the date when the data is no longer needed to provide the services, or the date of the expiration or termination of the agreement.” In addition, the Entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Sadlier Connect uses Amazon Web Services (AWS) Key Management Service (KMS).
• All data is transferred to/from Sadlier Connect using HTTPS/TLS.
• Data is encrypted in transmission using the current SSL and TLS standards and at rest at no less than 256-bit level encryption.
• The development team primarily develops on lower tiers, and when they work in our production environment, they use scrubbed or synthetic data (i.e., email addresses and passwords are altered.)
• Vulnerabilities are triaged and repaired according to scope and severity.
• Intrusions are prevented by a defense-in-depth strategy including software and virtualized hardware firewalls and strict limitations on the personnel who are authorized to access our infrastructure. We continue to evaluate improvements to security protections. All job applicants who have accepted a job offer are required to go through a background check through an external vendor. Additionally, HR conducts reference checks for all potential employees prior to their starting with Sadlier.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Wilson Language Training Corporation

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2023 – 6/30/2029

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. PII will be used in connection with the provision of FUN HUB, a teacher tool that provides downloadable PDFs and videos to aid in teachers instruction and professional learning.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Wilson Language Training Corporation (“WLT”) collects student name, School, grade, Fundations® Level, and Fundations assessment scores for students. With respect to educator data, WLT Corporation receives the following information: first and last name, school name, school district, school email address, and other information about the Educator’s School. WLT provides for administrative, operational, and technical safeguards, including encryption, firewalls and password protection. These safeguards meet in the requirements of applicable law, industry standards, and best practices. Safeguards include:

• User Access. Use of an account and a password is required to access our Digital Products. We do not offer Users, including Students, any way to login to our Digital Products through social media tools.
• Employee Access. Access to Customer Data is limited (through user/password credentials and two factor authentication) to those employees who require it to perform their job functions. Our employees with access to Customer Data will receive training on data privacy (including on FERPA and New York Education Law 2d) prior to receiving access and on an annual basis thereafter. All employees must sign a confidentiality agreement before they join the company, and background checks are conducted as part of the onboarding process. We conduct phishing and social-engineering awareness testing and education for our employees.
• Storage and processing. Student Data is stored in the United States. We maintain strict administrative, technical, and physical procedures to protect Customer Data stored in our servers, which are located across Tier 1 data centers that are logically and physically separated locations. Our hosting provider implements security measures in accordance with industry standards.
• Encryption. We use industry-standard TLS 1.2 encryption technology to safeguard the account registration process and sign-up information. Other security safeguards include but are not limited to data encryption, firewalls, and physical access controls to building and files. Data is encrypted during transmission and at rest.
• Device Controls. We encrypt all of our employee laptops, and those devices are centrally managed and covered by anti-virus protections which are updated periodically. Laptops are password protected.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Wonder Workshop

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement has an End Date: 08/10/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We use student names (profiles) to save and progress through our curriculum and save their programs to the cloud.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the Entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Backups are encrypted. User data is only available in secured databases on the cloud. Test environments do not use production user data. Test environments use the same security controls as the production environment, with separate security keys. Data in transit encrypted via TLS. Data storage and backups encrypted with AES 256.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Worked, Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 5/16/2022 – 5/27/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Worked, Inc. is creating a 20 hour Cybersecurity Externship which is a Work Based Learning Program for NYC DOE high school students to engage with Cyber careers.

Type of PII that the Entity will receive/access: Student PII

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We collect the minimum amount of data required to successfully operate our programs. In the case where information is obtained from a student that is under the PII label, we only keep that sensitive within our lead teacher, leadership, and lead host team members. Everyone is trained on the right practices. All sensitive data collected in our service is encrypted and aligned with best practices and we have controls which support this collection and data use.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Writable

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Writable scaffolds student learning and builds lifelong writing and reading skills for students in grades 3-12, while saving teachers time on daily instruction and feedback. Working with 16,000 schools and districts, Writable provides formative assessment and feedback tools for teachers and district leaders to assign, grade, and monitor writing growth.

Writable needs to collect student PII in order to identify students in the system and for teachers to manage writing assignments to students in their classes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., (US regions only) using RDS, ElastiCache, OpenSearch, and S3.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Writable hosts its networks and services in US regions of Amazon Web Services (AWS) in accordance with the Shared Responsibility model. AWS is widely recognized as a security leader with multiple certifications for SOC 2, ISO 27001, FedRAMP, and many other compliance programs. Attestments for these certifications can be supplied upon request.

Role-based access controls and system-level policies limit access to all user data. Authentication cookies automatically expire after a period of disuse and only one device can be logged into Writable as a given user at a time. Passwords are secured using a one-way salted hash.

Writable provides federated login allowing Controllers to own and manage the user accounts, only authorizing Writable for permissions requested and only when they are needed.

All network transmissions are encrypted using TLS including browser connections and server-to-server. Encryption at rest utilizes strong AES-256-CGM symmetric encryption with securely managed rotating keys. Encryption at rest utilizes TLS 1.2 or better with no weak ciphers (those based on RC4, MD5, DES, 3DES, or anything with a key length less than 128 bits).

Product environments run in dedicated software defined networks logically separated from any other environment. Access to the network requires VPN connection secured by strong passwords and multi-factor authentication. Network access control lists rules prevent unauthorized connections to all APIs and databases. Access to public web interfaces pass through a web application firewall (WAF) to detect malicious access attempts.

Subcontractors are not granted access to PII. Production data made available to subcontractors is either aggregated or otherwise de-identified prior to transmission.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

WSD Digital (also called ReFrame Solutions)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/19/2021 – 7/19/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The ReFrame system is housing student first name and last name. The ReFrame System is housing parent or guardian phone number only. The system receives updated student first name and last name from school Principal. Parent phone numbers are received from school Principal. This PII data is used for communication purposes only for the Bronx Technology and Engineering Academy.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ReFrame Engage is delivered on a SaaS (Software as a Service) basis, with Cloud hosting supplied by a secure, highly reliable, and redundant AWS Cloud (using geographically diverse data backup). The application is designed to provide access to data on a need-to-know basis, always protecting PII and privacy including the segregation or suppression of sensitive data where appropriate based on Role Permissions. All data is encrypted in transit and at rest. Employees undergo annual cybersecurity training as part of HR policy.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Xello Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: Starting on 11/3/2021

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Xello provides college & career readiness software that allows students to discover relevant college, university, trade, military and career options based on their personality, skills, and knowledge. Xello requires certain PII in order to provision accounts for teachers and students, and for teachers to be able to interact with their students.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

Physical Controls:

• Environmental control (constant temperature and humidity maintenance, particulates filtration), fire suppression systems, redundant power sources and UPS backup.
• Round the clock physical security (card entry, video monitoring of the facilities).
• Data center access logs (Azure).

Technical Controls:

• Logging and auditing of network access.
• Continuous monitoring (SIEM)
• Firewall & endpoint protection.
• Network segregation.
• Encrypted data in transit through the use of TLS 1.2

Administrative Controls:

• Utilization of the principle of least privilege.
• Vulnerability testing.
• Security awareness training (including FERPA and COPPA).
• Criminal background checks on all employees.
• Employee NDAs.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

xSEL Labs

Type of Entity: Commercial Enterprise. “xSEL Labs is a commercial enterprise hired by the American Institute of Research to use our product, SELweb, as an outcome measure in the AIR Harmony evaluation study.”

Contract / Agreement Term: 7/1/2023 – 6/30/2025.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SELweb (xSEL Lab’s Assessment product) is being used as an outcome measure in the American Institute of Research Evaluation study of the Harmony Social Emotional Learning Program. SElweb is a performance based, direct assessment of student SEL competence. Students will take SELweb as a baseline datapoint of their SEL competence in January and then take SELweb again at the end of the school year’s learning instruction to measure change over time in their SEL competencies. This data will be used by the American Institute of Research in their evaluation of the Harmony SEL program’s effectiveness. SELweb requires student first and last name to identify the student account, birthdate to calculate student age for the nationally normed scoring system, grade and classroom enrollment information because score reports deliver data at the classroom and grade level, school, and district aggregate levels.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., 3C Institute’s SELweb platform, AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. SELweb runs on the 3C Institute’s Quest cloud-based assessment platform, which has been customized to xSEL Labs’ specifications. The 3C Institute is a leading provider of evidence-based software focused on supporting student behavioral and social-emotional health. 3C and xSEL Labs maintain strong data security protocols that are compliant with FERPA and HIPAA. Data security policies and protocols are based on the NIST Cybersecurity Framework model and include risk assessment and management strategies, access control and preventative technologies, and continuous monitoring systems. SELweb uses role-based authorization to set permissions per user role in the system.

SELweb’s application environment is segregated from the Internet using a stateful firewall to ensure that access to District data is protected. All District passwords and data are transmitted through web browsers encrypted in transit using TLS 1.2 protocol or greater. Please refer to the logical network topography diagram. All user account passwords are salted and hashed when stored at rest. SELweb automatically creates backups of transactional data that can be restored with no more than 1 day of data loss.

SEL competence data that is collected within the platform is delivered within SELweb at varying levels of user access role-based permissions. xSEL Labs has a timely revocation process for granting all user roles access to SELweb. This process occurs during onboarding and is verified during SELweb training plans. All administrator system user accounts are reviewed ahead of active assessment windows as well as in data review to include or remove unnecessary or unauthorized users. SELweb has built in levels of access to district data as well as the ability to remove access to SEL competence data without removing user access to progress completion rates. Teacher level access will only view their associated classroom of students rostered and student SEL competence scores (unless access to scores is turned off. Then they will only has access to progress completion rates and the student roster of their classroom.)

School Level user access grants access to scores of all students enrolled in that school. The school level role-based permissions can also be restricted to progress as well.

District Level Administrators have permission to view district aggregate SEL scores, school aggregate levels, as well as all classrooms and students within the district. SELweb developers are working on a Project level Administrator role that would be able to view all SEL competence data across all local districts but would also have permissions to add and remove access to district and school level administrators.

User login security also complies with district standards explicitly stated in DOE policy. Role based controls restrict user access to SELweb’s source code. Users are automatically logged out due to time out after 30 minutes of inactivity and the passwords that users are promoted to set themselves adhere to the following guidelines:

• Admin passwords contain at least 12 characters.
• Admin passwords contain at least 1 number, 1 uppercase letter, and 1 special character.
• Admin passwords cannot be the same as the previous 5 account passwords.
• Admin passwords cannot contain any common dictionary words.
• Admin passwords maximum invalid password attempts cannot exceed 5.
• Admin passwords have multi-factor authentication at set up

Lastly, user accounts are locked after consecutive incorrect login attempts within an auto-filled or computer generated duration of time. 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Yegros Educational (for Conjuguemos)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 4/1/2023 – 4/1/2026

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Entity provides a service called Conjuguemos. It’s a website for foreign language practice. Students log in and practice verb conjugations on the site, and the site keeps track of student progress and shows that progress to the student’s teacher. We collect PII so that students can create accounts and do school work on our site. This work is done with accounts so that teachers can then track student progress by looking at these student accounts.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Please refer to our privacy policy (Https://conjuguemos.com/privacy) for a description of how Conjuguemos safeguards PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Yeled v’Yalda ECC

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 11/1/2023 – 10/31/2028

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Yeled V’Yalda E.C.C. (“Yeled”) provides education services, therapeutic services, academic skills development services, social behavior skills development services, and professional development services to children, students and teaching personnel. Yeled needs access to PII to enable effective provision of these services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. To ensure the confidentiality and security of Covered Confidential Information (“confidential information”), Yeled utilizes role-based user authentication to limit access to confidential information to individuals with a legitimate interest in such information. Access to users of confidential information is secured with individual user password protection and user authentication, log-in, and lock out procedures. Confidential information is maintained solely for purposes authorized in contractual agreements and is treated with the same level of security as original copies. Confidential Information is permitted to be disclosed only with explicit parental consent, except when disclosure is to authorized representatives fulfilling contractual obligations. Yeled does not sell or utilize confidential information for marketing purposes.

Web applications that include confidential information are designed as non-cacheable and confidential information is not included in URLs. Yeled uses TLS 1.2 encryption technology for secure transmission of data outside the internal network. Certificates used for authentication between parties are generated by recognized and trusted authorities. Yeled engages independent third parties for annual assessment of its system security. If a security breach occurs that involves unauthorized release of confidential information, Yeled will notify the relevant parties and cooperate with the applicable regulatory authorities. When confidential information is no longer needed for its primary purpose, or for its retention period, Yeled will securely destroy such confidential information.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

YMCA of Greater New York

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We provide many services including, YMCA Afterschool and/or other extended learning time (ELT) programming and Family engagement and schoolwide events.

As a contracted community school and afterschool provider, the YMCA may require access to PII to monitor attendance in programs and contact families.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The YMCA will hold all confidential information it processes in compliance with all applicable provisions of federal, state and local law, including:

• Administrative safeguards
  • The YMCA limits access to a minimal number of authorized personnel who have a legitimate need for such access.
• Operational safeguards:
  • All documents must be stored securely. Access to storage is limited to only staff who must have access.
  • YMCA Staff manuals and trainings outline comprehensive policies for preventing and reporting security incidents.
• Technical safeguards
  • The YMCA will limit use and storage of sensitive data
  • YMCA will maintain best security practices configuration guidelines for all systems and update system at least 2x per year, if needed

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Young Audiences – New York Inc (YANY)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Young Audiences-New York Inc (YANY) provides innovative, interactive opportunities in the visual arts, music, dance, theater, and digital art to inspire young people and expand their learning. The organization engages children in a 5-step art-making process, which is aimed at expanding social networks, increasing self-awareness, and developing critical life skills. It connects educators, professional artists, and communities to foster creativity, self-expression, and cultural understanding among young people through arts learning experiences.

PII is needed to complete enrollment and registration, and ensure attendance. PII is also needed to communicate with families.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft SharePoint.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Administrative / Physical Safeguards:
  • Device Management: Company issued computing devices and phones are meant to be used only by the assigned employee.
  • Authorized Tools: All software, print or electric information will not attempt to be utilized by unlicensed software.
  • Proprietary Data:
    • All programs used by YANY or company property and protected under contract no data should be copied or given to anyone outside the organization.
    • Confidential data in storage destruction YANY takes preventative measures to ensure all confidential, protected or restricted data is safeguarded.
    • Copies of documents containing confidential data must be removed immediately from office equipment after printing, copying or faxing. Documents should not be left unattended for indefinite periods of time.
    • Paper documents with confidential, protected or restricted data that no longer need to be retained by the company shall be destroyed by a paper shredder.
    • Under no circumstances shall records potentially subject to known or reasonable anticipated investigation by a government agency or relevant in pending litigation involving YANY be destroyed.
    • Notification of Policy to Staff: Copy of the notice sent to Staff detailing organizational policies to safeguard data.
• Technical Safeguards:
  • Encryption: SharePoint encrypts all data stored in YANY’s storage solution􀍘
  • Access controls: Multi factor authentication (MFA) is enabled on company devices to protect user accounts from being accessed by unauthorized personnel. YANY’s SharePoint site has permissions implemented to stop unauthorized staff members from accessing sensitive data outside their assigned scope of work.
    • Please note: All access controls are set up during onboarding.
  • Network Security: Employ firewalls, intrusion detection and prevention systems, and regular security updates to protect against unauthorized access, malware, and other cyber threats. Network maintenance is performed on a quarterly basis.
  • Regular Data Backups: SharePoint backs up data in real time.
  • System Monitoring and Logging: RMM implemented monitoring and logging systems to detect and respond to any suspicious activities or unauthorized access attempts.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Young People’s Chorus of New York City (YPC)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. YPC will be partnering with the New York City Public Schools to provide choral music education instruction to students at participating students. Student PII is used to administer this choral music education program, including to take attendance and to create nametags for the students.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third-party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. YPC maintains reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Student PII in its custody; such safeguards shall include:

• Logical access controls designed to manage access to data based on authority levels and job functions.
• Physical and environmental security of facilities and other areas containing Student PII designed to protect information for unauthorized physical access or damage.
• Organizational management and dedicated staff responsible for the development, implementation, and maintenance of YPC’s information security program.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Zearn

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. Zearn’s services are our Zearn Math School Account which includes access to Zearn Math. Zearn Math is the top-rated K-8 comprehensive math learning program for the full school year. Zearn’s instructional materials are designed to fit a range of instructional needs, including use as a digital conceptual math supplement. Zearn Math is the only EdReports top-rated math resource that connects daily core instruction, intervention, and learning acceleration in one comprehensive math program to ensure all students can be successful with grade-level math. In addition to the full Zearn Math curriculum, School Accounts offer schools and districts dedicated customer support and implementation, administrator reporting on student progress, and rostering support. Protected Information will be used only as necessary for Zearn to perform the services associated with Zearn School Accounts. The personally identifiable information will be used to roster the students, deliver Zearn’s services, and provide in-app reporting on student progress to the subscribing school district, school, or classroom.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. Entity states “PII will be securely destroyed within 30 days of expiration or termination of the applicable Services Contract. We enable this 30-day period to allow the Zearn School Account Holders time to transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option, and to ensure that if the account needs reactivated in that limited time, you retain continuity of your classroom progress. During the 30 days that your account is inactive, we do not access your account data.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services (a cloud hosting database), Heroku Enterprise (a cloud hosting application and database).

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Zearn shall maintain the confidentiality of the shared student data or teacher or administrator data in accordance with federal and state law and the educational agency's policy on data security and privacy. Zearn has the following administrative, operational, and technical safeguards and practices in place to protect personally identifiable information. Zearn shall: limit internal access to personally identifiable information to only those employees or subcontractors that need access to provide the contracted services; encrypt data in transit and at rest at 128-bit encryption or better; utilize two-factor authentication prior to access to personally identifiable information; utilize antivirus and malware software on computers access personally identifiable information; conduct regular software security updates; implement additional network and physical security measures consistent with commercially reasonable security standards used to help safeguard pupil records; monitor hosted and collected data for unauthorized intrusions using network-based and host- based intrusion detection mechanisms through its cloud hosting provider; use access control and redundancy to ensure the resilience of the data collected and stored, through its third-party cloud hosting provider; destroy personal data according to internal policy and external commitments; and require Zearn staff members undergo annual privacy and security training.

Zearn will ensure that subcontractors and third-party service providers with whom Zearn shares Protected Information abide by all applicable data protection and security requirements by entering into written agreements whereby such parties will perform their obligations in a manner consistent with the data protection and security requirements outlined therein.

Protected Information will be stored in a secure data center in the United States using monitoring of the access doors, fire and security monitoring, system health and intrusion monitoring, data backups and retentions. Data storage and access will comply with the Advanced Encryption Standard (AES) with minimum of 128-bit key encryption.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Zenphi

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2023 – 7/1/2024 (subject to renewal)

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Zenphi is a business process automation platform. Our customers automate their business processes using Zenphi with a few drag and drops. At Zenphi we do not store any known PIIs from clients other than the email address of the user accessing Zenphi portal. This is used for authentication, authorization and internal communication purposes only. Any other information ingested in Zenphi workflow engine as part of the workflow execution is unknown to Zenphi and is double encrypted using a key specific to the workspace. DOE schools will use Zenphi to create workflows that contain student PII.

Type of PII that the Entity will receive/access: Student PII. “Depending on the process the user automates, they may decide to use student information, etc. This information is ingested for the duration of the workflow execution and the user has the option to clean it from the workflow engine when the execution is finished. Since any data (PII and non PII) which is ingested during the workflow execution is double encrypted with workspace specific keys, and because access to our production environment is locked down, no one at Zenphi will is able to access any user workflow data.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity states “Since at Zenphi we do not know the type of data our users are ingesting, upon an official request we can only provide a copy of any existing data you have ingested. Some of this data may be encrypted and you (i.e. the Zenphi user) may need to export the raw data from within your workspace.”

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Workflow cloud storage and datastore.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Security is built into every part of our operation and platform. On top of that we are an ISO27001 certified company and follow all the known best practices. All user data is encrypted at in transit and at rest. On top of this, each workspace gets assigned a dedicated encryption key, and data at rest is double encrypted with the workspace specific keys. The keys themselves are encrypted and managed by GCP vault. The access to production environment is locked down and is only granted on absolute need basis though an audited process. The users also have the option to delete their data as soon as the flow execution is finished.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Zoobean

The exclusive purposes for which Protected Information will be used: Students’ first and last name will be used to personalize the experience when logged into our application. Their email address or school district username will be used for authentication purposes in the instances where SSO [NYCDOE comment: single sign on] isn’t available. Their age and/or grade level will be used to place them into the appropriate reading challenges for their age group. Finally, their section enrollment will be used to allow their teachers access to their reading history and achievement data.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: We do not share student data with subcontractors or anyone outside of full-time employees directly supporting our work with NYC DOE. All Zoobean emloyees are required to complete a background check including social security number trace, nationwide criminal database search, sex offender registry search, county criminal court search, and domestic watchlist search. Employees attend semiannual company training and performance reviews that may include, but or not limited to, abiding by all current data protection and security requirements.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: When the agreement expires and NYC DOE no longer wishes to utilize our application, all data related to their district will be fully deleted from the database and all stored backups. Once the data is fully destroyed, the application will disconnect from the preferred NYC DOE SSO & Rostering service and their sites fully decommissioned.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE to process requests for copies of, and challenges to the accuracy of, Protected Information in the custody or control of the Contractor. Such requests should be directed to studentprivacy@schools.nyc.gov. We obtain our student/teacher data directly from 3rd party vendors like Clever and Classlink, or custom integrations. In all of those instances, we have the means to import the data so it matches the data found in those services.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All information will be stored in the US.

How the data will be encrypted (described in such a manner as to protect data security): The data in the database is encrypted at rest and all data is encrypted end-to-end while in transit via TLSv1.2.