Vendors R-Z

Raj Technologies (also called RTI) (for a Vaccine Tracker)

Type of Entity: Commercial Enterprise

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Contractor will be responsible for the provision of support services for the Vaccine Tracking Enhancements Project to provide information about Covid 19 and test results to ensure the safety of students, staff and communities. Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.

Type of PII that the Entity will receive/access: Student PII. “The Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “The Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. “The Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.”

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. “The Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.”

Rally! Education

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. RALLY! Education® digital products use advanced encryption technology to protect online data. The purpose of each digital product is to help students understand and master the NY Next Generation Learning Standards and prepare for the spring NY State Tests. Our digital programs stand-alone on secured website servers. There is no need to access all student PII - we only require student, teacher, and admin email addresses and school-created passwords to set up the program - no other confidential information is needed or required. Our programs do not require All transmission of data other than diagnostic student, class, and grade reports using Secure Sockets Layer (SSL) protocols to encrypt the data being transmitted. In addition, all educational student and teacher names are stored on RALLY! Education® secured servers and are encrypted. RALLY! Education® servers use the latest security software to detect and defend from attacks and unauthorized access and is monitored daily. All transmission of data utilizes Secure Sockets Layer (SSL) protocols to encrypt the data being transmitted. In addition, all educational and personal information stored on RALLY! Education® servers is encrypted. RALLY! Education® servers use the latest security software to detect and defend from attacks and unauthorized access.

Type of PII that the Entity will receive/access: Student PII. The vendor specifies that “NYC DOE is the sole owner of any student and teacher data. The only information that is needed is the student’s name and teacher email/or ID and any passwords that the site or DOE sets up. For example, teachers and students can use their assigned NYC DOE ID number as their passwords or create unique passwords”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor specifies “RALLY! Education® is the sole source provider, and we do not contract with third-party providers.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. The vendor specifies that “All data is deleted on the RALLY! Education® servers. NYC DOE is the sole owner of all reports by student, class, and grade.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All class rosters provided to RALLY! Education® are the sole owner of NYC including the reporting data. Unless directed, there is no link between NYC DOE's website and our digital products. Depending on which products are purchased, each school receives access to a password protected URL unique to each school. We use password protected logins for all access on our secured servers. Administrators, teachers, and students also receive unique passwords to access the specific level of the product. (Administrators have access to all levels purchased, teachers have access only to the students in their class or classes, students can only access their grade level.) Diagnostic Reporting tools can be found within the Administration and Teacher portals. The reports can be downloaded and shared for meetings - no other private information is needed or required. During each semester, additional classes and students can be added or updated, and NYC is the sole owner. At the end of the agreement term, NYC will have copies of the data within the system for the school year. If NYC DOE prefers that RALLY! Education® set-up the school's passwords, we will do it within the confines of what the DOE requires. If NYC DOE uses Class Link®, we follow the secured protocols as stated by Class Link® for PII (although our products do not require complete PII access). In addition, RALLY! Education® uses advanced encryption technology to protect online data. All transmission of data utilizes Secure Sockets Layer (SSL) protocols to encrypt the data being transmitted. In addition, all educational and personal information stored on RALLY! Education® servers is encrypted. RALLY! Education® servers use the latest security software to detect and defend from attacks and unauthorized access and is monitored daily.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor specifies “RALLY! Education® encrypts all student and teacher data. All diagnostic reports are available through a unique login. No other confidential information is needed or shared. NYC DOE is the sole owner of any student and teacher data. The only information that is needed is the student’s name and teacher email/or ID and any passwords that the site or DOE sets up. For example, teachers and students can use their assigned NYC DOE ID number as their passwords or create unique passwords.”

Ramapo for Children

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 12/2020 – 6/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Facilitation of a Youth Council for the Office of Community Schools.

Type of PII that the Entity will receive/access: Student PII

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor’s response: “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedure outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Ramapo employees store and access data on a custom salesforce platform with restricted levels of access depending on the staff role. Salesforce is built with security to protect data and applications by limiting exposure of data to the users that act on it. Authentication protocols prevent unauthorized access to data by making sure each logged in user is who they say they are. Careful consideration is given to choosing the data set that each user or group of users can see, thereby limiting the risk of stolen or misused data. Specific objects (such as attendance lists or coaching notes) are only accessed by selected profiles.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. The vendor checked the box “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Reading Plus

The exclusive purposes for which Protected Information will be used: To set up and manage your subscription to use the Reading Plus application. To set up and maintain your individual use account. To administer and protect the Reading Plus application (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data). To use data analytics to improve our Reading Plus application and customer relationships and experiences. For research purposes to better understand how we can develop and improve our Reading Plus application and/or create new products to help students become better silent readers and independent learners. To send marketing communications to teachers and administrative users.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: All Subcontractors sign binding NDAs that bind them to data protection agreements that Reading Plus LLC is part of. 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Following expiration or termination of the agreement under which the Client purchased access to the Reading Plus web-based products or services, and upon receipt of written request from the Client, Reading Plus will destroy or, if agreed, return to the Client, the Student Records in its possession within a commercially reasonable period of time. 

[NYC DOE comment: The current agreement became effective starting on August 30, 2019 and terminates when all NYC DOE schools and/or offices cease using Reading Plus LLC’s products/services. The terms of the agreement remain effective through the period during which Reading Plus LLC possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data is stored within the United States, encrypted in transit and at rest. We have put in place reasonable and appropriate security measures designed to prevent your personal data from being accidentally lost or used or accessed, altered or disclosed accidentally or in an unauthorized way. In addition, we have put in place policies and protocols designed to limit access to your personal data to those employees, agents, contractors and other third parties who have business need to know. 

How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted in transit with SHA-256 with RSA encryption. Data is encrypted at rest with AES-256 encryption algorithm.

Really Great Reading Company

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2022 – 8/31/2029

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Really Great Reading’s Products are designed to provide foundational reading skill instruction for students in grades PK‐12 via Teacher Online Tools, Reading Playgrounds, and Virtual Implementation Training Courses for our Phonics Suite Programs. Really Great Reading receives and accesses PII for purposes of providing students with practice opportunities within Really Great Reading’s Reading Playground digital platform and facilitating the monitoring of student performance and progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data in motion is secured with standard HTTPS protocol Transport Layer Security (TLS). Data stored at rest is encrypted, as are its automated backups, read replicas, and snapshots using Amazon AWS RDS encryption. Keys are managed with the AWS Key Management Service (KMS). All data is stored in a password protected database with strong password requirements, server-based firewall limiting data access to those end‐points necessary, and limits to development roles that have access to production data. Only business‐necessary PII will be stored. RGR applications are hosted in Amazon Web Services (AWS). More information about the physical security of AWS data centers may be found on the AWS website. Access to PII and application data will be limited to only those employees who necessarily require access to data in the performance of their role with projects. Employees, who have access to PII must complete Security Awareness Training (Coursera) and demonstrate awareness and discretion in their day‐to‐day practices related to security and handling of sensitive information. Employees must sign or acknowledge these policies as they relate to their role. Background checks are conducted on all employees. In the event of unauthorized access or data breach related to the client's application data, RGR will provide requisite notification in accordance with Section 5(f) of this Agreement.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Red Circle Solutions (for School App Express)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. School App Express is a product that provides custom apps for schools, which schools can operate through a website. The app sends out push notifications, makes mass calls (when schools are closed, etc.), sends mass emails, and sends mass text messages as well. School App Express does not collect or store any data for students or parents that is not related to messaging and communication.

Type of PII that the Entity will receive/access: Student PII and Other: Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data is encrypted by Azure Transparent Data Encryption. Employees must use MFA to access cloud services.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Rediker Software

Regents Booster

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2022 – 8/31/2029

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We created an online learning program with a controlled environment where each student can advance at his or her own pace. The full high school curriculum on certain Science and history subjects is now being offered in digital format and allows for note-taking, highlighting, audio, bookmarking, encyclopedia lookup for further research, search options, and Translations helping students who have difficulty reading or for those students that English is their second language. The digital eBook copy can also be used together with the printed copy further enabling the retention of the materials taught in class.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, specifically “Amazon secure data centers using AWS and GCP technology.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We have a Platform that has implemented industry best in class security, privacy, and compliance controls. Regent Boosters has a platform that is CCPR, GDPR, PCI DSS compliant, with a star level 1 certificate. Our Physical Infrastructure is hosted & managed by the Amazon Secure Data Centers and uses AWS and GCP Technology and is constantly managed for Risk and undergoes recurring assessments to ensure compliance to industry best standards. All student/ user data is hosted in the USA, Data is encrypted in transit (SSL/TLS) and at rest AES 256.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Remind101

The exclusive purposes for which Protected Information will be used: Remind will process Personally Identifiable Student Information (PISI) as necessary to perform the Services pursuant to the Terms of Service (https://www.remind.com/terms-of-service), and as further instructed by relevant parties in its use of the Services.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Remind will use a vendor risk management process to evaluate new vendors and monitor existing vendors on an annual basis. The following review areas are considered for vendors with whom personal data is exchanged: Compliance Status, Compliance Report Details, if applicable, Contractual Terms (confidentiality and data protection), Data Retention, and Data Security Controls.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Remind will adhere to the obligations set forth in our Privacy Notice and other Terms and Policies published at https://www.remind.com/terms-of-service.

[NYC DOE comment: The current agreement became effective starting on April 10, 2020 and terminates when all NYC DOE schools and/or offices cease using Remind101, Inc.’s products/services. The terms of the agreement remain effective through the period during which Remind101, Inc. possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Remind will store data in cloud-based data centers located in the United States.

How the data will be encrypted (described in such a manner as to protect data security): Data transmitted across untrusted networks will be protected in transit using TLS V1.2 and will be stored at rest in an encrypted state using AES-256 bit encryption.

Renaissance Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 10/1/2021 – 9//14/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. To fulfill the services requested by NYC DOE (e.g. to provide Renaissance educational products to NYC DOE school Customers). [DOE comment: The educational products included are Renaissance Accelerated Reader, Freckle, myIGDIs for Preschool, myON, Renaissance Star Assessments, and Lalilo.]

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII is stored in the United States for all Renaissance products except Lalilo. Lalilo PII is currently stored on servers located in France but we anticipate moving to US servers for our US Lalilo customers in the near future; PII is encrypted at rest and hosted in the cloud by Amazon Web Services (AWS). PII transferred on the Internet is over HTTPS. Backups are also handled by AWS and backups are also encrypted at rest.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Renzulli Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 4/1/2021 – 6/30/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Renzulli Learning is an interactive online system that provides students with a personalized learning environment, allowing teachers to easily differentiate instruction to increase engagement and achieve higher academic performance. Renzulli Learning has resources that promote and enable ALL students to pursue their interests, providing equity, innovation and creativity for grades Pre-K through 12. Students are empowered by doing creative, imaginative projects that provide rigorous learning outcomes.

The Renzulli Profiler quickly identifies student strengths, interests, learning and expression styles and then matches each student with thousands of personalized engaging Enrichment Activities. Renzulli Learning features robust student grouping which supports our revolutionary strength-based Project Based Learning (PBL) system.

Research shows that Renzulli Learning benefits all Students including:

• Gifted and Talented Students
• High Achieving Students
• At Risk Students
• Students with Special Needs
• English Language Learners (ELL)

Renzulli Learning supports the development of 21st Century Learning Skills for all students, including: critical thinking, creative problem solving, creativity, time management, communication, teamwork, and global competency through our Global Collaboration module. The system has been used by millions of students across the globe, consistently increasing engagement which research demonstrates will lead to higher achievement. Renzulli Learning is available to all students throughout the school year, before, during, and after school, and all throughout the summer as well!

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Renzulli Learning utilizes LightEdge Solutions, Inc. an ISO/IEC 2700:2013 certified company with Corporate Headquarters in Des Moines, Iowa. LightEdge uses several third-party systems to manage data. The systems reside within LightEdge’s internal network and utilizes a web-based application only accessible from the corporate network or through a cloud provider using single sign-on (SSO) to access data. Vulnerability assessments and penetration testing are performed on a monthly and annual basis to identify threats. Any identified security vulnerabilities are triaged by their security team and monitored through resolution. Policies are in place that prohibit the transmission of sensitive information over the internet unless it is encrypted. Risk mitigation activities include the identification, selection, and development of control activities that reduce the assessed risks. LightEdge maintains administrative, technical, and physical safeguards to protect confidential information including provisioning, controlling, and monitoring of physical access into the data centers and office facilities.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Replications

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/2021 – 1/2028

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We are providing Community School Support services that include parent outreach, attendance support, and after school programming. We use PII for the purposes of contacting family members so we can coordinate services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Device Security – EDR deployed on every laptop and workstation to provide security throughout the environment. MFA deployed on M365 accounts storing all relevant data within OneDrive & SharePoint. Document encryption capabilities when sharing sensitive data. Training was provided on best practices. BitLocker encryption enabled on all devices in case of loss or theft. Change Management – Access to additional information not previously approved must be approved by a director or manager prior to release.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Rising Ground

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. As part of City Council’s “Crisis Management Services” initiative, Rising Ground provides trauma-informed therapy and support to teens within two NYC public schools. Our Youth for Change programs offers individual and group counseling on topics such as consent, health relationships, self-image, coping skills, healthy masculinity, mediation, and offer socioemotional support. Additionally, we co-facilitate health classes and offer mediation sessions. We also train staff and administrators regarding strategies to integrate healthy relationships and communication skills.

Rising Ground staff do not have access to student records or school systems. As standard counseling practice, personal contact information is collected, from the students themselves, to remain in contact with students (i.e. should they miss a scheduled appointment). This enables a counselor to contact a student when they miss an appointment to ensure they are okay and reschedule. Information collection is NOT required to receive services, but rather to assist in student engagement. There is no access to educational records. Personal identifying information (such as names, phone numbers and/or email addresses) are solely used to engage students in the therapeutic services we provide. Information is kept on a securely-saved electronic spreadsheet and not shared with anyone outside of approved program staff.

All Rising Ground staff are required to be trained and attest to confidentiality protocols which are governed by federal, state and local laws. This includes, but not limited to, social service law, child welfare, educational (FERPA), health (HIPAA) laws and regulations.

Type of PII that the Entity will receive/access: Student PII

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor’s response: “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedure outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Cloud Service Provider – Expedient Cloud services solution; IaaS – Infrastructure as a Service (Servers -VMs), DRaaS – Disaster Recovery as a Service Backups for all servers and data.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Rising Ground fully appreciates the importance of sound record management and has strict policies and procedures which ensure that all records are maintained within local, state and federal laws and standards. All personnel, medical, client and financial files are maintained in accordance with our Confidentiality and Document Retention Policies. All records are filed and stored systematically, in fire-proof settings, and only employees in need of access to records are granted such access. Our Confidentiality Policy ensures that employees understand that any personally identifiable information regarding a person’s health, mental health, education, family or employment is considered confidential and that confidential information is protected by the law. Employees are strictly prohibited from inappropriate or unauthorized disclosure of

such information. To protect our software, hardware and the confidentiality of staff and client information, all internet access is filtered and monitored using antivirus, anti-spyware programs. Our Documentation Retention Policy ensures that necessary records and documents are adequately protected. Others are safely stored at a record storage facility. All employees are trained in our Confidentiality Policy, and relevant employees are trained in the Document Retention Policy. Both internal and external audits ensure that these standards are observed and that confidentiality is continually maintained.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. The vendor checked the box “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Rockalingua

Type of Entity: Commercial Enterprise

Contract / Agreement Start Date: 2/2/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Rockalingua is an educational website for Spanish teachers and students. Through engaging content (videos, songs, interactive games, short stories and more) students will gain proficiency in the Spanish language. We offer two types of teacher subscriptions. The basic teacher subscription includes access to all of our resources and a generic student account so that students can access from their own devices. The Pro account gives teachers access to all of the resources and our learning management system where they can create classes, assign tasks and monitor student work. We have an integration with Google, Clever and Classlink.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and Vercel.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Our platform is NIST SP 800-53 certified, data is encrypted, and we are FERPA and COPPA complaint. Penetration test are regularly conducted to ensure the security of our system and all personal are trained annually.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Rosetta Stone

The exclusive purposes for which Protected Information will be used: The exclusive purposes for which “student data” or “teacher or principal data” (as those terms are defined in Education Law Section 2-d and collectively referred to as the “Confidential Data”) will be used by Rosetta Stone, Ltd. (the “Vendor”) are limited to the purposes authorized in the contract between the vendor and the NYC DOE (the “Contract”).

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: The Vendor will ensure that any subcontractors, or other authorized persons or entities to whom the Vendor will disclose the Confidential Data, if any, are contractually required to abide by all applicable data protection and security requirements, including but not limited to those outlined in applicable state and federal laws and regulations (e.g., Family Educational Rights and Privacy Act (“FERPA”); Education Law §2-d; 8 NYCRR Part 121).

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The Contract commences and expires on the dates set forth in the Contract, unless earlier terminated or renewed pursuant to the terms of the Contract. On or before the date the Contract expires, protected data may be exported by the School District in the client facing administrator tool and/or destroyed by the Vendor as directed by the School District. 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Confidential Data provided to Vendor by the School District will be stored in the United States and protected as per the Student Records Data Privacy Policy.

How the data will be encrypted (described in such a manner as to protect data security): The Vendor will apply encryption to the Confidential Data while in motion and at rest at least to the extent required by Education Law Section 2-d and other applicable law.

Saga Innovations (Saga Education)

Samuel Field YM & YWHA

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 6/1/2022 – 5/31/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Our services include individual and group counseling, college access and persistence supports, leadership development and overall barrier reduction efforts for young people. In order to properly serve our student population, we need demographic and contact information. This helps us in assigning culturally competent staff with the adequate knowledge to serve students of all abilities efficiently and properly. Access to social emotional data also supports our social work team in helping to reduce barriers to success.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Google.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All technical and physical safeguards to ensure PU is protected fall under the oversight of our Senior Director of Information Technology. Samuel Field YM & YWHA, Inc mitigates data privacy and security risks in the following manner:

• Physical Servers are behind locked doors with access limited to the IT department.
• Cloud user accounts have two factor authentications.
• Shared drives have access based on least privileges.
• If data is tagged HIPAA complaint sharing outside the domain is prohibited.
• All devices used to access student data have virus scanning software.
• Internet traffic travels through firewalls.
• Network traffic is monitored.
• Antivirus and Firewalls
• Encryption of Sensitive Data at Rest and In Transit
• Encryption and Endpoint Protection is done on Mobile Computing Devices
• There is a Formal Vulnerability Management and Software Patching Procedures
• Formal Data Backup and Recovery Procedures in Place and Tested Periodically
• There is a Formal Cyber Incident Response Plan in Place and Tested Periodically
• There is Multifactor Authentication on Corporate Email
• There is Multifactor Authentication on Corporate Network, Systems, and VPNs.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Savvas Learning Company

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2022 – 6/30/2029

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Savvas provides K-12 instructional materials and related services to the DOE, some of which require PII such as student and teacher names in order to facilitate instruction and to track students’ performance.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Savvas will store PII on servers in a secured facility in the United States operated by a world-class hosting provider. Savvas will maintain an information security program of policies, procedures and controls governing the processing, storage, transmission and security of data (the “Security Program”). The Security Program includes industry-standard practices designed to protect data from accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access. Savvas regularly tests, assesses and evaluates the effectiveness of the Security Program and may periodically update the Security Program to address new and evolving security threats, technology and practices. No such update will materially reduce the commitments, protections and overall level of security provided to customers.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Scholastic Inc (for digital curriculum)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII.

• BookFlix: Pairs animated stories from Weston Woods with best-selling nonfiction ebooks from Scholastic to build real-world knowledge and early literacy skills.
• FreedomFlix: Offers a range of text types and media on more than 70 key social studies topics spanning ten areas of core-curriculum study.
• LitCamp Powered by Literacy Pro: Combines reading and writing lessons (K-8) with a fully digital summer school approach to accelerate learning. Children are immersed in personalized learning experiences while building their social-emotional skills, knowledge and vocabulary necessary for reading comprehension success.
• PreK On My Way: A new comprehensive program that welcomes every child into the classroom, celebrating their strengths as they take the next step on their learning adventure!
• Rising Voices Libraries: Provide students with high interest, culturally relevant texts that give context to today’s world while celebrating the stories of the historically underrepresented. These books, paired with innovative teaching materials aligned to the CASEL framework, build a classroom community that broadens the world for students from all backgrounds and enables deep discussions on inclusivity, social justice, and empathy for others. Each Rising Voices collection includes a digital resource website featuring mentor videos, continued-learning resources, discussion guides, standard correlations, and more to help teachers implement the program.
• Scholastic F.I.R.S.T.: Foundations In Reading, Sounds & Text, is a highly adaptive, foundational reading program for Grades PreK–2. Through explicit phonemic awareness training and systematic phonics instruction, F.I.R.S.T.’s research-based pedagogy trains the brain to master “speed of listening.” Students become automatic in their decoding skills, preparing them to read fluently and increase their reading comprehension.
• Scholastic GO!: Offers credible, accurate, reliable content on every core-curriculum topic in a clean, easy to navigate interface.
• Scholastic Literacy: A unique blended learning approach to standards informed comprehensive literacy instruction with a focus on balancing the rigor and flexibility that educators need to meet today’s high expectations. With unparalleled access to authentic and culturally relevant texts in every area of the literacy block, Scholastic Literacy is designed to engage readers, support social-emotional development, and help students become lifelong independent thinkers, readers, and writers.
• Scholastic Literacy Pro: A blended solution for Grades K–8 that empowers teachers to ensure effective reading for all students—in and out of school. It provides students with a single resource to read ebooks and track reading progress on both print and digital titles, while giving teachers real-time, actionable data about reading levels, activities, and comprehension.
• Scholastic Magazines+: A blended, subscription-based solutions that ignites student engagement through relevant, high-interest stories and powerful digital teaching tools. Magazines in print and digital are available for grades PreK-12.
• Scholastic RISE: A short-term intervention that provides targeted, small-group instruction in reading comprehension, word study and phonics, and guided writing. Based on Jan Richardson’s The Next Step Forward in Guided Reading, the RISE framework offers daily instruction for students who are reading six to 36 months below grade-level benchmarks. With RISE Online, instructors can assign students texts, monitor student progress, and access videos and other resources to easily facilitate remote instruction. Students can access assigned texts for extra reading practice on any device.
• Scholastic W.O.R.D.: Supercharges vocabulary acquisition and strengthens reading comprehension in a new and engaging way. With a thematic approach, W.O.R.D. prepares students to think critically and creatively about the world around them. By providing deep background knowledge, W.O.R.D. presents vocabulary as a tool for building meaning across all areas of learning—reinforcing students’ retention of skills learned throughout the school year.
• ScienceFlix: Integrates age-appropriate scientific content, interactive features and intuitive navigation to build knowledge and a lasting interest in scientific discovery.
• Short Reads Digital: Engages classrooms with access to fiction and nonfiction short texts at every guided reading level, and extends learning with teacher materials to accompany each text.
• The Scholastic Leveled Bookroom 5.0: A whole-school (K-6), small-group instructional system with over 6,000 books, 780 short reads, 24/7 access to instructional resources with the digital Accelerator, and professional books and services.
• TrueFlix: Provides thousands of resources to strengthen both educator instruction and student learning of science and social studies content-area knowledge.
• Watch & Learn Library: Builds learning excitement while providing the background knowledge and vocabulary necessary for reading comprehension success.
• LitLeague: LitLeague is an exciting new program that provides a joyous and interactive literacy experience for students in an engaging social- emotional literacy learning environment where children participate in book-related activities including read-alouds, group discussions, independent reading, writing activities, games, and songs. Tailored for expanded-learning times, after-school, extended day, English language learners, and more.
• Next Step Guided Reading: The Next Step Guided Reading Assessment uses proven Assess- Decide-Guide teaching system to determine students’ reading levels and target instructional next steps. From the key text features in the assessment texts to the evidence- based comprehension questions, the Next Step Guided Reading Assessment provides teachers with a way to assess students and teach them the skills to meet higher standards.
• Scholastic Edge: Using engaging, authentic text, EDGE connects striving readers to relevant and essential content needed for future academic success.
• Scholastic REAL: REAL (Read, Excel, Achieve, Lead) is a new program devoted to giving school districts the tools needed to recruit, encourage, and equip mentors to inspire students and build literacy skills.

Scholastic collects PII to provide students and teachers with access to its digital education technology products to support the BOE’s educational goals, to benefit its students, and to support product users. More specifically, PII is used, subject to applicable law and any contractual requirements:

• To support instruction and adaptive, personalized learning o By enabling administrators and educators to tailor and optimize use of the products to the needs of a particular school, classroom or student
  • By permitting educators to review student work and monitor student performance and progress, to facilitate lesson planning
  • By providing reporting capabilities at the district, school or class level (depending on the product), including in some cases cross-product performance data
  • By enabling students to access information shared by their teachers (assignments, content), track their progress, maintain files of their work, create book collections and play educational games
  • By suggesting other content or activities to students (but not for purchase or in the form of advertising)
• To authenticate users, maintain user sessions and facilitate return access
• To communicate with Scholastic’s education customers (teachers/BOE personnel only, not students)
• To ensure products run properly and support optimal user experience
• To diagnose problems, troubleshoot issues, and provide maintenance and support
• To detect and investigate unlawful activity and protect the security of Scholastic’s products, systems and customers
• To calculate royalties

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the Entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law. The Entity also states that “In some circumstances, with permission of the education customer, student PII may be retained to facilitate rostering in a subsequent period and/or resumption of product use. Teacher/BOE staff PII may be retained as part of the parties’ business relationship and/or in connection with separate accounts such persons may have with Scholastic. Note, data deletion/destruction may take the form of permanent, irreversible overwriting or de- identification to the extent permitted by law.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. These safeguards include standards that align with the NIST cybersecurity framework. Protected data is encrypted in motion (currently with TLS 1.2 encryption) and at rest (currently with 128-bit AES encryption). Processor conducts periodic risk assessments and keeps audit trails and security logs to assess and remediate vulnerabilities and to protect data from deterioration or degradation. Additional measures include firewalls, anti-virus and intrusion detection, configuration control and automated backups. Data is classified by sensitivity, and access to data is rule- and role-based.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

School Data Corp

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. School Data Corp. helps schools see how well students are performing over the course or the school year. We track how well they are reading, writing, or performing on the tests they take. We put this information in a teacher‐friendly format so teachers and principals can see which students are doing well, and which students need additional help or support. I need to PII so that I can identify individual students by their ID number to generate reports and assign them to their subgroups.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. “School Data Corp. uses Dropbox, but the information within Dropbox is encrypted and cannot be accessed or read by anyone at Dropbox. There is no sharing of unencrypted PII.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the Entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Dropbox.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All emails are encrypted. All data stored is encrypted. Our network is protected by a firewall. No paper records are maintained.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

School Specialty, LLC (for Coach Digital and Catch Up with Coach)

The exclusive purposes for which Protected Information will be used: Coach Digital Platform allows students to access tests and workbook pages online for instruction, practice, or assessments. Teachers will assign content to students and use this data for progress monitoring, assessment reporting, and targeting educational gaps.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: School Specialty maintains the necessary administrative and technical requirements to safeguard the security and privacy. Our teams work on company devices or virtual desktop environments within a secure VPN and two-factor authentication. Only Platform Developers and Support Admin roles can access PII to support customers. School Specialty staff participate in an annual code of ethics certification for protecting company information and data. All data on the platform is either protected via SSH or SSL connections for intraplatform communication and via HTTPS for web communication. School Specialty staff must sign Non-Disclosure Agreements, pass a background check, and participate in a companywide Security Awareness certification annually. All contractors must adhere to company Master Service Agreements and SOWs.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: [DOE comment: School Specialty’s agreement with the DOE is dated March 8, 2021]. Data is encrypted and deleted at the request of school or school district. 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: School Specialty, LLC will use Clever Rostering for student and teacher data. Data in Clever is shared at the discretion of NYC DOE. Data shared from NYC DOE SIS. School Specialty, LLC will work with the NYC DOE in processing challenges to the accuracy of student data.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): The Coach Digital Platform is hosted on a domestic Amazon Web Service Environment. The Amazon VPC Environment has Enterprise Level Support and 24/7 Managed Services for Security VPC, VPN, Firewall, and endpoint Management.

How the data will be encrypted (described in such a manner as to protect data security): The data in motion is encrypted with TLS 1.2.The Coach Digital Platform collects minimal data and will utilize Clever Secure Sync and SSO [Single Sign On]:

• Teachers and Administrators: First and Last Name and Clever ID
• Students: First and Last Name, and Clever ID.

The Coach Digital Platform utilizes AWS SSL and the VPC ELBs have Security Groups with least privileges enabled. Connectria LLC is in the process of finalizing a proposal to be fully compliant with this requirement.

Schoolbinder (also called TeachBoost)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 10/1/2022 – 9/30/2029

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. TeachBoost is a performance management and educator development platform for K-12 schools. We work with NYCDOE schools and organizations to help them completely manage the evaluation, feedback, coaching, and development process for their staff, educators, and other support personnel. TeachBoost also works alongside the NYCDOE’s ADVANCE reporting system, handling the compliance requirements for DOE administrators.

We request, store, and process DOE employee PII for the sole purpose of providing these performance management and operational services. For instance, we request and store staff rosters and employee names and email addresses for employee user accounts, and we request store and process employee evaluation ratings as entered by DOE staff and administrators.

Type of PII that the Entity will receive/access: APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Amazon AWS and Linode.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We protect PII in number of ways, summarized on our Data Security commitment at https://teachboost.com/terms/data-security.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

SchoolCNXT 

SchoolMint (also called SchoolRunner)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Schoolrunner is a comprehensive data management system that simplifies day-to-day operations with straightforward, powerful and actionable data. Schoolrunner makes it easy to track attendance, student behavior, grades, and more. School administrators can easily see where students or teachers are struggling and can provide the support they need. Parents can see how their kids are doing via a real-time feed in the mobile app and can even get notifications when attendance or grades drop below certain thresholds.

The system allows for greater ease of use than current systems and also offers more flexibility so that schools can use data to achieve their goals. For example, some schools want to move to a mastery-based grading system which Schoolrunner supports. Schoolrunner also offers parents communication with built-in automated language translation to any of over 100 languages.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subtractor, i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Users and employees are permissioned to access the information they need based on their role in the system while restricting them from accessing information not needed for their role. Data and backups are encrypted in transit and at rest. Access to key infrastructure services are limited to a small number of engineering leaders and are protected by multi-factor authentication. Monitoring, logging, and alerting systems provide additional layers of security.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Scoir

Seesaw Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

• General Description: Seesaw is the most intuitive, robust and easy to use cloud-based K-5 digital portfolio in the education space. Seesaw Lessons are Standards-Aligned, Ready-to-Teach & Flexible supplementary curriculum resources that are design for PK-5th grade classrooms. Lessons adapt to whole class, centers, and independent learning in any setting.
• Account Information: When teachers, parents, family members, or school administrators create an account on Seesaw we collect their name, email address, password, and profile picture. Seesaw may also collect an adult user phone number if its entered into their Account Settings. Teachers using Seesaw to communicate with Families may add a family member’s email or phone number to Seesaw in order to send messages or updates about school work to the appropriate parent or family member. Students cannot create an account by themselves, but must be invited to a Seesaw class by a teacher or school administrator. Where students have permission to use Seesaw, Seesaw collects personally identifiable information about them including their names, email addresses, and profile picture. This information may be entered by a teacher or the student or populated from the student’s account with a third party sign-in service, such as their Google account.
• Journal Content: Seesaw collects content that is added to a class or student journal. This content may be photos, drawings, files, notes, hyperlinks, and other ways of documenting student learning. Seesaw regularly add types of information that can be uploaded to a Journal, and these are all covered by this Policy. Comments on posts in a class journal are also collected. These comments may be text, or if Seesaw is allowed to access the microphone on the device, voice recordings. Journal Content that is uploaded by a student or teacher may be considered a student education record as defined by FERPA.
• Messages: Seesaw collects messages that are sent and received in Seesaw by teachers, family members, and students.
• Activities: Teachers may use Seesaw to create activities to use with their students. Activities may include text or voice instructions for how to complete the activity, an example of a correct response or a template for students to edit.
• Activity Author Profiles: Teachers who choose to publish activities to the Community Activity Library or the Activity Library managed by their school or district can also create an Activity Author Profile. This includes the name and profile picture they choose to publish on their Author Profile, as well as their school name and location.
• Communications: Seesaw collects any information sent to us directly, such as email communications. Information from a users Google Account or other Third-Party Sign-in Service: Seesaw allows teachers, parents, family members, and students (after being invited by a teacher) to sign up for and log into our service using a Google or Clever Account. Teachers can also create student accounts on behalf of students in their class. When Seesaw creates an account using one of these Third-Party Services, we use the name, profile picture, and email address (if available) provided by these services.
• Log Data: When using Seesaw, log data is received such as IP address, browser type, operating system, device information, and mobile carrier. In addition, information such as the referring web page, referring search terms, and pages visited may be received or collected. If Seesaw is being used by a teacher, parent, or administrator, Seesaw may use that IP address to determine the approximate location for the purposes of sending customized marketing and other information about our products.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Seesaw routinely conducts 3rd party security audits to verify the security and integrity of our systems and internal controls. Data is stored in access-controlled data centers operated by industry leading partners with years of experience in large-scale data centers with 24/7 monitoring. We routinely monitor our systems for security breaches and attempts at inappropriate access. Journal content (e.g. photos, video, audio, and other content added to a Seesaw journal) is encrypted in transit and at rest. Seesaw uses TLS 1.3 security at the network level to ensure account information and journal content is transmitted securely. We have also adopted an internal data access policy that restricts access to personally identifiable information to a limited number of employees with a specific business need (such as for technical support). Data is also accessible to our sub-processors, who are required to sign a Data Processing Agreement that limits their ability to access and use data.  

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Shutterfly Lifetouch

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Shutterfly Lifetouch, LLC ("Lifetouch" or "Entity") is a trusted provider of school photography services throughout North America since 1936. In preparation for Picture Day, Lifetouch collects certain roster data from the school or district, to be used solely as follows:

• To produce and deliver to schools the products and services as described in the Photography Services Agreement (the "School Deliverables");
• To deliver Picture Day notices on behalf of the school and provide parents of students photographed opportunities to purchase student and class pictures and yearbooks;
• To verify parent authorization to order student photographs; and
• As otherwise specified by the Agreement.

For the avoidance of doubt, this Agreement does not apply to (a) information collected from customers who opt to purchase products directly from Lifetouch and/or establish a Lifetouch family account; or (b) Lifetouch photographs, except as incorporated into the School Deliverables.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Lifetouch has implemented a variety of physical, technical, and organizational security measures to help protect School Data from unauthorized access and use.

• Facilities. Lifetouch produces portraits and School Service Items within its own U.S.-based photo labs. Lifetouch data, including School Data, is maintained in cloud-based storage or in on-premises data centers that meet or exceed industry standards for cybersecurity. All facilities and systems are protected by strong physical security controls such as restricted role-based access, ID cards, entry logs and video monitoring. We have a secure backup process and utilize high availability systems and equipment to maintain availability.
• Networks. Devices storing or providing access to School Data are protected with the same multi-layered security strategies that we use to protect Lifetouch's sensitive and confidential business records. Image databases supporting our photo processing labs and websites are separated from associated data files containing identifiable information, and all databases are protected by firewalls, monitoring, vulnerability scanning and authentication procedures. We apply intrusion prevention methods and perform regular network penetration testing and code scanning on a periodic basis using both internal and authorized third party testing services and. Our systems enable secure transmission of School Data from and to the Lifetouch network with encryption technologies. School Data is segregated from other databases in our systems and is securely disposed of when no longer needed. Devices or media containing or accessing School Data are password-protected and encrypted and stored in secure, locked areas when not in use. Laptops and tablets used by our field are also protected by software that, in the event of theft, notifies Lifetouch immediately if the device is connected to any network and allows Lifetouch to remotely erase the device.
• Personnel. Lifetouch's policy is to collect, use, and disclose personal information only in ways that are consistent with our respect for an individual's privacy. We require Lifetouch employees to sign confidentiality agreements as a condition of employment, and we provide training on the appropriate use and handling of School Data. Access to School Data is limited to those who need it to perform their jobs, and when our employees are instructed to only access School Data secure channels (like the Lifetouch Portal). We also take appropriate measures to enforce these policies.
• Enterprise. A comprehensive set of IT policies based on ISO 27001/2, PCI-DSS, OWASP and/or NIST frameworks and standards, as applicable, governs information systems practices and procedures throughout the Lifetouch enterprise. Additionally, Lifetouch partners with secure payment processing platforms like PayPal to handle payment card data when the families we serve make their portrait purchases. Additionally, the Lifetouch Portal is designed and maintained to exceed the standards of the Software & Information Industry Association's Best Practices for the Safeguarding of Student Information Privacy and Security for Providers of School Services.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Signal Vine, Inc.

The exclusive purposes for which Protected Information will be used: Segment contacts, personalize and trigger outgoing text messages to students and/or parents. [NYC DOE Comment: Signal Vine is a tool used to engage and communicate with students, families, and staff.]

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: No subcontractors have access to NYC DOE personal data. Signal Vine staff access is limited to the team supporting your account. All access is logged.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Protected Information is removed from the platform within 30 days of the expiration of the agreement, and cycles out of backups 14 days later.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information will be stored within the United States. All data is stored on Amazon Web Services and conforms to SOC 2, ISO 27001 and DoD standards.

How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted at rest via Amazon’s TDE service and in transit via TLS 1.2+

SimTutor

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SIMTICS is a cloud-based service with simulations and other supporting media, designed for learning how to perform clinical and medical imaging procedures. The Service is provided by SimTutor Inc (SimTutor). Each SIMTICS module covers one procedure, skill or topic. In most cases a module contains the following media: Video demonstration of the procedure; Explanatory text; Anatomy images related to the procedure, in 2D and 3D format; A multi-choice quiz; Simulation scenarios for the user to learn and practice the procedure interactively and test their skill.

The school provides us with student first/last names and a DOE-issued email address, so students have a unique username and their in-app activity can be tracked individually and kept separate from other students’ data. The SIMTICS system tracks the user’s activity in the app (study time, and scores in simulations and quizzes). Each learner’s activity data is recorded in their personal SIMTICS logbook and can be accessed only by that named user and by teachers and administrative users with the necessary privilege.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. SimTutor is SOC 2 certified and has robust systems, system architecture, and procedures in place to ensure student data is protected. SOC 2 is a compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data. SOC 2 certification is the result of a detailed annual audit by a qualified third party auditor. SimTutor has been SOC 2 certified for three years.

Our information security procedures to protect PII cover the following areas:

• Data classification – at SimTutor, school/student data is classified at the highest level of confidentiality, above our own company data
• Selection, documentation, and implementation of security controls
• Daily security checks of our systems and infrastructure
• Annual assessments of security controls and updates as necessary
• Careful authorization, changes to, and termination of information system access
• Maintenance of restricted access to system configurations, user functionality, master passwords, powerful utilities, and security devices
• Management of user access and roles – only employees with a job requirement (i.e. customer and technical support) are given access to PII
• Security training is part of employee onboarding and Maintenance and support of the security system and necessary backup and offline storage
• An incident response system, tested at least annually, to ensure rapid action in the event of an issue occurring.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Smartest EDU (also called Formative)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: Starting 10/3/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Normal operation and use of Formative’s platform, including reporting on student performance. Formative receives data such as student names, logins, emails, and work generated within the platform. We use this data to allow teachers to assign assessments within the Formative platform, create performance reports, and ensure that rostering within Formative aligns with rostering in Clever, Classlink, or other systems.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Formative’s IT Security and Data Privacy strategy prioritizes detection, analysis, and response to known, anticipated, or unexpected threats; this strategy also emphasizes the effective management of risks as well as resilience against data incidents. Formative continuously strives to meet or exceed the industry’s information-security best practices and apply controls to protect our clients and the organization. Formative reviews of its systems against applicable state, federal, and internal regulations as well as against controls associated with NIST CSF, SOC2, ISO, GDPR, FERPA, CCPA, CPRA, CPA, VCDPA, and UCPA. Formative maintains an Information Security and Privacy Program which, along with security personnel embedded in each of our business units, consists of a centralized group that establishes information security mandates, evaluates adherence to these mandates, and detects & responds to incidents. Formative frequently adjusts this program to ensure ongoing suitability. The Information Security and Privacy Program regularly assesses the sufficiency of Formative’s controls.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

SOLVED Consultancy

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SOLVED helps school administrators and teachers analyze student data so that they can make better instructional decisions based on this data. Schools have multiple data sources from different assessments administered throughout the year. In order to use data efficiently and effectively to inform instructional practices and the use of resources and to analyze student data, SOLVED developed the Assessment Dashboard, which is a platform built within the NYCDOE servers using Google Data Studio (which is part of the Google Workspace Cloud where all NYCDOE accounts and information live). This platform helps Principals, Assistant Principals, and Teachers to look at all their students’ assessment information in one centralized location. Only staff belonging to individual schools are authorized to access their platform, and never parents, guardians, or students.

SOLVED needs to have access to this PII to build this platform for schools. SOLVED displays the PII received in the Assessment Dashboard and this PII does not leave the NYCDOE servers as it is uploaded to the NYCDOE Google Cloud and SOLVED uses Google Data Studio to display PII to Principals, Assistant Principals, and Teachers who are authorized to log in with their @schools.nyc.gov accounts (which are Google accounts).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. “SOLVED uses the NYCDOE’s Google Workspace Cloud to store PII, which are part of the NYCDOE servers. Google Workspace Cloud is a subcontractor for the NYCDOE. The PII does not leave the NYCDOE servers.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “None of the PII that SOLVED is given leaves the NYCDOE servers as it is stored in the Google Workspace Cloud of the NYCDOE. Hence, there is no data return because the data does not leave the NYCDOE servers.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. “SOLVED uses the NYCDOE’s Google Workspace Cloud to store PII which are part of the NYCDOE servers. Google Workspace Cloud is a subcontractor for the NYCDOE. The PII does not leave the NYCDOE servers.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The PII is stored in the NYCDOE’s Google Workspace Cloud and the NYCDOE servers. Hence, many of the technical (i.e. data encryption) and physical (i.e. physical servers) safeguards to keep this data safe is controlled by the NYCDOE.

SOLVED as multiple administrative and operational safeguards to ensure the highest rigor of data protection. These are:

• For all roles within SOLVED, the hiring process ensures the candidate has the necessary competence to perform the role and can be trusted to take on the role, especially for roles related to the use, management, or protection of data or PII. Data protection responsibilities are communicated to employees as part of the on-boarding process.
• Background checks are required prior to employing SOLVED employees, regardless of if a competitive recruitment process is used.
• All SOLVED employees are required to sign a Non-Disclosure Agreement before being granted access to any data. Upon termination of employment, staff are reminded of confidentiality and non-disclosure agreements.
• All new staff must complete an approved Security Awareness training prior to, or within 30 days of, being granted access to any data. In this training, all new staff are provided with relevant data policies and protocols to allow them to properly protect data. All new staff then must acknowledge they have received and agree to adhere to the SOLVED data policies and protocols before being granted access to any data.
• All staff must complete an annual security awareness training.
• SOLVED provides all employees an anonymous process for reporting violations of information security policies or procedures.
• Staff found to have violated SOLVED’s data policy or protocols may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

South Asian Youth Action (SAYA)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 9/1/2021 – 6/30/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. As part of SAYA’s Crisis Management Initiative at Richmond Hill High School, our team monitors program quality and effectiveness in three areas: school attendance, college access support, and social and emotional impact. In order to track data and measure effectiveness of our programs, our staff secure student PII and make use of the Department of Education databases, including Skedula and Enroll NYC, as well as Apricot - Social Solutions, which is a customized database used by SAYA across all of our sites. These databases house and track a number of metrics, including attendance and college enrollment. SAYA staff gather PII data points from our participants, teachers, and other school administrators to measure and gauge youth improvement within these metrics. Through data gathered, our Community School Director and team continually determine how SAYA programming and intervention can best benefit our students and improve their performances.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. South Asian Youth Action (SAYA) will undertake the following safeguards and security protocols to ensure PII will be continually protected:

• Only individuals who will be working on a project that needs PII information will be allowed to use a PII machine.
• Machines accessing PII information will be allocated strictly for the use of accessing PII data.
• Information is protected by strong passwords, consisting of 10 characters or more and a combination of numbers, uppercase and lowercase letters, and special symbols.
• A screen lock will be implemented on dedicated PII machines. The screen lock will be set to turn on within 2 minutes of inactivity.
• Breaches will be immediately brought to the attention of SAYA's Executive Director and technology security specialist. Our technology security specialist will then immediately evaluate and determine the extent and severity of the breach. Upon summarizing findings (no later than 1 day upon learning of the incident), we will report the incident to the appropriate NYC DOE department.
• PII will not be stored on personal computers.
• PII will not be stored on public computers.
• SAYA will make every attempt possible to only store PII data on encrypted servers and not on locally encrypted computers.
• PII data will only be used, seen, or shared with people to fulfill the duties associated with the particular PII.
• PII data will not be left open on a screen when it’s not in use.
• Physical PII data (papers) will not be left unattended

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Sparkler

The exclusive purposes for which Protected Information will be used: To provide the service, directly and in coordination with the BOE. Aggregated non-identifiable data may also be used to improve the service.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Data protection and security requirements that meet or exceed these requirements are a part of Sparkler’s privacy policy and all employment and contracting agreements used by Sparkler.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The agreement starts on signing, and will extend no more than a year, or until terminated by either party. Protected information held by Sparkler will be deleted at any time at the instigation of either users or the DOE, and at any rate under Sparkler’s policies will be deleted no later than one year after the end of the agreement.

[NYC DOE comment: The current agreement became effective starting on April 1, 2020 and terminates when all NYC DOE schools and/or offices cease using Sparkler’s products/services. The terms of the agreement remain effective through the period during which Sparkler possesses or otherwise is in control of covered protected information.] 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data is stored in the US, using the commercially reasonable protections afforded by AWS. Further provisions are described in the Recipients Terms of Use and Privacy Policy.

How the data will be encrypted (described in such a manner as to protect data security): Sparkler is using the industry standard AES-256 encryption algorithm to encrypt all data on the server. For encrypting network communications and establishing the identity of the app, Sparkler is using industry standard SSL/TLS protocols.

Sphero (for Sphero EDU)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Use of Sphero’s Sphero EDU application available at edu.sphero.com, and all related client applications, with which students learn, code, and play with Sphero robots. Depending on if and what type of user accounts are created, PII can contain first name, last initial, email address, and date or birth. Name and email information is used solely for the purpose of creating user accounts. Date of birth is used for the purpose of checking age of consent of the user.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Sphero ensures that data is encrypted both in motion and at rest. The Sphero Edu platform runs in an Amazon Web Services (AWS) facility (please see full details here: https://aws.amazon.com/security/). Personnel are only given access to data on an as-needed basis. AWS provides extensive protection in the form of secure physical facilities, permissions and identity policies, rapid patching and updating of systems, firewalls, network threat detection and response, and scalability to respond to denial of service attacks. PII data is always password protected in addition to being encrypted.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Spruce Technology (for GAMA)

Type of Entity: Commercial Enterprise

Contract / Agreement Terms: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices. Email studentprivacy@schools.nyc.gov with questions about contract dates for specific projects.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Spruce teams will be working with DOE stakeholders in developing a Grades, Attendance, and Messaging application (GAMA) Gradebook Project which will support the grading feature for school-based users. As part of this project, team members will access data from multiple systems that store Location Data, Student Data, Class Roster, Schedules, Teacher data. All of these data sets are necessary to drive the grading functionality. There will be no data migration performed as part of this project. All access to systems and data will be within DOE’s network.

Type of PII that the Entity will receive/access: Student PII. Spruce team members using DOE provisioned VDI may access Location Data, Student Data, Class Roster, Schedules and Teacher data as part of the solution development process.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYCDOE, or to a successor contractor at the NYCDOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. “All DOE data that is considered private, sensitive, or higher classification will only be accessed by Spruce team within DOE environment using DOE issued equipment such VDI/Servers etc.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All DOE data that is considered private, sensitive, or higher classification will only be accessed by Spruce team within DOE environment using DOE issued equipment such VDI / Servers etc. Plus the technical design of the GAMA Gradebook ensures that the design and architecture conforms with all citywide security standards and will get all necessary approvals from DOE Security team prior to go live in production.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Spruce Technology (for Return to School)

Type of Entity: Commercial Enterprise

Contract / Agreement Terms: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices. Email studentprivacy@schools.nyc.gov with questions about contract dates for specific projects.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Return To School (RTS) is COVID-19 case tracking and reporting solution for NYC DOE students and staff. Cases are reported to the Situation Room by phone, online portal, or surveillance test results. Case processing include access to student personally identifiable information such as student name, date of birth, and OSIS ID.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYCDOE, or to a successor contractor at the NYCDOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Microsoft Azure Government Community Cloud (GCC).

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. There are several levels of protecting the system integrity and data privacy:

• Infrastructure Level:
  • Microsoft Government Community Cloud (GCC) FedRAMP High
  • Azure Active Directory as central Identity Provider
  • OAuth2 Encryption Flow
• System Level:
  • Mandatory Authentication
    • Pre-approved user name and account
    • Password with a required complexity level
    • Multi-factor Authentication (MFA)
  • Mandatory Authorization
    • Role-based security
    • Object-based security
    • Field-level security

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Spruce Technology (for Special Education applications)

Type of Entity: Commercial Enterprise

Contract / Agreement Terms: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices. Email studentprivacy@schools.nyc.gov with questions about contract datesfor specific projects.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Spruce teams will be working with DOE stakeholders in developing and enhancing an existing solution that the DOE already has for Special Education use cases. Many of the enhancements will be related to provider assignment and impartial hearing related application. As part of this project, team members will need access to integrated systems that store Special Education data today. All access to systems and data will be within DOE’s network.

Type of PII that the Entity will receive/access: Student PII and Spruce teams will need access to the following systems: SESIS, PA, HIS and related Data Warehouses to collaborate with DOE stakeholders on the enhancements for Special Education applications.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: No PII will be stored.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. In order to protect the information entrusted to Spruce, Spruce is committed to uphold its administrative, operational and technical safeguards and practices which are a part of its standard professional services approach. Those safeguards include:

• A 4-step Security Management Process
  • Risk Analysis – identifying potential security risks, and determining probability of occurrence and magnitude
  • Risk Management – implementing measures to reduce risk to acceptable levels
  • A Sanction Policy – requiring employees to sign a statement of adherence, and implementing appropriate actions against Spruce team members who fail to comply with the security policies and procedures required
  • An Information Systems Activity Review – Spruce regularly reviews of records of information systems activity when available and applicable, such as VPN logs, access reports, or security incident tracking reports
• Assigned Security Responsibilities – Individuals in the Spruce’s Professional Services Cyber Security team, along with the CTO office, are responsible for the operational responsibilities and for development and implementation of policies and procedures.
• Workforce Security – Spruce has processes in place to identify and control which members of its team need to, and can access secure information, as well as an authorization and clearance processes. Individuals of the project will be specifically named and cleared to access the student information by NYC DOE authorized personnel. Computer systems to be utilized will be Spruce-owned and secured equipment that will be assigned to each team member as needed. This equipment will only be used to connect to DOE environment and all activities related to student data will be done on DOE equipment within DOE network either via VDI, Server, Database etc. If additional team members need to access information, an authorization and clearance process will be in place with identified supervisors for approvals. Spruce also has proper termination procedures in place to remove access to information and systems in the event and employee or contractor leaves the organization voluntarily or involuntarily.
• Information Access Management – Spruce operates under need-to-access rules, restricting by default access to information and systems to only those people with a need for access. Only those employees or contractors with explicit needs for this project will be granted access, and only the type of access they need in order to perform their job will be granted. This minimizes the risk on inappropriate disclosure, alteration or destruction. In addition, the student data is never retrieved outside of DOE environment (both on-premise and cloud tenant) thus reducing the risk further.
• Security Awareness and Training – Spruce has an internal training program for new and existing employees, including security reminders, training on phishing and malicious software, and password management.
• Security Incident Procedures – Spruce team members are trained to respond to security incidents, including preserving evidence, mitigating the situation when possible, documenting the incident and outcome, and evaluating incidents as a normal part of ongoing risk management.
• Contingency Planning – Contingency planning establishes strategies for recovering access to data should the organization experience an emergency or other occurrence, such as a power outage and/or disruption of critical business operations. In the “Special Ed App Support Project”, Spruce will be enhancing a solution that is already hosted within DOE’s infrastructure (on-premise and cloud tenant) which will host the data. External hosting or cloud hosting is not part of the considered enhancements including any work related to disaster recovery etc. Current capabilities DOE already has may apply for contingency planning purposes since this project is not related to creating a new solution.
• Evaluation – Spruce conducts regular evaluations to establish that an appropriate level of security is being maintained during project execution. These periodic evaluations are usually every 1 or 2 years. We recommend that DOE also follow similar practices as part of the operating model for our solution.
• Facility Access Controls – In the event of physical access needed, Spruce will work with DOE to obtain appropriate access and follow existing security guidelines for its personnel, including proper access control validation procedures and maintenance records.
• Workstation Use & Workstation Security – Equipment issued by Spruce is for the sole use of Spruce projects, and workstations are encrypted and password protected. Spruce will use NYC DOE issued virtualized environment for accessing student data so that all the data remains within DOE’s network and equipment.
• Device and Media Controls – Spruce trains its team on how to properly handle disposal, reuse and backup of media and devices.
• Access Control – Spruce follows access control best practices, including identifying and naming the unique users that will need access to data, encrypting data on all its laptops, and configuring sessions to automatically log off after a period in inactivity.
• Person or Entity Authentication – Spruce has stringent authentication controls in place to ensure individuals are who they claimed, including in-person interviews, multiple forms of state-issued identification reviewed upon hire, and background checks.
• Transmission Security – Spruce will be leveraging DOE’s VPN for connectivity to DOE network and accessing student data, assumption is that the entire channel is encrypted, and anticipates data will stay within the confines of the DOE environment (on premise and cloud tenant).

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

St. John’s University's School of Education (for Project RAISE)

Type of Entity: Research Institution or Evaluator

Contract / Agreement Term: 1/31/2022 – 1/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Resilience, Access, and Imagination for Success in Education (henceforth Project RAISE), consists of the following components:

• Supplemental Instruction
• Counseling Services
• Tutoring Services
• Mentoring Services
• Parent Engagement Services
• Professional Development; and
• Extended Year Program

St. John’s University’s Project RAISE is a program designed to provide Title I supplemental instructional services and related services under the Every Student Succeeds Act (ESSA) for Title I eligible students, parents, and teachers at nonpublic schools in New York City. To this end, all students from Pre Kindergarten through grade 12, as well as their parents and teachers who are eligible for Title I assistance, will benefit from Project RAISE. Pre-Kindergarten to grade-12 students from families in poverty grapple with numerous challenges in terms of their emotional, physical, social, and cognitive development. These challenges adversely affect their academic success. The primary goal of Project RAISE—which is intended to provide Title I nonpublic schools supplemental instructional services—is to afford students from Pre Kindergarten through grade 12 with the opportunity to receive supplemental instruction in the areas of English! language arts/reading, mathematics, English as a Second Language (ESL), social studies, and technology, as well as Pre-Kindergarten services to help them succeed in these subjects. The primary location for services will be in New York City nonpublic schools serving students from pre-kindergarten to twelfth grade, and that select St. John’s University as their service provider

Data collected will be for the purpose of invoicing/billing the participating non-public schools in the City of New York. The data will include the following: Student ID Number; Grade Level; and School Name.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. This correspondence articulates elements of the St. John’s University cyber security and privacy infrastructure as it relates to the academic research infrastructure for the New York State Department of Education grant award supported by faculty in the St. John’s University School of Education.

St. John’s University has taken a risk-based approach to cyber and information security by ensuring the confidentiality, integrity, and availability of its information assets. The University has a viable program that balances the people, processes and technologies and focuses on the management of the security program, user awareness, research platform, and operations. The details are as follows:

Security Program: Our Security Program is comprised of several strategies that include, but are not limited to:

• A viable IT Governance model and reporting structure
• University-wide and department-specific Information Technology (IT) and Security policies and standards
• A Vulnerability and Patch Management (VPM) program (policies, standards, processes, and procedures) to proactively address potential vulnerable and unpatched systems and applications of critical and non-critical information assets.
• Multi-factor authentication to minimize authentication threats
• An IT risk management framework based on the NIST Cyber Security framework to manage IT risks consistently and continuously.
• Adequate security awareness and training of faculty and staff, including staff that handles personally identifiable information (PII)
• Processes and techniques to address the end-user computing threats
• Data maps for PII that is transmitted, processed, and stored within the University.
• Records/data that are classified into three groups
• Active records that are stored in a primary storage medium
• Data is retained for a regulated specified period according to the University’s retention schedule

The subcontractor is held to the same standards described above.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

ST Math - MIND Research Institute

The exclusive purposes for which Protected Information will be used: Personally Identifiable Student Information (PISI) will be used to enroll/roster students into the ST Math program as well as collect usage and performance data as related to the program (i.e. progression through the program, mastery of standard, time on the program). 

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: MIND Research Institute requires all employees that will handle PISI to agree to and sign our employee handbook which details requirements each employee must adhere to in order to ensure the security of user data. Additionally, MIND Research Institute provides scheduled training and refresher training on best practices in the handling of data and requires employees to participate. 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: PISI received from a LEA is de-identified or deleted in a reasonable period of time after the relationship between MIND Research Institute and the LEA has been terminated.

[NYC DOE comment: The current agreement became effective starting on September 18, 2019 and terminates when all NYC DOE schools and/or offices cease using ST Math’s products/services. The terms of the agreement remain effective through the period during which ST Math possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): MIND Research Institute's infrastructure is hosted within the United States. We design and implement our systems to provide resiliency against server, segment, and geographic failure, through the implementation of a clustered redundant architecture that yields highly available service endpoints. which provide resiliency against server, segment, and geographic failure. We utilize service providers whose systems have been certified for compliance with security standards including ISO 27001. 

How the data will be encrypted (described in such a manner as to protect data security): Unauthorized access of User data is a real risk facing the users of today's electronic information services. MIND Research Institute strives to keep informed of these risks, and we work diligently to combat them. One method of protecting User data is to utilize cryptography to prevent data visibility in the event of its unauthorized access. MIND Research Institute leverages cryptography to protect user data in the following two ways:

• Data in Transit. Our services support Transport Layer Security (“TLS”) to encrypt User communications (TLS 1.0 or greater and only the strongest ciphers). Data transferred between our Site and its end Users (including credential submission, data uploads, and data downloads) are sent over TLS connections, which protect such data using strong encryption, so that data in transit is kept in a private channel between the intended User and our systems.
• Data at Rest. User data that contains personally identifying information, when “at-rest” (i.e., when in storage) is encrypted using industry standard AES-256. There are two types of "at rest" storage:
• Database. Database server disk storage is “volume” encrypted (i.e., encrypted at the level of the database).
• User Files. User files are individually encrypted before being recorded on long-term, secondary storage systems.

Strategic Inquiry Consulting

Type of Entity: LLC

Contract / Agreement Term: 3/1/2022 – 2/28/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Coaching support for teachers and school leaders in developing student writing skills. PII is received in the form of electronic student work files (showing progress toward skill mastery, which contain student names and handwriting).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Google Workspace.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. SIC will maintain reasonable technical, administrative and physical safeguards to protect PII including storing in an online portal that provides data encryption and has built-in security designed to detect and block threats like spam, phishing and malware.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

STRIDES Via Transportation 

• Via shall use 256-bit SSL when transmitting sensitive data over the internet.
• Wireless network transmissions will be encrypted. 
• Audit logs that contain sensitive data will be sanitized or removed from the logs.
• Via uses AWS Key Management Service as the main KMS. AWS KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect our keys.
• AWS KMS is integrated with AWS CloudTrail to provide audit logs of all key usage.
• All endpoints that connect to Via’s network are disk-encrypted using industry-standard encryption. Personal client information is never stored on the client-side device

Study.com

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Identifying students, communicating assignments, composing classrooms, recording and reporting grades, and tracking progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Access to Protected Data is limited only to trained System Administrators within Study.com. Key FOBs are required to enter the facility and servers are locked in a keyed cage. All AWS servers are on a restricted Virtual Private Network. We log any unauthorized attempts to access this network or the Protected Data contained on the network. All analytics, features, and data processing are done internally on physical Study.com owned servers racked in a secure facility.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Suntex International (also called First in Math)

The exclusive purposes for which Protected Information will be used: We do not absorb, display or store any sensitive data in this process. As part of a typical data sync, the district will provide information regarding the school buildings, the classroom that exist, and the teachers that are assigned to those classrooms. Lastly, a list of students and what classes they belong to is provided. In the most common application, these files are transmitted nightly through Clever. The syncing process will automatically establish accounts, preserving the teacher/student relationship. As this relationship changes, and students move to a different classroom, or school building this change is reflected in vendor’s website. If student no longer appears in the data feed, the student will be held in a reset/deactivated status until they appear again. Teachers that are no longer teaching the classrooms associated with the program will be removed as indicated by the feed. There are some cases where the relationship is not correctly reflected in the SIS, or the student’s classroom assignment is ambiguous. In this case the teacher may use tools to find students that are deactivated or exist in an unassigned pool for that grade level using a drag and drop tool. The teacher may also examine a roster and determine that a student is either no longer in that classroom, or that they no longer exist within that school, or reset a password, though passwords are not relevant when an SSO sign in method is being used. A building level administrator may have additional tools to move students to different classrooms within the building.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE:  Suntex does not use subcontractors. Company employees follow proper policy in handling data for initial import of district data, trouble-shooting, customer service. We take reasonable measures to protect the confidentiality of the Data as required by federal and state laws and regulations applicable. We establish technical and physical security measures to ensure the confidentiality, integrity and availability of the Data.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Traditionally, we retain the current school year and one-year prior of data. Before each school year we purge any older data. At the end of the contract period or upon request, information will be returned to a NYC DOE, or at such point that the Data are no longer needed for the purpose referenced in this Agreement, or, at the sole discretion of NYC DOE, securely destroyed, and all electronic Data purged from the network in a manner that does not permit retrieval of the data.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov. ]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data will be stored within the Atlanta Data Center of Aptum Technologies, 106 Jefferson Street, Suite 300, San Antonio TX 78205 (Formerly Cocego-Peer1), a top-tier and leading hosting provider. Multiple approaches to data security include physical security (CCTV, biometric access control, on-site guards), network and application protection, including DDoS protection, hardware fire, load balancer, and access through VPN only. The next layer of security includes alert logic monitoring and McAfee enterprise anti-virus. Web Site access is only allowed using SSL (2048-bit). The environment is kept clean, installing only the necessary applications and features, and is kept up-to-date with the latest security patches. 

How the data will be encrypted (described in such a manner as to protect data security): All data in motion will be encrypted either via Secure HTTP (HTTPS), SFTP, or another approved encryption mechanism. In general, Email send and receive is protected by TLS in its transmission, but is not generally an acceptable means of passing confidential information.

Sussman Education Company, Inc. for Lightswitch Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Sussman Education Company, Inc., for Lightswitch Learning offers FAMIS e-catalog approved culturally responsive/social emotional, and parent engagement offerings in print and digital format through their textbook contract. 80% of the offerings feature minority authors and subjects. Sussman is applying for a software contract so schools can order site-based one-year subscriptions for their eBook content. Sussman Education Company, Inc., for Lightswitch Learning does not collect PII.

Type of PII that the Entity will receive/access: Entity will not receive or access PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Sussman Education Company, Inc., for Lightswitch Learning does not collect PII.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Sussman Education Company, Inc., for Lightswitch Learning does not collect PII.

Challenges to Data Accuracy. Sussman Education Company, Inc., for Lightswitch Learning does not collect PII.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Sussman Education Company, Inc., for Lightswitch Learning does not collect PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Sussman Education Company, Inc., for Lightswitch Learning does not collect PII.

SVAM International (for DOE’s Compliance Systems Modernization Project)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 8/1/2023 – 7/31/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Compliance Systems Modernization Project focuses on implementing any modifications and enhancements to support any updated business policies/processes and relevant Federal, State and City mandates.

Type of PII that the Entity will receive/access: Student PII. “Under High Level Enhancements for the OSI’s system for parent notification and integration with NYCSA, SVAM Project team will access DOE applications that store Student PII data. However, SVAM will not store or host PII data on any SVAM storage systems or applications. SVAM team will work directly on DOE infrastructure and will not download/share any PII data onto the SVAM infrastructure.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Under High Level Enhancements for the OSI’s system for parent notification and integration with NYCSA, SVAM Project team will access DOE applications that store Student PII data. However, SVAM will not store or host PII data on any SVAM storage systems or applications. SVAM team will work directly on DOE infrastructure and will not download/share any PII data onto the SVAM infrastructure.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity. “Under High Level Enhancements for the OSI’s system for parent notification and integration with NYCSA, SVAM Project team will access DOE applications that store Student PII data. However, SVAM will not store or host PII data on any SVAM storage systems or applications. SVAM team will work directly on DOE infrastructure and will not download/share any PII data onto the SVAM infrastructure.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Please note that SVAM will not store or host PII data on any SVAM storage systems or applications. SVAM team will work directly on DOE infrastructure and will not download/share any PII data onto the SVAM infrastructure. Under High Level Enhancements for OSI’s system for parent notification and integration with NYCSA, SVAM Project team will access DOE applications that store Student PII data.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Swivl (also called Satarii)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Reflectivity cloud based software service is for teachers’ and administrators’ collaborative work and professional development. In order to properly authenticate educators in the service, we collect some PII, such as name, email, job title. Student PII may be captured in the videos of teachers providing instruction, which shall be uploaded and reviewed by instructional coaches as part of the professional development process.

Type of PII that the Entity will receive/access: Student PII, and teacher name, email, and job title.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Swivl software is hosted on SOC2 compliant data centers provided through Amazon AWS and require multiple factors of authentication to gain access to the data. Swivl uses AES-256 encryption for data storage and TLS 1.2 for data transport). All infrastructure is behind industry leading firewall solutions and require VPN access with secure keys. We restrict access to customer data to a small set of security and operations specialists who need to have access as part of fulfilling their job duties. We have a continuous process of testing our security processes and services and mitigating any issues, if found. We have a dedicated security team which monitors and tests our system continuously using leading software tools.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

TalkingPoints

The exclusive purposes for which Protected Information will be used: To provide a two-way translated messaging platform between school & district administrators, teachers and parents.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: TalkingPoints has implemented strict controls over physical, environmental, and software security for all employees and contractors.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: TalkingPoints will either delete or return, within a commercially reasonable period of time but not to exceed 45 days, all personally identifiable information upon the expiration of any agreement when requested to do so by notification from the contracting party; [NYC DOE comment: The current agreement became effective starting on May 29, 2020 and terminates when all NYC DOE schools and/or offices cease using Talking Points’ products/services. The terms of the agreement remain effective through the period during which Talking Points possesses or otherwise is in control of covered protected information.] 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. Any parent, student, eligible student, teacher or principal may correct inaccurate student data or teacher or principal data that is collected. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information will be stored in the U.S. As described in Attachment B of the Agreement, TalkingPoints’s infrastructure is built on industry-tested technology and security practices.

• TalkingPoints uses encryption, firewall, and network security software.
• TalkingPoints uses single sign-on (SSO) and twofactor authentication (TFA).
• Low-level auditing software is supported for all external providers (AWS, Atlas) to record potentially malicious actions that may take place.
• TalkingPoints runs periodic penetration tests, then logs and resolves discovered issues.
• All TalkingPoints clients use TLS/SSL when communicating with our servers.
• TalkingPoints has a host-based intrusion detection system to detect unauthorized access to production hosts.
• Audit logs are sent to a central location for storage and analysis. Access to production servers and interaction with production systems is audited and logged.

How the data will be encrypted (described in such a manner as to protect data security): All student data or teacher or principal data is stored on cloud servers within the United States and protected with industry standard and best practices procedures, including AES256-CBC encryption when in transit and when stored at rest.

Teachers College, Columbia University (for the Reading and Writing Project)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 12/1/2021 – 11/30/2026

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Teachers College Reading and Writing Project may review and use student protected information as part of professional development in literacy in schools. Reviewing this information is necessary in order to systematically check to see if and when students have internalized key literacy skills, and to assure that instruction is differentiated in response to student needs. TCRWP staff developers also regularly lead study groups with teachers in order to provide teachers with opportunities to examine student writing, to study patterns in data, and to co-author methods and curricula. Studying student work together in this way enables teachers to thoughtfully plan next steps based on what students are actually doing. This shared work is vital to deepening teachers understanding of conducting formative assessments, and of norming across a school so as to ensure a consistent vision of excellence.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. TCRWP Staff Developers may have access to student work as part of leading professional development in literacy in schools. In the event remote work is required, the Teachers College Google Drive instance will be utilized to transfer and store student writing documents. Within Google Drive, a Shared Drive will be created and appropriate access (read-only, edit, or content manager) will be assigned. Those assigned read-only access will not be able to download or share content. Additionally all subcontractors accessing PII data are required to sign a NDA. TC employees are educated and reminded of how to treat PII data and employees with access to PII data are required to sign confidentiality agreements. A copy of the NDA and confidentiality agreements are attached.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Tech4Learning, Inc.

The exclusive purposes for which Protected Information will be used: To access the Wixie online authoring tool.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: N/A - We will not share student data with subcontractors or other persons or entities.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: At agreement start protected data will be uploaded by NYC DOE staff to Wixie. At agreement end protected data will be deleted unless return instructions are provided. [NYC DOE additional information: The current agreement remains effective through the period during which Tech4Line, Inc. possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Contractor. [NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected data is stored in our San Diego, CA-based data center. Data is protected via biometric, physical, and logical security.

How the data will be encrypted (described in such a manner as to protect data security): Data transmitted to Wixie and data at rest will be secured using industry best practices.

TestOut Corporation (LabSim)

Texthelp Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 3/1/2023 – 3/1/2030

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Read&Write, Equatio, Snap&Read, Co:Writer are Assistive Technology Literacy toolbars for students to scaffold learning and to help them access the general education curriculum. uPAR is a reading accommodation decision making tool to help teachers determine accommodations. OrbitNote is an accessible PDF tool. Again this helps make the curriculum accessible to students with typical PDF tools but also accessibility tools to read text aloud. EquatIO is an Assistive Technology Math toolbar and a math space for students to enter math and solve math problems digitally. Again it is a critical support for students with disabilities to access the general curriculum.

Data minimization is at the core of the design of the company’s products and we only collect the necessary data to provide access and usability of our tools to our users. The core of PII is the student’s email. The student’s email is used for the student to log in to the tools and manage their preferences. In addition we collect usage data and other accommodation data for staff to make decisions about future needs of students in using these tools.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS and Google.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Texthelp adhere to the principle of Privacy by Design/Default. Our software solutions are designed to use a minimal amount of PII. Texthelp are a Processor for the purposes of Processing Customer Personal Data; and we are a Controller in relation to any Processing described in our privacy and cookie policies located at www.texthelp.com. 

All personally identifiable information is used and held in accordance with our privacy and security policies.

Security controls are in place to keep Texthelp systems and data separate from other client’s data.

Policies and procedures exist to satisfy all of the 114 controls contained within Annex A of the ISO 27001 standard. These include, but are not limited to:

• ISMS 1.2 Information Security Policy
• ISMS 1.3 Product Analytics Policy
• ISMS 1.4 Access Request Policy
• ISMS 1.5 Roles/Responsibilities/Authorisations Register
• ISMS 1.6 Audit Logging Policy
• ISMS 1.7 Backup Policy
• ISMS 1.8 Encryption & Cryptographic Policy
• ISMS 1.9 Access Control Policy
• ISMS 1.11 Network Security Policy
• ISMS 1.12 Privacy Notice for Employees & Job Applicants
• ISMS 1.13 Record Retention Policy
• ISMS 1.14 Security Patching Policy
• ISMS 1.15 Infrastructure Hardening Policy
• ISMS 1.16 Vulnerability Management Policy
• ISMS 1.18 Privacy Policy for Texthelp Products
• ISMS 1.19 Security Incident Response Policy
• ISMS 1.20 Acceptable Use, Mobile & Teleworking Policy
• ISMS 1.21 Information Classification & Labelling Policy
• ISMS 1.22 Password Policy
• ISMS 1.23 Statement of Applicability
• ISMS 1.24 Risk Treatment Plan
• ISMS 1.25 Asset owner Policy
• ISMS 1.26 Secure Development Policy
• ISMS 1.27 Social Media Policy
• ISMS 1.28 Texthelp Web Properties Cookie Policy
• ISMS 1.29 Data Subject Access Request Policy
• ISMS 1.30 Texthelp Web Properties Privacy Policy
• ISMS 1.32 User Removal Policy
• ISMS 1.34 Security Disclosure Policy
• ISMS 1.36 AWS Asset Tagging Policy
• ISMS 1.38 Data Transfers Risk Assessment
• ISMS 1.40 Finance Data Handling Procedures

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Thinking Maps Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Our application provides both virtual resources for teachers and a virtual environment for students and teachers to create and share Thinking Maps within their school or classroom. Student First/Last Name and Login ID are the only PII required, and are used to created their accounts.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Within 60 days following termination of a school’s license, the PII associated with that school shall be automatically deleted, unless otherwise directed by the school or district at that time.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII is protected through standardized encryption and security in compliance with NIST guidelines. Student information is only available to users with appropriate roles and/or privileges within the system. All employees with access to such data are provided with security and privacy training, as well as being required to sign a privacy agreement with Thinking Maps Inc.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Thinking Nation

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 1/1/2023 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Processor will provide students and teachers of the 6th-12th grades of the NYCDOE with its specialized, proprietary history curriculum, assessments, and other related resources. Processor evaluates and grades all assessments and essays of participating students and provides them and their teachers with normed data collected from these assessments and essays. Processor will use classroom rosters provided by NYCDOE to properly aggregate and share the data.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• All employees have distinct logins so there is a record of all actions and edits when using PII.
• The least privileged authority is enforced to ensure that PII is used only when necessary.
• When there is an inactivity during a user's session, the platform automatically logs out the user.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Thinkingmap (also called Vocabulary.com)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 3/8/2023 – 3/8/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Vocabulary.com provides personalized, systematic vocabulary instruction for students from 5^th grade through high school, and beyond. Beyond its core purpose of building academic vocabulary knowledge, the platform improves literacy skills in the areas of reading, writing, listening, and speaking. Since 2008, Vocabulary.com has served more than 5.1 billion questions to learners all over the world. Today the platform is used by 3.7 million students in 56,000 schools.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS (a cloud hosting and data analytics provider), Century Link (used for telecommunications), Google G Suite (a cloud computing, productivity, and collaboration tool) and Salesforce Inc (a Customer Relationship Management (CRM) solution); and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Vocabulary.com has implemented a variety of physical, administrative and technological safeguards designed to preserve the integrity and security of the personal information we collect and to protect against unauthorized access to data. These include internal reviews of our data collection, storage, and processing practices and security measures, as well as physical security measures to guard against unauthorized access to systems where we store personal data. We restrict access to personal information to IXL employees, contractors, and agents who need to know that information in order to operate, develop, or improve our services. Vocabulary.com provides encryption for customer data as follows:

• Network connections to Vocabulary’s production environment utilize Transport Layer Security (TLS) or Secure Shell (SSH);
• All data stored in Vocabulary ’s production environment is encrypted at rest using AES-256 bit encryption; and
• All data stored on Vocabulary -owned laptops is encrypted at rest. Vocabulary employs automated log collection and audit trails for production systems.
• Connections originating from untrusted networks segments will be governed by firewall rules and other security safeguards that grant the minimal access required to access the intended service provided by the company.
• System passwords and access keys are stored in a privileged location accessible only to Vocabulary security administrators, and all credentials are changed from factory default settings.
• Production systems receive regular maintenance to apply security patches; and
• Physical access to systems requires security RFID badges and biometric authentication, and is limited to IT staff performing physical maintenance.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

TPR Education

The exclusive purposes for which Protected Information will be used:To fulfill TPR’s obligations under its agreement with the DOE, including but not limited to test preparation and tutoring services.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Subcontractors do not have access to confidential data.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: For the term of the underlying agreement. At contract end, Protected Information will be deleted as provided in the underlying agreement between the DOE and TPR.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All data resides in the United States. Systems are protected using industry standard security practices by using a combination of encryption, role/group-based permissions, firewalls, and passwords.

How the data will be encrypted (described in such a manner as to protect data security): Data will be encrypted at rest using AES-256 at the disk level. SQL encryption on certain fields, and TLS 1.2 SSL for encryption in transit.

Tutteo Inc (also called Flat for Education)

The exclusive purposes for which Protected Information will be used: We use data solely to deliver the service Flat for Education.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: All subcontractors or employees that will access personal data have agreed in writing to protect the confidentiality and security of Customer Personal Data. They also receives regular personal trainings. 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: We will delete all the data that we and our sub-processors hold. NYC DOE can reach out to us in writing to ask us to return all data by secure transfer in such a format as notified by you to us.

[NYC DOE additional information: The current agreement became effective starting on December 17, 2020 and remains effective through the period during which Tutteo, Inc. possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. [NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): When stored all the data is encrypted (see point below). We also ensure that all our sub-processors abide by the same level of security and best practice we commit to.

How the data will be encrypted (described in such a manner as to protect data security): All Flat for Education's platform services encrypt the data while communicating with other services, whether internal or external. The data in motion is always encrypted using either HTTPS or TLS, whether between our microservices, databases and caches services, and between the different regions of our cloud infrastructure.

Flat for Education uses cloud disk storage and object storage that are encrypted at rest using 256-bit Advanced Encryption Standard (AES-256). This includes encryption at rest of our all backups.

Urban Arts Partnership

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2022 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Urban Arts Partnership will provide Community School services to The Facing History School through the end of the contract date of June 30, 2024. Community Schools are centers of opportunity with a shared leadership model so that academics, social services and supports are integrated into the fabric of schools. Urban Arts will provide high quality arts and technology based education as well as leverage strategic partnerships to support the following Community School pillars: 1) Rigorous academic programs with strong supports to prepare all students for college, careers, and post-secondary success; 2) School-based and school-linked programs and services that, based on a needs assessment of the community, address the comprehensive needs of students and their families; and 3) partnership cultivation that demonstrates collaboration with the local community, including by engaging families and other community stakeholders. Through the Community School model, Urban Arts seeks to support the whole community through collaborative leadership, family engagement, expanding learning time and wellness support.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE's option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.  Urban Arts Partnership (UAP) and its subcontractors will collect various kinds of PII data, including students' names, emails and grade levels. Electronic PII data will be stored on our custom-built CRM Platform and each authorized employee will have access through a two-step authentication password system. The data will also be stored on our drive and accessible via a secure password and two-step authentication as well. Data that is recorded on paper will be stored in our records closet, which is locked at all times with entry restricted to the Chief Operating Officer, Operations Manager, and the Director of Programs. Our records closet lives within a building that has extensive security measures - i.e. security in the lobby, no unauthorized entry by non-UAP personnel via the elevator and floor without a unique key access card that each UAP employee is assigned. Subcontractors will be expected to adopt similarly rigorous protocols and demonstrate to UAP's satisfaction that proper protocols are in place.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, the Entity agrees that PII will be encrypted using industry-standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

The Urban Assembly

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The UA’s Program Services & Supports derive from our mission, priorities, goals and guiding principles as detailed in our workplan, and some of these services utilize student PII for monitoring and analysis, to provide customized supports for each school. The UA model serves to meet and/or exceed the NYC DOE’s program goals and respond to state and city accountability frameworks in order to drive student success at UA schools and beyond.

Support areas include Algebra Success, Social-Emotional Learning, Data Exploration and Monitoring support, Early Career and College Awareness, Alumni Success, and Leadership development. These programs focus on customized program implementation in the real and varied settings of our partner schools, which requires visibility into the actual population of classrooms and rosters. This to allow for specific, targeted, and intensive coaching and support as well as monitoring of outcomes on student-level metrics identified for each program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. “As of May 2022, UA is putting this practice in place and expects it to be fully realized by July 2022: The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Vendor selected “Other: UA will safely maintain data until such time that the partnership with the NYC DOE is concluded. In that event, UA will destroy PII on a mutually agreed upon date to ensure that the data collected for this partnership is protected from unauthorized individuals.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. UA considers security of PII to be vitally important. As such, there are a range of administrative, technical, and physical safeguards in place, as described in further depth in our security policy. Safeguards include but are not limited to: endpoint protection, regular security training, encryption of organizational data, and limiting access to confidential information based on role and caseload.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Vanguard Direct

The exclusive purposes for which Protected Information will be used: To communicate information to students and/or parents/guardians on behalf of different DOE divisions.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: All subcontractors are required to sign an equivalent NDA with the Processor. 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: All information used for the mailing will be purged from Processor’s system and a destruction certificate will be provided to the NYC DOE. [NYC DOE additional information: The current agreement became effective starting on January 13, 2021 and remains effective through the period during which Vanguard Direct, Inc. possesses or otherwise is in control of covered protected information.] 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. [NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Stored only in the US. 

How the data will be encrypted (described in such a manner as to protect data security): Data in transit will use either Secure Shell (SFTP) or TLS over FTP (FTPs). Data at rest are encrypted using 256-bit SSL (Secure Sockets Layer)

Visionaryz (for Transportation Modernization Project)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 10/2/2023 – 9/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. As part of OPT operations, the Planning and Innovation (P&I) team is responsible for providing guidance and standards in the execution of projects. P&I creates tangible goals, aligned with the overall organization's vision, and ensure all targets are met. Guidance comes in the forms of project templates, standardized processes, standardized methodology, requirements for product development and enhancements. Currently, P&I is engaged in a pathbreaking modernization initiative. The NYC School Transportation Modernization Project will solve problems for caregivers, students, school administrators, drivers (external stakeholders) and OPT staff (Internal stakeholders). PII may be accessed to develop modernized transport initiatives.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. “Visionaryz Inc. will not use subcontractors for this project.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: No PII will be stored or hosted by Visionaryz Inc

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Safeguards include policies limiting data access, sharing data, and accessing confidential and restricted information. Visonaryz also uses of encryption, VPNs and security software, and requires training procedures for all staff on Visionaryz Data Security and Privacy Policy.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Vista Higher Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Vista Higher Learning creates and delivers high-quality, integrated print and digital solutions that meet the needs of all language learners—those learning a new language, improving a second language, or perfecting their native language.

Specifically, the digital solutions provide teachers with learning content, assessments, and course management tools built exclusively for language learning. Additionally, VHL solutions support common educational single sign-on (SSO), rostering, and learning management system (LMS integration standards.

VHL receives or access PII for the following purposes:

• To facilitate and enable the registration, access, and operation of VHL Digital Products;
• To respond to teacher requests for product support or customer service;
• To personalize the use of and experience with VHL Digital Products; and
• To monitor and improve the overall performance and quality of VHL Digital Products

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.  

• VHL shall only collect PII in an amount that is reasonable to accomplish legitimate business purposes or necessary to comply with other state and federal regulations;
• VHL shall limit access to PII to those persons who need it to accomplish a legitimate business purpose or otherwise comply with other state or federal regulations;
• VHL shall undergo an annual SOC 2 Type 2 Security audit by an external, professional auditing firm.
• All VHL employees, vendors and independent contractors with access to PII shall agree to confidentiality terms and undergo appropriate security training.
• VHL shall maintain and operate appropriate incident response and investigation processes and procedures in the event of unauthorized access or use of PII. These include prompt steps to mitigate the access, evaluate and respond to the events, notify users affected by the access, and engage appropriate auditors or examiners in connection with the access.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Votenet Solutions, Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 6/1/2022 - 5/31/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. Votenet Solutions provides the software deployed for the nomination and election of Community and Citywide Education Councils. The nomination process involves the completion of an application which has and requires PII as it relates to the parent being nominated and the student relationship to be considered and vetted by the DOE. Once the application process concludes, the DOE who is in-charge of vetting each application, confirms the qualification and consideration of the candidate for the election. Without the PII in the application, the DOE cannot complete their vetting process. As for the voting process, we need PII in order to conduct the verification of the voter accessing the election to ensure they are voting in the council they are eligible and qualified to vote on.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. AWS.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The below details how the Policy establishes the Access controls among the various entities accessing its IT Systems.

• THIRD-PARTY/ VENDOR COORDINATION
  • The InfoSec Center of Excellence (InfoSec CoE) at eBallot coordinates with vendors/ third-parties to implement and maintain security controls, to safeguard eBallot information assets from unauthorized access by individuals or devices. Active Directory accounts are established through Help Desk ticket requests.
  • Vendors/ third-parties work with their eBallot development managers, account managers, and the InfoSec CoE to determine how access is managed and who, under what circumstances, may access eBallot's information assets.
  • Application Development managers serve as owners for the eBallot application systems that their teams support. Requests for application access go through the application development managers which are then further approved by both the eBallot Account Manager and the InfoSec CoE.
  • Access to specific parts of the network for administrative work is approved by the information asset owners (in most cases this is the Account Manager unless otherwise mentioned). 
• COMPLIANCE DEVIATION PENALTIES
  • For eBallot employees, failure to comply with the procedures identified in this policy may result in progressive discipline up to and including termination of employment.
  • For eBallot vendors/ third-parties/ non-eBallot personnel, failure to comply may result in removal of the individual’s ability to access and use eBallot data and systems. Employers of non-eBallot personnel will be notified of any violations and respective disciplinary action would need to be undertaken as stated on the contractual agreement with the specific vendor/ third-party.
  • All personnel employees/ vendors/ third-parties are also subject to any applicable penalties for statutory requirements compliance violations. Depending on the requirement and the nature of the violation, penalties could include fines and/or criminal charges. In addition section 4.5 speaks to the Access Management policy for Users and the strict implementation of the policy for Least Privilege Access which ensures that at no point, do any resources have unauthorized access to Votenet’s business or client data. See below.
• LEAST PRIVILEGE ACCESS
  • Both the InfoSec CoE and eBallot IT must ensure that the principle of least privilege is employed for eBallot Information Assets to ensure that users (or processes acting on behalf of users) are allowed only authorized access necessary to accomplish assigned tasks, in accordance with job duties, consistent with/ applicable Executive Orders, directives, policies, regulations, standards, and guidance.
  • For the Information Assets that it supports, eBallot IT employs the principle of least privilege, which allows only authorized accesses for users (or processes acting on behalf of users) necessary to accomplish assigned tasks in accordance with job duties
    • eBallot IT explicitly authorizes access to system utilities, by requiring that they only be made available to those with a legitimate business case.
    • eBallot IT requires that system administration accounts (e.g., root access) be limited to as small a group as possible and based on the principle of least privilege.
    • eBallot IT requires that any administrators first login as themselves (ordinary user) before escalating privileges to that of an administrator.
    • eBallot IT implements safeguards to prevent non-privileged users of Information Assets from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
    • eBallot IT restricts privileged accounts on the Information Asset to defined personnel or roles (defined in the applicable security plan).
    • eBallot IT audits the execution of privileged functions.
    • All eBallot IT-supported Information Assets prevent non-privileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/ countermeasures.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Walsworth Publishing Company

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2022 – 9/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. PII data collected is used for the publication of the yearbook. We collect students’ names, images, and grade levels, which are then printed in the final product. We collect parents’ names and addresses when they order yearbooks online, and we use their address if they have requested home delivery.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data privacy is crucial for everyone, and to ensure its protection, we rely on three key aspects: administrative, technical, and physical safeguards. Administrative safeguards involve creating policies, procedures, and guidelines to control who can access sensitive information. Technical safeguards make use of tools and technologies, such as firewalls, encryption, and passwords, to protect data from being accessed by unauthorized users. Physical safeguards are the tangible measures, like keeping files in locked cabinets or secure rooms, to prevent unauthorized access to data storage locations. These three aspects work hand‐in‐hand to maintain the privacy of our valuable personal information and keep it safe from misuse.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Wheelchairs Against Guns

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We will be privy to student PII for programing purposes only, will include to keep track of program attendance and grades if need be. The purpose of the PII will be to keep track of student who are apart of the program. WAG will conduct workshops that will include conflict resolution strategies, critical thinking techniques, self-esteem building, and financial literacy. Theses workshops will be conducted during school hours from 12pm-2:25pm Mon, Weds, And Fri for the duration of FY 22-23. There will be 2 assigned facilitators that will present the workshops to a selected body of student. The purpose of the PII will be to keep track of student who are a part of the program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE's option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Apple iCloud.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All staff must pass a thorough training course on the importance of storing and securing students PII to a 128 encrypted software and iCloud as our subcontracted entity. All info is wiped clean from all former employees assigned iCloud as all hardware and software is returned to WAG.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

William H. Sadlier, Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 2/1/2017 – 1/31/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. William H. Sadlier Inc., an existing contracted vendor for Educational Software with the New York City Department of Education, provides schools with programs identified within the contract on Sadlier Connect.

Sadlier Connect is a single sign-on learning platform that supports schools with content in the areas of K–12 English Language Arts, Grammar, Vocabulary, Reading, and Mathematics and supports administrators and teachers by providing easy access to high quality programs and the ability to create assignments, generate detailed reports, and identify recommended resources to lead students toward meeting the expectations of grade-level standards.

Sadlier Connect also supports learning inside and outside of NYC classrooms, students and families have access to free engaging, program-specific games and digital resources in a variety of formats (audio, video, and interactive) that can be accessed anytime, anywhere, on most Internet-accessible devices.

We will use the Personal Information that we collect from students solely for the use and benefit of the NYC DOE, including providing the Site's educational services to its registered accounts. We do not use the Personal Information that we collect from students for commercial purposes not related to the provision of the services requested by the NYC DOE.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

“For subscriptions to Sadlier Connect, NYC DOE data will be destroyed/returned following the earliest of the following events: a written request from NYC DOE for destruction or return of data; or the date when the data is no longer needed to provide the services, or the date of the expiration or termination of the agreement.” In addition, the Entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Sadlier Connect uses Amazon Web Services (AWS) Key Management Service (KMS).
• All data is transferred to/from Sadlier Connect using HTTPS/TLS.
• Data is encrypted in transmission using the current SSL and TLS standards and at rest at no less than 256-bit level encryption.
• The development team primarily develops on lower tiers, and when they work in our production environment, they use scrubbed or synthetic data (i.e., email addresses and passwords are altered.)
• Vulnerabilities are triaged and repaired according to scope and severity.
• Intrusions are prevented by a defense-in-depth strategy including software and virtualized hardware firewalls and strict limitations on the personnel who are authorized to access our infrastructure. We continue to evaluate improvements to security protections. All job applicants who have accepted a job offer are required to go through a background check through an external vendor. Additionally, HR conducts reference checks for all potential employees prior to their starting with Sadlier.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Wilson Language Training Corporation

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2023 – 6/30/2029

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. PII will be used in connection with the provision of FUN HUB, a teacher tool that provides downloadable PDFs and videos to aid in teachers instruction and professional learning.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Wilson Language Training Corporation (“WLT”) collects student name, School, grade, Fundations® Level, and Fundations assessment scores for students. With respect to educator data, WLT Corporation receives the following information: first and last name, school name, school district, school email address, and other information about the Educator’s School. WLT provides for administrative, operational, and technical safeguards, including encryption, firewalls and password protection. These safeguards meet in the requirements of applicable law, industry standards, and best practices. Safeguards include:

• User Access. Use of an account and a password is required to access our Digital Products. We do not offer Users, including Students, any way to login to our Digital Products through social media tools.
• Employee Access. Access to Customer Data is limited (through user/password credentials and two factor authentication) to those employees who require it to perform their job functions. Our employees with access to Customer Data will receive training on data privacy (including on FERPA and New York Education Law 2d) prior to receiving access and on an annual basis thereafter. All employees must sign a confidentiality agreement before they join the company, and background checks are conducted as part of the onboarding process. We conduct phishing and social-engineering awareness testing and education for our employees.
• Storage and processing. Student Data is stored in the United States. We maintain strict administrative, technical, and physical procedures to protect Customer Data stored in our servers, which are located across Tier 1 data centers that are logically and physically separated locations. Our hosting provider implements security measures in accordance with industry standards.
• Encryption. We use industry-standard TLS 1.2 encryption technology to safeguard the account registration process and sign-up information. Other security safeguards include but are not limited to data encryption, firewalls, and physical access controls to building and files. Data is encrypted during transmission and at rest.
• Device Controls. We encrypt all of our employee laptops, and those devices are centrally managed and covered by anti-virus protections which are updated periodically. Laptops are password protected.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Wonder Workshop

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement has an End Date: 08/10/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We use student names (profiles) to save and progress through our curriculum and save their programs to the cloud.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the Entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Backups are encrypted. User data is only available in secured databases on the cloud. Test environments do not use production user data. Test environments use the same security controls as the production environment, with separate security keys. Data in transit encrypted via TLS. Data storage and backups encrypted with AES 256.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Worked, Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 5/16/2022 – 5/27/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Worked, Inc. is creating a 20 hour Cybersecurity Externship which is a Work Based Learning Program for NYC DOE high school students to engage with Cyber careers.

Type of PII that the Entity will receive/access: Student PII

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We collect the minimum amount of data required to successfully operate our programs. In the case where information is obtained from a student that is under the PII label, we only keep that sensitive within our lead teacher, leadership, and lead host team members. Everyone is trained on the right practices. All sensitive data collected in our service is encrypted and aligned with best practices and we have controls which support this collection and data use.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

WSD Digital (also called ReFrame Solutions)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/19/2021 – 7/19/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The ReFrame system is housing student first name and last name. The ReFrame System is housing parent or guardian phone number only. The system receives updated student first name and last name from school Principal. Parent phone numbers are received from school Principal. This PII data is used for communication purposes only for the Bronx Technology and Engineering Academy.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ReFrame Engage is delivered on a SaaS (Software as a Service) basis, with Cloud hosting supplied by a secure, highly reliable, and redundant AWS Cloud (using geographically diverse data backup). The application is designed to provide access to data on a need-to-know basis, always protecting PII and privacy including the segregation or suppression of sensitive data where appropriate based on Role Permissions. All data is encrypted in transit and at rest. Employees undergo annual cybersecurity training as part of HR policy.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Xello Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: Starting on 11/3/2021

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Xello provides college & career readiness software that allows students to discover relevant college, university, trade, military and career options based on their personality, skills, and knowledge. Xello requires certain PII in order to provision accounts for teachers and students, and for teachers to be able to interact with their students.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

Physical Controls:

• Environmental control (constant temperature and humidity maintenance, particulates filtration), fire suppression systems, redundant power sources and UPS backup.
• Round the clock physical security (card entry, video monitoring of the facilities).
• Data center access logs (Azure).

Technical Controls:

• Logging and auditing of network access.
• Continuous monitoring (SIEM)
• Firewall & endpoint protection.
• Network segregation.
• Encrypted data in transit through the use of TLS 1.2

Administrative Controls:

• Utilization of the principle of least privilege.
• Vulnerability testing.
• Security awareness training (including FERPA and COPPA).
• Criminal background checks on all employees.
• Employee NDAs.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Yegros Educational (for Conjuguemos)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 4/1/2023 – 4/1/2026

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Entity provides a service called Conjuguemos. It’s a website for foreign language practice. Students log in and practice verb conjugations on the site, and the site keeps track of student progress and shows that progress to the student’s teacher. We collect PII so that students can create accounts and do school work on our site. This work is done with accounts so that teachers can then track student progress by looking at these student accounts.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Please refer to our privacy policy (Https://conjuguemos.com/privacy) for a description of how Conjuguemos safeguards PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Zearn

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. Zearn’s services are our Zearn Math School Account which includes access to Zearn Math. Zearn Math is the top-rated K-8 comprehensive math learning program for the full school year. Zearn’s instructional materials are designed to fit a range of instructional needs, including use as a digital conceptual math supplement. Zearn Math is the only EdReports top-rated math resource that connects daily core instruction, intervention, and learning acceleration in one comprehensive math program to ensure all students can be successful with grade-level math. In addition to the full Zearn Math curriculum, School Accounts offer schools and districts dedicated customer support and implementation, administrator reporting on student progress, and rostering support. Protected Information will be used only as necessary for Zearn to perform the services associated with Zearn School Accounts. The personally identifiable information will be used to roster the students, deliver Zearn’s services, and provide in-app reporting on student progress to the subscribing school district, school, or classroom.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. Entity states “PII will be securely destroyed within 30 days of expiration or termination of the applicable Services Contract. We enable this 30-day period to allow the Zearn School Account Holders time to transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option, and to ensure that if the account needs reactivated in that limited time, you retain continuity of your classroom progress. During the 30 days that your account is inactive, we do not access your account data.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services (a cloud hosting database), Heroku Enterprise (a cloud hosting application and database).

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Zearn shall maintain the confidentiality of the shared student data or teacher or administrator data in accordance with federal and state law and the educational agency's policy on data security and privacy. Zearn has the following administrative, operational, and technical safeguards and practices in place to protect personally identifiable information. Zearn shall: limit internal access to personally identifiable information to only those employees or subcontractors that need access to provide the contracted services; encrypt data in transit and at rest at 128-bit encryption or better; utilize two-factor authentication prior to access to personally identifiable information; utilize antivirus and malware software on computers access personally identifiable information; conduct regular software security updates; implement additional network and physical security measures consistent with commercially reasonable security standards used to help safeguard pupil records; monitor hosted and collected data for unauthorized intrusions using network-based and host- based intrusion detection mechanisms through its cloud hosting provider; use access control and redundancy to ensure the resilience of the data collected and stored, through its third-party cloud hosting provider; destroy personal data according to internal policy and external commitments; and require Zearn staff members undergo annual privacy and security training.

Zearn will ensure that subcontractors and third-party service providers with whom Zearn shares Protected Information abide by all applicable data protection and security requirements by entering into written agreements whereby such parties will perform their obligations in a manner consistent with the data protection and security requirements outlined therein.

Protected Information will be stored in a secure data center in the United States using monitoring of the access doors, fire and security monitoring, system health and intrusion monitoring, data backups and retentions. Data storage and access will comply with the Advanced Encryption Standard (AES) with minimum of 128-bit key encryption.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Zoobean

The exclusive purposes for which Protected Information will be used: Students’ first and last name will be used to personalize the experience when logged into our application. Their email address or school district username will be used for authentication purposes in the instances where SSO [NYCDOE comment: single sign on] isn’t available. Their age and/or grade level will be used to place them into the appropriate reading challenges for their age group. Finally, their section enrollment will be used to allow their teachers access to their reading history and achievement data.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: We do not share student data with subcontractors or anyone outside of full-time employees directly supporting our work with NYC DOE. All Zoobean emloyees are required to complete a background check including social security number trace, nationwide criminal database search, sex offender registry search, county criminal court search, and domestic watchlist search. Employees attend semiannual company training and performance reviews that may include, but or not limited to, abiding by all current data protection and security requirements.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: When the agreement expires and NYC DOE no longer wishes to utilize our application, all data related to their district will be fully deleted from the database and all stored backups. Once the data is fully destroyed, the application will disconnect from the preferred NYC DOE SSO & Rostering service and their sites fully decommissioned.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE to process requests for copies of, and challenges to the accuracy of, Protected Information in the custody or control of the Contractor. Such requests should be directed to studentprivacy@schools.nyc.gov. We obtain our student/teacher data directly from 3rd party vendors like Clever and Classlink, or custom integrations. In all of those instances, we have the means to import the data so it matches the data found in those services.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All information will be stored in the US.

How the data will be encrypted (described in such a manner as to protect data security): The data in the database is encrypted at rest and all data is encrypted end-to-end while in transit via TLSv1.2.