Under FERPA and New York State Education Law §2-d, NYC DOE may disclose student information without consent to authorized third parties who have entered into written agreements with us and meet certain requirements. Such third parties must agree to comply with federal, state, and local laws, as well as the DOE’s Data Privacy and Security Policies. They also agree to comply with the DOE’s Parent Bill of Rights for Data Privacy and Security and complete a supplemental information questionnaire to provide more information to parents, students, and the public about the vendors' data security practices.
The third parties that the DOE has written agreements with include software providers, community-based organizations, researchers, and related service providers. Third parties only receive the types of student information agreed upon in the written agreement, for the schools or students that have requested to use their products or services, and only as necessary for the provision of those products or services. Please contact your school’s principal if you would like to know which vendor(s) or organization(s) your school uses or partners with.
PLEASE NOTE: The third parties listed below do not comprise a comprehensive list of “approved DOE vendors” and should not be thought of as such.
Listed in Alphabetical Order:
R K Software
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. This agreement is for our firm to provide Staffing Augmentation to the DOE for a range of services including Software Development, Network Engineering, Server Deployment and Management, Business Analysis, and Project Management. All of the staff we provide will work with NYC DOE equipment and within DOE systems. No PII will be received or stored by our firm or anyone other than the staff hired to work with the DOE. R K Software Inc.’s staff members, consultants, or subcontractors working with the DOE may need to access PII to troubleshoot issues, develop initiatives, provide adequate support, communicate with relevant parties or other similar reasons.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: R K Software Inc’s staff members, consultants, or subcontractors will only access PII, they will not store, host, or collect any PII.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below. We will not store, host or collect any PII.
Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. R K Software Inc.’s staff members, consultants, and subcontractors will be trained to handle Student PII information. They will follow the security practices and protocols described in our Education Security Policy, particularly those listed in Section II on confidential information and privacy.
- R K Software Inc.’s staff members, consultants, and subcontractors keep all confidential information private through many security measures in compliance with the NIST Cybersecurity Framework. All confidential information is kept in confidence and not disclosed to anyone or any third party, not used for the benefit of R K Software Inc. or another entity, or for any other purpose than that agreed upon with the New York City Department of Education.
- R K Software Inc.’s staff members, consultants, and subcontractors use commercially reasonable efforts to secure and defend any system housing confidential information against third parties who may seek to breach the security thereof, including but not limited to breaches by unauthorized access or making unauthorized modifications to the system.
- R K Software Inc.’s staff members, consultants, and subcontractors protect all confidential information when in transit and at rest. When in transit, information and data are encrypted. When at rest, information and data are protected by passwords, firewalls, and other measures. Scripts and queries cannot penetrate the encryption or protections.
- Confidential information may be in the original format or a copy. Both are equally protected.
- When R K Software Inc. and its staff members, consultants, and subcontractors no longer need to have confidential information, the information will either be returned (in a secure way) to the New York City Department of Education or destroyed so that the data are unusable and unrecoverable.
- Any reports or applications which contain confidential information will have prominent confidentiality notices in legible-sized fonts on each page.
- Web applications containing confidential information will be non-cacheable.
- Confidential information will not appear in URLs.
- In development, test, and QA environments test data that is NOT confidential will be used.
- R K Software Inc and its staff members, consultants, and subcontractors will review and comply with any additional requirements from the New York City Department of Education.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. No PII will be stored or hosted by Entity.
Radish Education (also called Magma Math)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Magma Math is a supplemental math software for K-12 students. We receive PII through SSO platforms already used by the district in order to create accounts and set up classroom accounts for teachers.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Magma Math has administrative and technical processes to ensure the protection and confidentiality of Personally Identifiable Information (PII). Administrative safeguards include access controls and employee training on data security. Technical measures include data encryption for both stored and transmitted data. Physically, access to facilities housing sensitive data is controlled, and policies are in place for the secure handling and disposal of all devices and media that contain PII. These efforts are supported by ongoing risk assessments that help prioritize security measures and ensure effective resource allocation to mitigate data privacy risks. Together, these strategies form a comprehensive security approach designed to protect PII without compromising the integrity of Magma Math’s security practices.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Raj Technologies (also called RTI) (for a Vaccine Tracker)
Type of Entity: Commercial Enterprise
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Contractor will be responsible for the provision of support services for the Vaccine Tracking Enhancements Project to provide information about COVID-19 and test results to ensure the safety of students, staff and communities. Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.
Type of PII that the Entity will receive/access: Student PII. “The Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.”
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “The Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.”
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. “The Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.”
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. “The Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.”
Rally! Education
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. RALLY! Education® digital products use advanced encryption technology to protect online data. The purpose of each digital product is to help students understand and master the NY Next Generation Learning Standards and prepare for the spring NY State Tests. Our digital programs stand alone on secured website servers. There is no need to access all student PII - we only require student, teacher, and admin email addresses and school-created passwords to set up the program - no other confidential information is needed or required. Our programs do not require All transmission of data other than diagnostic student, class, and grade reports using Secure Sockets Layer (SSL) protocols to encrypt the data being transmitted. In addition, all educational student and teacher names are stored on RALLY! Education® secured servers and are encrypted. RALLY! Education® servers use the latest security software to detect and defend from attacks and unauthorized access and are monitored daily. All transmission of data utilizes Secure Sockets Layer (SSL) protocols to encrypt the data being transmitted. In addition, all educational and personal information stored on RALLY! Education® servers is encrypted. RALLY! Education® servers use the latest security software to detect and defend from attacks and unauthorized access.
Type of PII that the Entity will receive/access: Student PII. The vendor specifies that “NYC DOE is the sole owner of any student and teacher data. The only information that is needed is the student’s name and teacher email/or ID and any passwords that the site or DOE sets up. For example, teachers and students can use their assigned NYC DOE ID number as their passwords or create unique passwords”
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor specifies “RALLY! Education® is the sole source provider, and we do not contract with third-party providers.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. The vendor specifies that “All data is deleted on the RALLY! Education® servers. NYC DOE is the sole owner of all reports by student, class, and grade.”
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All class rosters provided to RALLY! Education® are the sole owner of NYC including the reporting data. Unless directed, there is no link between NYC DOE's website and our digital products. Depending on which products are purchased, each school receives access to a password protected URL unique to each school. We use password protected logins for all access on our secured servers. Administrators, teachers, and students also receive unique passwords to access the specific level of the product. (Administrators have access to all levels purchased, teachers have access only to the students in their class or classes, students can only access their grade level.) Diagnostic Reporting tools can be found within the Administration and Teacher portals. The reports can be downloaded and shared for meetings - no other private information is needed or required. During each semester, additional classes and students can be added or updated, and NYC is the sole owner. At the end of the agreement term, NYC will have copies of the data within the system for the school year. If NYC DOE prefers that RALLY! Education® set up the school's passwords, we will do it within the confines of what the DOE requires. If NYC DOE uses Class Link®, we follow the secured protocols as stated by Class Link® for PII (although our products do not require complete PII access). In addition, RALLY! Education® uses advanced encryption technology to protect online data. All transmission of data utilizes Secure Sockets Layer (SSL) protocols to encrypt the data being transmitted. In addition, all educational and personal information stored on RALLY! Education® servers is encrypted. RALLY! Education® servers use the latest security software to detect and defend from attacks and unauthorized access and are monitored daily.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor specifies “RALLY! Education® encrypts all student and teacher data. All diagnostic reports are available through a unique login. No other confidential information is needed or shared. NYC DOE is the sole owner of any student and teacher data. The only information that is needed is the student’s name and teacher email/or ID and any passwords that the site or DOE sets up. For example, teachers and students can use their assigned NYC DOE ID number as their passwords or create unique passwords.”
Ramapo for Children
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 12/2020 – 6/2022
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Facilitation of a Youth Council for the Office of Community Schools.
Type of PII that the Entity will receive/access: Student PII
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor’s response: “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.
Challenges to Data Accuracy. The Entity agrees to the procedure outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Ramapo employees store and access data on a custom Salesforce platform with restricted levels of access depending on the staff role. Salesforce is built with security to protect data and applications by limiting exposure of data to the users that act on it. Authentication protocols prevent unauthorized access to data by making sure each logged-in user is who they say they are. Careful consideration is given to choosing the data set that each user or group of users can see, thereby limiting the risk of stolen or misused data. Specific objects (such as attendance lists or coaching notes) are only accessed by selected profiles.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. The vendor checked the box “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Reading Horizons
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Tech-enabled foundational reading instruction that helps all students reach reading proficiency.
PII: IP Addresses of users, Use of cookies, etc., Other application technology meta data, meta data on user interaction with application, standardized test scores, language information (native, or primary language spoken by student), student school enrollment, student grade level, specific curriculum programs, student scheduled courses, teacher names, English language learner information, Local (School district) ID number, Provider/App assigned student ID number, Student First and/or Last name, Program/application performance, Academic or extracurricular activities a student may belong to or participate in.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Azure, AWS, Google.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Reading Horizons enforces role-based access controls, maintains comprehensive data privacy policies, and conducts regular employee training. Technical controls include encryption, robust network security, and vulnerability assessments.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Reading Plus
The exclusive purposes for which Protected Information will be used: To set up and manage your subscription to use the Reading Plus application. To set up and maintain your individual use account. To administer and protect the Reading Plus application (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data). To use data analytics to improve our Reading Plus application and customer relationships and experiences. For research purposes to better understand how we can develop and improve our Reading Plus application and/or create new products to help students become better silent readers and independent learners. To send marketing communications to teachers and administrative users.
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: All Subcontractors sign binding NDAs that bind them to data protection agreements that Reading Plus LLC is part of.
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Following expiration or termination of the agreement under which the Client purchased access to the Reading Plus web-based products or services, and upon receipt of written request from the Client, Reading Plus will destroy or, if agreed, return to the Client, the Student Records in its possession within a commercially reasonable period of time.
[NYC DOE comment: The current agreement became effective starting on August 30, 2019 and terminates when all NYC DOE schools and/or offices cease using Reading Plus LLC’s products/services. The terms of the agreement remain effective through the period during which Reading Plus LLC possesses or otherwise is in control of covered protected information.]
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data is stored within the United States, encrypted in transit and at rest. We have put in place reasonable and appropriate security measures designed to prevent your personal data from being accidentally lost or used or accessed, altered or disclosed accidentally or in an unauthorized way. In addition, we have put in place policies and protocols designed to limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know.
How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted in transit with SHA-256 with RSA encryption. Data is encrypted at rest with AES-256 encryption algorithm.
ReadWorks
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ReadWorks allows students to read our material and submit responses to questions and writing prompts as part of an online class. All data is stored exclusively for educational purposes, primarily to ensure the smooth functionality of the website itself. No student PII is utilized for commercial or marketing purposes, nor is it retained after a student’s use of the site is discontinued by that student’s teacher.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ReadWorks stores and processes student data in accordance with industry best practices. This includes encryption and appropriate administrative, physical, and technical safeguards including firewalls to secure Student Data from unauthorized access, disclosure, and use. We conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. We regularly perform system audits and work to ensure all of our software has the latest security-related patches and updates.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Really Great Reading Company
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 9/1/2022 – 8/31/2029
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Really Great Reading’s Products are designed to provide foundational reading skill instruction for students in grades PK‐12 via Teacher Online Tools, Reading Playgrounds, and Virtual Implementation Training Courses for our Phonics Suite Programs. Really Great Reading receives and accesses PII for purposes of providing students with practice opportunities within Really Great Reading’s Reading Playground digital platform and facilitating the monitoring of student performance and progress.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Amazon Web Services.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data in motion is secured with standard HTTPS protocol Transport Layer Security (TLS). Data stored at rest is encrypted, as are its automated backups, read replicas, and snapshots using Amazon AWS RDS encryption. Keys are managed with the AWS Key Management Service (KMS). All data is stored in a password-protected database with strong password requirements, server-based firewall limiting data access to those end‐points necessary, and limits to development roles that have access to production data. Only business‐necessary PII will be stored. RGR applications are hosted in Amazon Web Services (AWS). More information about the physical security of AWS data centers may be found on the AWS website. Access to PII and application data will be limited to only those employees who necessarily require access to data in the performance of their role with projects. Employees who have access to PII must complete Security Awareness Training (Coursera) and demonstrate awareness and discretion in their day‐to‐day practices related to security and handling of sensitive information. Employees must sign or acknowledge these policies as they relate to their role. Background checks are conducted on all employees. In the event of unauthorized access or data breach related to the client's application data, RGR will provide requisite notification in accordance with Section 5(f) of this Agreement.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Reconstruction US
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Program Overview: Reconstruction provides holistic, supplemental, culturally-relevant curriculum, centered on the Black experience. Our comprehensive solutions create transformative learning experiences that inspire student empowerment and equip teachers to effectively educate on culturally-responsive content. This is done through 4 services:
- LIVE INSTRUCTION - Live tutored, supplemental, culturally relevant courses centered on the Black experience delivered via our proprietary platform for K-12 students. These courses are designed for students and sold directly to school districts and community based organizations.
- CURRICULUM LICENSING - Members of school districts and community based organizations are trained by our staff to teach a set of Reconstruction math and reading courses for K-12 students.
- PROFESSIONAL DEVELOPMENT - We provide a professional learning series for K-12 educators where they will explore best practice for creating engaging and identity affirming spaces for Black scholars. Topics include: Black Boy Joy, Building Aspirational Capital, Creating a Culturally Relevant Classroom, Teaching Culturally Relevant Curriculum, Resistance Capital and more.
- ONYX - A comprehensive platform that empowers teachers to design culturally relevant lesson plans centered on the Black experience through the use of generative AI.
To effectively deliver our programming, Reconstruction requires limited Personally Identifiable Information (PII) for essential operational reasons:
- Account Creation: Student (and sometimes teacher) names and email addresses are needed to set up individual accounts for secure class enrollment and personalized learning experiences.
- Tutor Interaction: Names enable tutors to personalize communication, enhancing the educational connection.
- System Integration: Email addresses allow for integration with single sign-on platforms like Clever, simplifying course access.
- Appropriate Course Placement: Grade levels help in assigning students to courses that match their academic level, ensuring an effective learning pace.
Additional PII, such as gender/pronouns and phone numbers, may be manually entered into our system by students, but is never requested or required.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Drive, AWS, Hubspot.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Our commitment to the protection of Personally Identifiable Information (PII) is upheld through a blend of administrative, technical, and physical safeguards tailored to prevent unauthorized access, disclosure, alteration, and destruction of data.
- Administrative Safeguards: We adhere to data protection policies and procedures that are reviewed and updated in response to changing regulations and emerging threats. Access to PII is limited to key personnel and managed through role-based access controls. Additionally, all employees and subcontractors are required to sign data confidentiality agreements to ensure an understanding and commitment to our privacy and security standards.
- Technical Safeguards: Our technical measures include robust data encryption protocols for PII at rest and in transit, ensuring data integrity and confidentiality. Our development practices are centered around security, incorporating assessments such as penetration testing and vulnerability scanning as needed to identify and remediate potential risks.
- Risk Mitigation: We have a comprehensive incident response plan in place to manage and mitigate the impacts of any data breaches or security incidents efficiently.
Our strategy is to maintain vigilance and adaptability in our security practices, ensuring the ongoing protection of PII within a framework that respects privacy and complies with relevant regulations.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Red Circle Solutions (for School App Express)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. School App Express is a product that provides custom apps for schools, which schools can operate through a website. The app sends out push notifications, makes mass calls (when schools are closed, etc.), sends mass emails, and sends mass text messages as well. School App Express does not collect or store any data for students or parents that is not related to messaging and communication.
Type of PII that the Entity will receive/access: Student PII and Other: Staff PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Microsoft Azure.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data is encrypted by Azure Transparent Data Encryption. Employees must use MFA to access cloud services.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Rediker Software
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 3/1/2022 – 2/28/2025
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. To provide a Student Information System to manage student-related data as the system of record.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted solution; and we use Microsoft Azure to host our teacher, parent, and student products. Microsoft is not a subcontractor but a Cloud service provider, which is a company that provides a cloud-based platform, infrastructure, application, or storage services, usually for a fee. We do not provide access or provide consent to any Microsoft Representative to work on our servers or databases that are provisioned to our customers. Access to customer data by Microsoft operations and support personnel is denied by default. Microsoft does not inspect, approve, or monitor applications that customers deploy to Azure. Moreover, Microsoft does not know what kind of data customers choose to store in Azure. Microsoft does not claim data ownership over the customer information that's entered in Azure.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Rediker Software Inc. has implemented security policies and standards that govern and protect customers’ data. Our policies and standards are periodically revised and updated to comply with laws and regulations such as FERPA, COPPA, GDPR, HIPAA, PCI-DSS, NYE DOE Standards, and more. Rediker Software Inc. is committed to safeguarding the confidentiality, integrity, and availability of customers’ data by adopting:
- Secure Access Control
- Data Segregation
- Data Redundancy
- Encryption
- Data and Application Security
All platforms are highly secure and are equipped with standardized measures to manage, monitor, and protect our customers’ data.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Reel Stories Teen Filmmaking
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Reel Teen Filmmaking, inc. provides media arts instruction, media arts education professional development, and media arts services. In the event that Reel Teen Filmmaking, inc. instructs New York City public school students, only the names and school email addresses of those students will be attained in order to report attendance and assign/collect media assignments.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Drive (under Reel Works secured server and organization account).
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Reel Works will classify PII in terms of sensitivity and store that PII in a restricted file that only 1 authorized user can access. Reel Works has established an acceptable usage policy for accessing PII. This policy defines who can access NYC DOE student PII and the acceptable way(s) to use it to reinforce proper PII access and usage. When you upload a file of any type to Google Drive, as Reel Works intends on its secured server, it is stored securely in world-class data centers. Data is encrypted in-transit and at-rest.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Regents Booster
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 9/1/2022 – 8/31/2029
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We created an online learning program with a controlled environment where each student can advance at his or her own pace. The full high school curriculum on certain science and history subjects is now being offered in digital format and allows for note-taking, highlighting, audio, bookmarking, encyclopedia lookup for further research, search options, and translations, helping students who have difficulty reading or those students for whom English is their second language. The digital eBook copy can also be used together with the printed copy, further enabling the retention of the materials taught in class.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, specifically “Amazon secure data centers using AWS and GCP technology.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We have a Platform that has implemented industry best-in-class security, privacy, and compliance controls. Regent Boosters has a platform that is CCPR, GDPR, PCI DSS compliant, with a star level 1 certificate. Our Physical Infrastructure is hosted & managed by the Amazon Secure Data Centers and uses AWS and GCP Technology and is constantly managed for Risk and undergoes recurring assessments to ensure compliance with industry best standards. All student/user data is hosted in the USA. Data is encrypted in transit (SSL/TLS) and at rest (AES 256).
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Remind101
The exclusive purposes for which Protected Information will be used: Remind will process Personally Identifiable Student Information (PISI) as necessary to perform the Services pursuant to the Terms of Service (https://www.remind.com/terms-of-service), and as further instructed by relevant parties in its use of the Services.
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Remind will use a vendor risk management process to evaluate new vendors and monitor existing vendors on an annual basis. The following review areas are considered for vendors with whom personal data is exchanged: Compliance Status, Compliance Report Details, if applicable, Contractual Terms (confidentiality and data protection), Data Retention, and Data Security Controls.
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Remind will adhere to the obligations set forth in our Privacy Notice and other Terms and Policies published at https://www.remind.com/terms-of-service.
[NYC DOE comment: The current agreement became effective starting on April 10, 2020 and terminates when all NYC DOE schools and/or offices cease using Remind101, Inc.’s products/services. The terms of the agreement remain effective through the period during which Remind101, Inc. possesses or otherwise is in control of covered protected information.]
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Remind will store data in cloud-based data centers located in the United States.
How the data will be encrypted (described in such a manner as to protect data security): Data transmitted across untrusted networks will be protected in transit using TLS V1.2 and will be stored at rest in an encrypted state using AES-256 bit encryption.
Renaissance Learning, Inc.
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Renaissance provides three general categories of services:
- Educational Assessment (including myIGDIs, Fundamentals, and Star Assessments)
- Practice and Instruction (AR, Freckle, Lalilo, myON); and
- Insights and Analytics (eSchoolData, Schoolzilla, and Analytics).
PII is used to create user accounts, administer assessments and develop reports, and track student progress.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and Microsoft Azure.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII is stored in the United States for all Renaissance products, including Lalilo. Renaissance’s information security program implements technical, physical, and administrative controls to safeguard customer data. Renaissance’s information security program implements a layered security set of technical, physical, and administrative controls to safeguard customer data. Our Security processes and controls substantially follow industry recognized standards, including the FIPS 200 standard and NIST Special Publication 800-53.
Technical controls include: data loss prevention, encryption (in-transit and at rest), role-based access control, endpoint detection and response, managed detection and response, next-generation firewalls, segmented design, patching, system hardening, vulnerability scanning, dynamic application security testing, penetration testing, network monitoring, system monitoring, and traffic analysis.
Physical controls include: AWS and Azure provided services, a physical security program that is audited as part of the SOC 2 Type 2 examination of controls.
Administrative controls include: risk management program, a standing incident response team, security education and training programs, as well as a compliance program. We monitor systems 24 hours a day, 7 days a week and any suspicious activity is promptly investigated.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Renzulli Learning
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 4/1/2021 – 6/30/2022
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Renzulli Learning is an interactive online system that provides students with a personalized learning environment, allowing teachers to easily differentiate instruction to increase engagement and achieve higher academic performance. Renzulli Learning has resources that promote and enable ALL students to pursue their interests, providing equity, innovation and creativity for grades Pre-K through 12. Students are empowered by doing creative, imaginative projects that provide rigorous learning outcomes.
The Renzulli Profiler quickly identifies student strengths, interests, learning and expression styles and then matches each student with thousands of personalized engaging Enrichment Activities. Renzulli Learning features robust student grouping which supports our revolutionary strength-based Project Based Learning (PBL) system.
Research shows that Renzulli Learning benefits all Students including:
- Gifted and Talented Students
- High Achieving Students
- At Risk Students
- Students with Special Needs
- English Language Learners (ELL)
Renzulli Learning supports the development of 21st Century Learning Skills for all students, including: critical thinking, creative problem solving, creativity, time management, communication, teamwork, and global competency through our Global Collaboration module. The system has been used by millions of students across the globe, consistently increasing engagement which research demonstrates will lead to higher achievement. Renzulli Learning is available to all students throughout the school year, before, during, and after school, and all throughout the summer as well!
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Renzulli Learning utilizes LightEdge Solutions, Inc., an ISO/IEC 2700:2013 certified company with Corporate Headquarters in Des Moines, Iowa. LightEdge uses several third-party systems to manage data. The systems reside within LightEdge’s internal network and utilize a web-based application only accessible from the corporate network or through a cloud provider using single sign-on (SSO) to access data. Vulnerability assessments and penetration testing are performed on a monthly and annual basis to identify threats. Any identified security vulnerabilities are triaged by their security team and monitored through resolution. Policies are in place that prohibit the transmission of sensitive information over the internet unless it is encrypted. Risk mitigation activities include the identification, selection, and development of control activities that reduce the assessed risks. LightEdge maintains administrative, technical, and physical safeguards to protect confidential information including provisioning, controlling, and monitoring of physical access into the data centers and office facilities.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Replications
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Replications staff develop and implement community schools and 21st CLC programs in elementary, middle, and high schools in the Bronx, Brooklyn, and Manhattan. Under the leadership of the Community School Director, and in collaboration with the school’s administration, Replications encourages student participation in academic enrichment and extended learning time activities, combats absenteeism, provides mental health services and supports parent engagement in the activities of the school, and the overall environment and culture of the school is improved.
PII is required to contact students and families to support student attendance and family and community engagement, and to track and maintain student progress.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Veeam.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Replications policies and practices are designed to ensure PII is properly collected, protected, and stored. Specifically, the policy states that:
- Replications’ IT Coordinator will be responsible for setting up and maintaining the electronic PII system using computers and other equipment to be stored in his office.
- Replications’ IT Coordinator will regularly conduct spot checks to ensure that PII data is properly collected, encoded, and stored.
- The IT Coordinator will ensure that the PII electronic data system is segregated from and stored in a different space from other data systems kept by Replications.
- Access to the electronic PII systems will be limited to staff with a need-to-know designation.
- Student files are to be kept in locked filing cabinets in the Community School Director’s offices.
- Access to student and family files and information is limited to staff with a need to have such access.
- Mandatory training will be provided to all staff on the requirements and importance of the agency’s confidentiality PII policy.
- Student information, records, and data are not to be disclosed by any member of Replications to any other organization, agency, other entity or individual except as authorized by law or via signed consent by the person whose PII is being requested.
- The creation of new user accounts and participation in virtual group meetings must also align with the policies regarding collection and distribution of PII.
- Replications is committed to practicing Universal Precautions/Standard Protocol & Procedures and to comply with all Federal, State, City, and DOE confidentiality, privacy, and security laws and practices.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Rising Ground (for Community Schools services)
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/1/2021 – 6/30/2024, extended to 6/30/2027
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Rising Ground holds two Community School contracts (RFPs 1341 and 1191). A core service of a Community School provider is assistance with student attendance. As such, Rising Ground staff will have access to personal biographic information to contact families regarding students’ attendance. Additionally, Rising Ground staff will have access to Individual Education Plan (IEP) and English Language Learner (ELL) information to assist school administration in assuring plans and supportive services are in place.
Information collection is NOT required to receive services, but rather to assist in student engagement. Personal identifying information (such as names, phone numbers and/or email addresses) is solely used to engage students in the services we provide. Information is kept on a securely-saved electronic spreadsheet and not shared with anyone outside of approved program staff.
All Rising Ground staff are required to be trained and attest to confidentiality protocols which are governed by federal, state and local laws. This includes, but is not limited to, social service law, child welfare, educational (FERPA), health (HIPAA) laws and regulations.
Data may be aggregated for internal reporting purposes. This information is not used for research purposes.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Cloud service provider: Expedient Cloud services solution: IaaS – Infrastructure as a Service (Servers -VMs) DRaaS – Disaster Recovery as a Service Backups for all servers and data.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Rising Ground fully appreciates the importance of sound record management and has strict policies and procedures which ensure that all records are maintained within local, state and federal laws and standards. All personnel, medical, client and financial files are maintained in accordance with our Confidentiality and Document Retention Policies. All records are filed and stored systematically, in fire-proof settings, and only employees in need of access to records are granted such access. Our Confidentiality Policy ensures that employees understand that any personally identifiable information regarding a person’s health, mental health, education, family or employment is considered confidential and that confidential information is protected by the law. Employees are strictly prohibited from inappropriate or unauthorized disclosure of such information. To protect our software, hardware and the confidentiality of staff and client information, all internet access is filtered and monitored using antivirus, anti-spyware programs. Our Documentation Retention Policy ensures that necessary records and documents are adequately protected. Others are safely stored at a record storage facility. All employees are trained in our Confidentiality Policy, and relevant employees are trained in the Document Retention Policy. Both internal and external audits ensure that these standards are observed and that confidentiality is continually maintained.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Rising Ground (for Crisis Management Services)
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/1/2021 – 6/30/2022
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. As part of City Council’s “Crisis Management Services” initiative, Rising Ground provides trauma-informed therapy and support to teens within two NYC public schools. Our Youth for Change programs offer individual and group counseling on topics such as consent, healthy relationships, self-image, coping skills, healthy masculinity, mediation, and offer socioemotional support. Additionally, we co-facilitate health classes and offer mediation sessions. We also train staff and administrators regarding strategies to integrate healthy relationships and communication skills.
Rising Ground staff do not have access to student records or school systems. As standard counseling practice, personal contact information is collected, from the students themselves, to remain in contact with students (i.e. should they miss a scheduled appointment). This enables a counselor to contact a student when they miss an appointment to ensure they are okay and reschedule. Information collection is NOT required to receive services, but rather to assist in student engagement. There is no access to educational records. Personal identifying information (such as names, phone numbers and/or email addresses) is solely used to engage students in the therapeutic services we provide. Information is kept on a securely-saved electronic spreadsheet and not shared with anyone outside of approved program staff.
All Rising Ground staff are required to be trained and attest to confidentiality protocols which are governed by federal, state and local laws. This includes, but is not limited to, social service law, child welfare, educational (FERPA), health (HIPAA) laws and regulations.
Type of PII that the Entity will receive/access: Student PII
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor’s response: “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedure outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Cloud Service Provider – Expedient Cloud services solution; IaaS – Infrastructure as a Service (Servers -VMs), DRaaS – Disaster Recovery as a Service Backups for all servers and data.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Rising Ground fully appreciates the importance of sound record management and has strict policies and procedures which ensure that all records are maintained within local, state and federal laws and standards. All personnel, medical, client and financial files are maintained in accordance with our Confidentiality and Document Retention Policies. All records are filed and stored systematically, in fire-proof settings, and only employees in need of access to records are granted such access. Our Confidentiality Policy ensures that employees understand that any personally identifiable information regarding a person’s health, mental health, education, family or employment is considered confidential and that confidential information is protected by the law. Employees are strictly prohibited from inappropriate or unauthorized disclosure of such information. To protect our software, hardware and the confidentiality of staff and client information, all internet access is filtered and monitored using antivirus, anti-spyware programs. Our Documentation Retention Policy ensures that necessary records and documents are adequately protected. Others are safely stored at a record storage facility. All employees are trained in our Confidentiality Policy, and relevant employees are trained in the Document Retention Policy. Both internal and external audits ensure that these standards are observed and that confidentiality is continually maintained.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. The vendor checked the box “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Riverside Assessments (also called Riverside Insights)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Riverside Insights uses PII exclusively for the purposes of delivering and improving educational and clinical assessment services. Examples of such uses include rostering students/examinees, inputting assessment responses, scoring assessments, and providing customer service.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
Administrative Safeguards: Riverside follows Role-Based Access Controls, granting access only to authorized individuals who have a need to access information as part of their work responsibilities. Personnel complete regular cybersecurity training, and Riverside conducts social engineering simulations throughout the course of the year, assigning additional training to individuals who fail the simulations.
Technical Safeguards: Riverside conducts quarterly vulnerability scans and annual penetration testing on the application. We are in the process of implementing an end point protection solution provided by SentinelOne and use the Rapid7 suite of products to detect potential incidents and threats. PII is encrypted both at rest and in transit. All data stored on Riverside’s systems is protected with file system, network share, claims, application, or database specific access control lists. Riverside uses email gateway products provided by Sophos to centrally manage spam protection mechanisms, including signature definitions, in order to reduce the introduction of malicious software to client systems.
Physical Safeguards: The application is hosted in SSAE16 SOC 2 Type 2 audited hosting centers. Our third-party managed hosting provider maintains facilities that are designed from the ground up to minimize risk of power and climate control failure. Our hosting provider performs periodic testing and auditing of their facilities. All facilities have full battery and generator power, so in case of an outage, power is maintained indefinitely.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Riveting Results
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 9/16/2024 – 6/30/2025.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Riveting Results provides a 9th and 10th grade English Language Arts software-based curriculum. The program provides curriculum content to enable teachers to teach their students how to read and write about advanced texts. Schools provide students’ first and last name and emails to enable Google sign-on and to access student-level data regarding their performance. No third party is involved in the compilation or analysis of data.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud Services.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- Data Storage Location
  - The Riveting Results® platform is a cloud-based application.
  - Our servers that store student information and student data are located on the Google Cloud platform located in the United States.
  - We do not store any student data outside of the US.
- Network-Level Security Measures
  - The Riveting Results® platform servers are hosted in a cloud environment.
  - Our hosting provider implements network-level security measures in accordance with industry standards.
- Server-Level Security Measures
  - Access to production servers is limited to a small, identified group of operation engineers who are trained specifically for those responsibilities.
  - Google Cloud handles all security updates on the server level.
  - The servers have intrusion detection, configuration control, monitoring/alerting, and automated backups.
  - RR constantly monitors for vulnerabilities in our software.
- Computer/Laptop/Device Security Measures
  - RR employs a full IT staff that manages and secures its corporate and employee IT systems. Access to all RR computers and laptops is password-controlled. RR sets up teacher and administrator accounts for Riveting Results® platform so that they are also password-controlled.
  - We support customers that use single sign on (SSO) technology for accessing the Riveting Results® platform.
- Encryption
  - The Riveting Results® platform is only accessible via https and all public network traffic is encrypted with the latest encryption standards.
  - Encryption of data at rest and in motion is implemented for all data stored in the Riveting Results® platform system.
- Employee and Contractor Policies and Procedures
  - RR limits access to student-identifiable data and customer data to those employees, contractors and subcontractors who need to have such access in order to allow RR to provide quality products and services to its customers. RR requires all employees, contractors and subcontractors who have access to RR servers and systems to sign confidentiality agreements. RR requires its employees and contractors and subcontractors who have access to student data to participate in annual training sessions on IT security policies and best practices. These sessions are conducted virtually and cover the following topics:
    - Introduction to Student Privacy Laws
    - Definition of Personally Identifiable Information (PII)
    - Handling of Student Data
    - Data Security Best Practices
    - Data Retention and Disposal
    - Employee Responsibilities
    - Data Sharing and Third Parties
    - Incident Response and Reporting
    - Training and Awareness
    - Q&A Session
  - In the case of our large cloud service providers, we have reviewed their privacy and security policies and they comply with the requirements of the NDA. Any employee who ceases working at RR is reminded of his or her confidentiality obligations at the time of departure, and network access is terminated at that time. RR has audit logs whenever PII is accessed.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Roads to Success
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 9/07/2023 – 6/26/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Roads to Success is the lead partner at PS/MS 57, the James Weldon Johnson Academy, our only community school located in East Harlem, where we serve 527 students in grades 3K-8. PII is essential for implementing our programs, facilitating targeted interventions through case conferencing, advisement sessions, and data trend observation, ultimately contributing to students' academic success and well-being.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft OneDrive.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The Roads to Success Community School Contract at MS 57 employs a comprehensive approach to protect Personally Identifiable Information (PII) and mitigate data privacy and security risks. While the full details of our safeguards are sensitive and proprietary, we can provide an overview of our measures:
- Administrative Safeguards:
  - The executive team and our IT department are responsible for overseeing and implementing our data protection protocols.
  - Regular training programs are conducted for all personnel who handle PII, ensuring awareness of data privacy laws, security practices, and our internal policies.
  - Access to PII is strictly controlled and limited to authorized personnel on a need-to-know basis, with user roles and permissions carefully defined and monitored.
  - We conduct thorough background checks and reference screenings for all employees and contractors who handle PII.
- Technical Safeguards:
  - PII is stored in secure, encrypted databases with access controls and multi-factor authentication mechanisms in place to prevent unauthorized access.
  - Robust firewalls, intrusion detection systems, and advanced threat detection technologies are deployed to safeguard against external threats.
  - Regular software updates and patch management ensure that security vulnerabilities are promptly addressed.
  - Data transmission is encrypted using industry-standard protocols to prevent interception and unauthorized access.
- Physical Safeguards:
  - Physical access to our data centers and server rooms is restricted to authorized personnel only, with strict access controls, surveillance, and security measures in place.
  - Facilities housing PII are equipped with environmental controls to ensure optimal conditions for data storage.
- Risk Mitigation:
  - We conduct regular risk assessments and vulnerability assessments to identify and address potential security gaps.
  - Incident response plans are developed and regularly tested to ensure swift and effective actions in case of data breaches or security incidents.
  - We maintain strong partnerships with cybersecurity experts and engage in ongoing threat intelligence monitoring.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
RocketLit
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. RocketLit, Inc. offers the Rocketlit and InnerOrbit platforms, which are adaptive educational platforms designed to help students learn various subjects, including science and social studies and assess their understanding and application of their knowledge and skills through assessments. InnerOrbit.com is a website that supports students, teachers, and administrators with Science assessments, activities, reports, and professional learning. RocketLit is an adaptive reading platform that tailors science and/or history assignments to participating students’ reading levels. Teachers can register their students so that they may access the materials.
RocketLit will receive PII for the purposes of allowing students, teachers, and admin to log in to the platform, build or administer assessments and view reports. Students will take assessments, view reports on progress, and receive teacher feedback.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. RocketLit prioritizes the protection and security of its users’ personal information, and maintains a series of safeguards designed to protect against any unauthorized disclosure or access to users’ personal information. All employees are given background checks and privacy/compliance training every 6 months across the organization. All student and teacher data is stored in the Google Cloud Platform. Google Cloud firewalls are fully embedded in the cloud networking fabric. Passwords are hashed one-way using the latest hashing algorithms. Google Cloud SQL Databases store all data which is encrypted during transfer using SHA-256 with RSA Encryption SSL Certificates.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Robo Wunderkind
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Robo Wunderkind is a turnkey solution for children to learn 21st century skills. Our emphasis is on robotics and coding within the subjects of STEAM. Students can build any robot or smart device they can imagine with our kits and program them in 3 different programming languages to progress from simple to complex projects. Our content is project based and aligned with curriculum standards. PII is required to create student accounts, keep each student’s projects, their project assessments, and grading history saved and associated with their accounts to provide feedback to the student, and provide an intuitive platform for teachers to track student progress.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Digital Ocean.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. On the administration side, Robo Wunderkind has company standards in place to have 2FA on all accounts, and role based permissions on all accounts associated with development to ensure no unauthorized access can be given to PII. Digital Ocean’s NY3 server where the PII shall be kept is certified to SOC 2 Type II, SOC 3 Type II and PCI-DSS standards to ensure the digital and physical security of the data kept, and to alert of data risks and breaches. In the event of a data breach it is our policy to alert all of our users of this event so it can be dealt with swiftly and transparently.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Rockalingua
Type of Entity: Commercial Enterprise
Contract / Agreement Start Date: 2/2/2023
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Rockalingua is an educational website for Spanish teachers and students. Through engaging content (videos, songs, interactive games, short stories and more) students will gain proficiency in the Spanish language. We offer two types of teacher subscriptions. The basic teacher subscription includes access to all of our resources and a generic student account so that students can access from their own devices. The Pro account gives teachers access to all of the resources and our learning management system where they can create classes, assign tasks and monitor student work. We have an integration with Google, Clever and Classlink.
Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data).
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and Vercel.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Our platform is NIST SP 800-53 certified, data is encrypted, and we are FERPA and COPPA compliant. Penetration tests are regularly conducted to ensure the security of our system and all personnel are trained annually.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Rosetta Stone
The exclusive purposes for which Protected Information will be used: The exclusive purposes for which “student data” or “teacher or principal data” (as those terms are defined in Education Law Section 2-d and collectively referred to as the “Confidential Data”) will be used by Rosetta Stone, Ltd. (the “Vendor”) are limited to the purposes authorized in the contract between the vendor and the NYC DOE (the “Contract”).
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: The Vendor will ensure that any subcontractors, or other authorized persons or entities to whom the Vendor will disclose the Confidential Data, if any, are contractually required to abide by all applicable data protection and security requirements, including but not limited to those outlined in applicable state and federal laws and regulations (e.g., Family Educational Rights and Privacy Act (“FERPA”); Education Law §2-d; 8 NYCRR Part 121).
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The Contract commences and expires on the dates set forth in the Contract, unless earlier terminated or renewed pursuant to the terms of the Contract. On or before the date the Contract expires, protected data may be exported by the School District in the client facing administrator tool and/or destroyed by the Vendor as directed by the School District.
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Confidential Data provided to Vendor by the School District will be stored in the United States and protected as per the Student Records Data Privacy Policy.
How the data will be encrypted (described in such a manner as to protect data security): The Vendor will apply encryption to the Confidential Data while in motion and at rest at least to the extent required by Education Law Section 2-d and other applicable law.
Rubrik
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Entity will provide data backup and recovery services. Entity will not use any PII for any purpose other than as reasonably necessary for Entity to provide the services procured by NYC DOE. Entity’s data protection platform will offer NYC DOE third-party, secure backup & recovery capabilities for NYC DOE's M365 tenant. Entity will be creating immutable, air-gapped copies of select e-mailboxes, instant messaging platforms, and file sharing and document management systems, or such other types of data sources for which NYC DOE elects to utilize the Entity services. These copies will be kept in Rubrik's secure Azure tenant for retention and fast operational recovery.
Type of PII that the Entity will receive/access: Other: “Type of PII submitted to Processor or Rubrik Service is solely within the discretion of NYC DOE and may include, but not be limited to names, addresses, e-mails, personnel files, student records, and more.”
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Upon expiration or termination of the services, NYC DOE will have thirty (30) days to retrieve any data or information contained within the Entity’s platform, including any PII. After the thirty (30) day grace period, the NYC DOE instance on the Entity’s system, including any PII remaining therein, will be permanently deleted by Entity.”
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: “While it is unlikely this request would come to Entity as a backup and recovery provider, Entity agrees to follow the procedures outlined above, to the extent the person or persons making the request identify that they are affiliated with the NYC DOE account. Entity will work with the requestor to redirect them to the source of their data, using commercially reasonable efforts to notify the NYC DOE if Entity believes the requestor may be associated with NYC DOE.”
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor. “To the extent NYC DOE has licensed an Entity service offering for which NYC DOE is hosted by Entity (as of the Effective Date, these offerings are: Rubrik-hosted M365 and Rubrik Cloud Vault) then the NYC DOE instance will be hosted on Microsoft Azure.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. With respect to data security, Entity uses AES-256 for data at-rest and data in-flight encryption. All critical customer configuration information is encrypted using modern cryptography via CSP Managed Encryption Keys. Sensitive fields in the database are encrypted using an encryption framework built on top of CSP’s Cloud Key Management Service and Cloud IAM. A key management process is in place to facilitate key rotation and revocation. All backup data is encrypted using the AES 256-bit algorithm. All communications with Entity’s UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2+) over public networks.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Saga Innovations (Saga Education)
The exclusive purposes for which Protected Information will be used: Protected Information will be exclusively used for the educational purposes intended within the contracted services, to enable and enhance the tutoring experience of the participating NYC DOE students.
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: All subcontractors and other authorized persons will be subject to data protection and security policies and agreements that encompass, at a minimum, the requirements under the non-disclosure agreement with the NYC DOE.
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The Protected Information will be destroyed, or to the extent requested by NYC DOE and possible, returned to NYC DOE.
[NYC DOE comment: The current agreement became effective starting on April 15, 2020 and terminates when all NYC DOE schools and/or offices cease using Saga Education’s products/services. The terms of the agreement remain effective through the period during which Saga Education possesses or otherwise is in control of covered protected information.]
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information will be stored in the US. Data storage, cloud servers and services are located in state-of-the-art Amazon Web Service (AWS) data centers, or comparable cloud-service provider data centers with many years of experience in designing, constructing, and operating large-scale data centers.
Our operations team is trained and experienced with respect to state-of-the-art security mechanisms and policies for cloud-based services. We employ engineers and managers who have worked in other domains with critical security and availability concerns including military systems, satellite communications systems, and the website operations of large multinational companies.
We routinely audit our systems for security vulnerabilities, proactively monitor security-related websites and other outlets for information on new vulnerabilities and best practices, and make system updates as needed.
AWS data centers (and all of our production servers and services) are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. When a storage device has reached the end of its useful life, data center procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals.
Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network used by our systems. We use a wide variety of automated monitoring systems to provide a high level of service performance and availability. These monitoring systems are designed to detect unusual or unauthorized activities and conditions at ingress and egress communication points. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts. Our systems are extensively instrumented to monitor key operational metrics. Alarms are configured to automatically notify operations and management personnel when early-warning thresholds are crossed on these metrics. AWS security monitoring tools help identify several types of denial of service attacks, including distributed, flooding, and software/logic attacks. Woot Math and AWS have additional protections in place against common attack vectors including Distributed Denial Of Service Attacks, Man in the Middle Attacks, IP Spoofing, Port Scanning, Packet Sniffing, Injection Attacks, and Cross-Site Scripting Attacks.
Our systems are architected for high availability; their core systems are deployed in N+1 and N-to-N redundancy configurations; and the system is protected against single points of failure. Servers are maintained across multiple availability zones. The availability zones are all redundantly connected to multiple tier-1 Internet providers. In addition to discrete uninterruptible power supply and onsite backup generation facilities, each is fed via different grids from independent electrical utilities. Because of this architecture, our services are resilient in the face of most failure modes, including natural disasters or system failures.
We have, in addition, a comprehensive disaster recovery strategy. We have push-button automation to stand up and tear down our entire production server and service environment, and we can quickly and easily build out our infrastructure as needed in new geographical regions. We routinely test our disaster recovery capabilities by standing up a new server in a new data center and restoring all data from backup. Nightly backups of all customer data are securely stored in multiple geographic regions within the US.
Changes to Woot Math systems are typically pushed into production in a phased deployment sequence, with careful monitoring and testing throughout the phases. Rollback procedures for production deployments are automated and documented.
How the data will be encrypted (described in such a manner as to protect data security): Protected Information in electronic form will be encrypted both in transit and when at rest in databases or similar electronic storage environments. All user data and communicated website data is sent over secure HTTPS and SSL protocols that are designed to protect against eavesdropping, tampering, and message forgery. Password credentials are securely encrypted using cryptographic hashes and protected with variable cryptographic salts. Non-reversible hashes of more sensitive information (email addresses, phone numbers) are used in place of the actual data within our systems to the greatest extent possible.
Sam Labs
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SAM Labs software app “SAM Studio” is an educational coding platform for kindergarten - 8th grade students to learn the basic foundations of coding, allowing students to pair with hardware blocks to bring the code to life. Our lessons range across different focus areas of STEAM and Computer Science, and can be used in specialist courses like STEM Specials, Computer Science Class, general education environments, and Makerspaces.
We are a subscription service. In order for students and teachers to access the platform, we only require an email address. Teachers are currently rostered by our Customer Success team once the subscription date is set. This includes the teacher name and email aligned to the school NCES ID. The teacher’s name can be any chosen username that will appear in their account profile. This does not need to be the teacher’s real name; it can be a chosen username or nickname if desired. Once rostered, then teachers and admin will have instant access.
Teachers can manually create classes and upload student rosters on their own. When rostering, the only PII required from students is a working email. SAM Labs will never send email to these student accounts; this is only to create a unique identifier for the student being rostered. The student’s name can be any chosen username that will appear in their account profile. This does not need to be the student’s real name; it can be a chosen username or nickname if desired as the teacher uploads the roster. Once the .csv is uploaded, the student can access the account with the same email address.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. SAM Labs is like a superhero for your data! We understand that your information is precious, and we have a number of ways to keep it safe, just like a superhero protecting the city.
- Magic Shields (Encryption): We use a sort of magic shield called ‘encryption’ that scrambles your data into a secret code while it’s being sent or stored. Only the right ‘key’ can unscramble it, so it’s safe from bad guys trying to peek!
- Secret Passcodes (Access Controls & Authentication): Just like a secret superhero base, only people who really need to see your information can access it, and they need special passcodes. We also double-check everyone’s identity before letting them in!
- Super-Secure Fortresses (Physical Security Measures): We team up with Amazon Web Services (AWS), who provide us with super-secure fortresses (data centers) around the world to store your information. These fortresses have top-notch security like fences, guards, cameras, and even environmental controls to protect against things like fire.
- Time Capsules (Data Backup and Retention): We regularly put copies of your data in a digital ‘time capsule’, just in case we need to go back in time and restore any lost information.
- Security Check-ups (Regular Security Assessments): Like regular health check-ups, our security experts regularly inspect our safety measures to ensure they’re still super strong. At SAM Labs, your data’s safety is our mission. If you have any questions about how we keep your information safe or want to report any issues, feel free to contact us at privacy@samlabs.com. We’re here to help!
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Samuel Field YM & YWHA
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Samuel Field YM & YWHA has worked to identify key PII, as defined in 34 CFR § 99.3, that it must receive to provide contracted services to youth and families. Services provided will include counseling and interventions with key personnel including social workers, to develop and implement afterschool activities, special community events, family engagement and referral to community resources and linkages. The collection of key PII will allow for us to appropriately record and track enrollment, attendance data and facilitate counseling. Where appropriate, PII data collection will be collected through the program’s informed consent application, which includes parent consent to disclose student and family names; addresses; and student information including DOB, race/ethnicity, gender, disability status, English Language Learners status. The collection of this key PII will allow for the program to efficiently report on key cohort characteristics and to make certain that recruitment and service delivery effectively target/address the populations targeted for this proposal submission. The purpose of the collection of student and family names will be used to ensure record attendance and safe sign-outs of the program daily. This data is essential to ensure that our program provides a safe and secure environment for all students that we serve. Key staff will utilize this data to make sure that students are appropriately accounted for at all times while scheduled to be in programming. It is imperative that attendance data is collected as it directly informs the culmination of key program outcomes, including the number of students that participate in services for the target hours of service as well as attendance performance indicators for specific categories.
Due to the nature of the service, it is possible that counseling notes will include PII as defined as “Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.” These notes are necessary to ensure continued, effective mental health support for those receiving the services.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Exponent Partners/Salesforce.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- A child’s PII will be collected and disclosed only as necessary to achieve educational purposes in accordance with state and federal law.
- A centralized staff person is responsible for supervision and monitoring appropriate safeguards, policies, and practices in place to protect the data.
- Staff will participate in mandatory 2-part training about applicable laws, policies, and safeguards associated with industry standards and best practices; consistent with NYC DOE’s data security and privacy policy.
- Encryption, firewalls and password protection will be mandatory for all emails and cloud usage to electronically transmit sensitive PII information.
- Samuel Field YM & YWHA, Inc. will not maintain copies of participant’s PII once PII is no longer needed for the educational purpose/ for which the DOE has disclosed PII.
Samuel Field YM&YWHA Inc. invested in a highly secure system, Exponent Partners. Exponent Partners is a system that requires unique usernames and passwords that must be changed frequently for protection. Access to programs and permission settings will be determined by staff and administrative usage; staff will only receive access to PII as needed to perform their job responsibilities. All data is naturally encrypted while being stored in a user access system via secure HTTPS connection. In addition, there is regular security code scanning to assess if there are any susceptibilities in the system.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Sapling Intelligence
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 7/1/2024 – 6/30/2024.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Sapling Intelligence, Inc. offers an AI writing assistant that integrates with popular applications (such as Google Workspace and Microsoft office) in order to provide writing recommendations. Recommendations include grammar/spelling corrections as well as stylistic recommendations. Sapling receives names and emails of users for account provisioning. Text typed in editable fields in applications where Sapling is integrated is also processed by Sapling in order to provide writing suggestions.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- Virtual Private Cloud (VPC) with default deny settings
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- Multi-factor authentication in order to access cloud services
- Continuous monitoring that Sapling follows industry best practices
- External pen testing (annual)
- SOC 2 Type II compliance
- Options for managing where Sapling is available
- Role-based access controls and SSO for end users
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Savvas Learning Company
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 7/1/2022 – 6/30/2029
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Savvas provides K-12 instructional materials and related services to the DOE, some of which require PII such as student and teacher names in order to facilitate instruction and to track students’ performance.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Savvas will store PII on servers in a secured facility in the United States operated by a world-class hosting provider. Savvas will maintain an information security program of policies, procedures and controls governing the processing, storage, transmission and security of data (the “Security Program”). The Security Program includes industry-standard practices designed to protect data from accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access. Savvas regularly tests, assesses and evaluates the effectiveness of the Security Program and may periodically update the Security Program to address new and evolving security threats, technology and practices. No such update will materially reduce the commitments, protections and overall level of security provided to customers.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
SCAN-Harbor
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/1/2021 – 6/30/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SCAN-Harbor provides services under the Community Schools strategy demonstrating that an integrated focus on academics, health and mental health services, social services, expanded learning opportunities (afterschool and summer enrichment activities), positive youth development, and family and community partnership, is critical to improving student achievement and bolstering equitable outcomes for all students, including vulnerable populations.
PII is being accessed to assess need and to track service outcomes. Data is used to identify students with low and chronic attendance, to provide food, clothes and toiletries to those students that live in temporary housing and services to the students in need of mental health counseling.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft 365 OneDrive.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Some physical files used are maintained by SCAN-Harbor, and others are owned by the New York City Department of Education. Physical files managed by SCAN-Harbor are housed in a locked file cabinet in the Program Office. Digital data is stored electronically via a secured cloud-based program whose encryption at rest and in communication uses Advanced Encryption Standard (AES) with 256-bit keys and is Federal Information Processing Standard (FIPS) 140-2 compliant. This policy only applies to those in SCAN-Harbor's exclusive possession. At the end of the retention period determined by the contract or upon request, SCAN-Harbor will return and securely delete or destroy PII. All information will be returned to the NYC DOE after the agreed retention period, or at such point that the data is no longer needed for the purpose referenced in this agreement, or, at the sole discretion of DOE, securely destroyed. All electronic data is purged from the network in a manner that does not permit retrieval of the data following these procedures.
Secure Deletion: Electronic data is securely erased using industry-standard data destruction methods. This may involve overwriting data multiple times or using specialized software to ensure data cannot be recovered.
Deletion Timeline: Once a file in OneDrive has been marked for deletion, it is placed in a recycling bin as a means of recovery for accidental deletion. After 30 days the file is securely deleted and cannot be recovered even by IT administrators.
All paper files will be shredded using SCAN-Harbor's secure data shredding system.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Scholastic Inc (for digital curriculum)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.
- BookFlix: Pairs animated stories from Weston Woods with best-selling nonfiction ebooks from Scholastic to build real-world knowledge and early literacy skills.
- FreedomFlix: Offers a range of text types and media on more than 70 key social studies topics spanning ten areas of core-curriculum study.
- LitCamp Powered by Literacy Pro: Combines reading and writing lessons (K-8) with a fully digital summer school approach to accelerate learning. Children are immersed in personalized learning experiences while building their social-emotional skills, knowledge and vocabulary necessary for reading comprehension success.
- PreK On My Way: A new comprehensive program that welcomes every child into the classroom, celebrating their strengths as they take the next step on their learning adventure!
- Rising Voices Libraries: Provide students with high interest, culturally relevant texts that give context to today’s world while celebrating the stories of the historically underrepresented. These books, paired with innovative teaching materials aligned to the CASEL framework, build a classroom community that broadens the world for students from all backgrounds and enables deep discussions on inclusivity, social justice, and empathy for others. Each Rising Voices collection includes a digital resource website featuring mentor videos, continued-learning resources, discussion guides, standard correlations, and more to help teachers implement the program.
- Scholastic F.I.R.S.T.: Foundations In Reading, Sounds & Text, is a highly adaptive, foundational reading program for Grades PreK–2. Through explicit phonemic awareness training and systematic phonics instruction, F.I.R.S.T.’s research-based pedagogy trains the brain to master “speed of listening.” Students become automatic in their decoding skills, preparing them to read fluently and increase their reading comprehension.
- Scholastic GO!: Offers credible, accurate, reliable content on every core-curriculum topic in a clean, easy to navigate interface.
- Scholastic Literacy: A unique blended learning approach to standards informed comprehensive literacy instruction with a focus on balancing the rigor and flexibility that educators need to meet today’s high expectations. With unparalleled access to authentic and culturally relevant texts in every area of the literacy block, Scholastic Literacy is designed to engage readers, support social-emotional development, and help students become lifelong independent thinkers, readers, and writers.
- Scholastic Literacy Pro: A blended solution for Grades K–8 that empowers teachers to ensure effective reading for all students—in and out of school. It provides students with a single resource to read ebooks and track reading progress on both print and digital titles, while giving teachers real-time, actionable data about reading levels, activities, and comprehension.
- Scholastic Magazines+: A blended, subscription-based solution that ignites student engagement through relevant, high-interest stories and powerful digital teaching tools. Magazines in print and digital are available for grades PreK-12.
- Scholastic RISE: A short-term intervention that provides targeted, small-group instruction in reading comprehension, word study and phonics, and guided writing. Based on Jan Richardson’s The Next Step Forward in Guided Reading, the RISE framework offers daily instruction for students who are reading six to 36 months below grade-level benchmarks. With RISE Online, instructors can assign students texts, monitor student progress, and access videos and other resources to easily facilitate remote instruction. Students can access assigned texts for extra reading practice on any device.
- Scholastic W.O.R.D.: Supercharges vocabulary acquisition and strengthens reading comprehension in a new and engaging way. With a thematic approach, W.O.R.D. prepares students to think critically and creatively about the world around them. By providing deep background knowledge, W.O.R.D. presents vocabulary as a tool for building meaning across all areas of learning—reinforcing students’ retention of skills learned throughout the school year.
- ScienceFlix: Integrates age-appropriate scientific content, interactive features and intuitive navigation to build knowledge and a lasting interest in scientific discovery.
- Short Reads Digital: Engages classrooms with access to fiction and nonfiction short texts at every guided reading level, and extends learning with teacher materials to accompany each text.
- The Scholastic Leveled Bookroom 5.0: A whole-school (K-6), small-group instructional system with over 6,000 books, 780 short reads, 24/7 access to instructional resources with the digital Accelerator, and professional books and services.
- TrueFlix: Provides thousands of resources to strengthen both educator instruction and student learning of science and social studies content-area knowledge.
- Watch & Learn Library: Builds learning excitement while providing the background knowledge and vocabulary necessary for reading comprehension success.
- LitLeague: LitLeague is an exciting new program that provides a joyous and interactive literacy experience for students in an engaging social-emotional literacy learning environment where children participate in book-related activities including read-alouds, group discussions, independent reading, writing activities, games, and songs. Tailored for expanded-learning times, after-school, extended day, English language learners, and more.
- Next Step Guided Reading: The Next Step Guided Reading Assessment uses the proven Assess-Decide-Guide teaching system to determine students’ reading levels and target instructional next steps. From the key text features in the assessment texts to the evidence-based comprehension questions, the Next Step Guided Reading Assessment provides teachers with a way to assess students and teach them the skills to meet higher standards.
- Scholastic Edge: Using engaging, authentic text, EDGE connects striving readers to relevant and essential content needed for future academic success.
- Scholastic REAL: REAL (Read, Excel, Achieve, Lead) is a new program devoted to giving school districts the tools needed to recruit, encourage, and equip mentors to inspire students and build literacy skills.
Scholastic collects PII to provide students and teachers with access to its digital education technology products to support the BOE’s educational goals, to benefit its students, and to support product users. More specifically, PII is used, subject to applicable law and any contractual requirements:
- To support instruction and adaptive, personalized learning
  - By enabling administrators and educators to tailor and optimize use of the products to the needs of a particular school, classroom or student
  - By permitting educators to review student work and monitor student performance and progress, to facilitate lesson planning
  - By providing reporting capabilities at the district, school or class level (depending on the product), including in some cases cross-product performance data
  - By enabling students to access information shared by their teachers (assignments, content), track their progress, maintain files of their work, create book collections and play educational games
  - By suggesting other content or activities to students (but not for purchase or in the form of advertising)
- To authenticate users, maintain user sessions and facilitate return access
- To communicate with Scholastic’s education customers (teachers/BOE personnel only, not students)
- To ensure products run properly and support optimal user experience
- To diagnose problems, troubleshoot issues, and provide maintenance and support
- To detect and investigate unlawful activity and protect the security of Scholastic’s products, systems and customers
- To calculate royalties
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the Entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law. The Entity also states that “In some circumstances, with permission of the education customer, student PII may be retained to facilitate rostering in a subsequent period and/or resumption of product use. Teacher/BOE staff PII may be retained as part of the parties’ business relationship and/or in connection with separate accounts such persons may have with Scholastic. Note, data deletion/destruction may take the form of permanent, irreversible overwriting or de-identification to the extent permitted by law.”
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. These safeguards include standards that align with the NIST cybersecurity framework. Protected data is encrypted in motion (currently with TLS 1.2 encryption) and at rest (currently with 128-bit AES encryption). Processor conducts periodic risk assessments and keeps audit trails and security logs to assess and remediate vulnerabilities and to protect data from deterioration or degradation. Additional measures include firewalls, anti-virus and intrusion detection, configuration control and automated backups. Data is classified by sensitivity, and access to data is rule- and role-based.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
School Data Corp
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. School Data Corp. helps schools see how well students are performing over the course of the school year. We track how well they are reading, writing, or performing on the tests they take. We put this information in a teacher‐friendly format so teachers and principals can see which students are doing well, and which students need additional help or support. I need PII so that I can identify individual students by their ID number to generate reports and assign them to their subgroups.
Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data).
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. “School Data Corp. uses Dropbox, but the information within Dropbox is encrypted and cannot be accessed or read by anyone at Dropbox. There is no sharing of unencrypted PII.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the Entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Dropbox.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All emails are encrypted. All data stored is encrypted. Our network is protected by a firewall. No paper records are maintained.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
School Specialty, LLC (for Coach Digital and Catch Up with Coach)
The exclusive purposes for which Protected Information will be used: Coach Digital Platform allows students to access tests and workbook pages online for instruction, practice, or assessments. Teachers will assign content to students and use this data for progress monitoring, assessment reporting, and targeting educational gaps.
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: School Specialty maintains the necessary administrative and technical requirements to safeguard the security and privacy. Our teams work on company devices or virtual desktop environments within a secure VPN and two-factor authentication. Only Platform Developers and Support Admin roles can access PII to support customers. School Specialty staff participate in an annual code of ethics certification for protecting company information and data. All data on the platform is either protected via SSH or SSL connections for intraplatform communication and via HTTPS for web communication. School Specialty staff must sign Non-Disclosure Agreements, pass a background check, and participate in a companywide Security Awareness certification annually. All contractors must adhere to company Master Service Agreements and SOWs.
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: [DOE comment: School Specialty’s agreement with the DOE is dated March 8, 2021]. Data is encrypted and deleted at the request of school or school district.
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: School Specialty, LLC will use Clever Rostering for student and teacher data. Data in Clever is shared at the discretion of NYC DOE. Data shared from NYC DOE SIS. School Specialty, LLC will work with the NYC DOE in processing challenges to the accuracy of student data.
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): The Coach Digital Platform is hosted on a domestic Amazon Web Service Environment. The Amazon VPC Environment has Enterprise Level Support and 24/7 Managed Services for Security VPC, VPN, Firewall, and endpoint Management.
How the data will be encrypted (described in such a manner as to protect data security): The data in motion is encrypted with TLS 1.2. The Coach Digital Platform collects minimal data and will utilize Clever Secure Sync and SSO [Single Sign On]:
- Teachers and Administrators: First and Last Name and Clever ID
- Students: First and Last Name, and Clever ID.
The Coach Digital Platform utilizes AWS SSL and the VPC ELBs have Security Groups with least privileges enabled. Connectria LLC is in the process of finalizing a proposal to be fully compliant with this requirement.
School Specialty (for ThinkLink)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 10/5/2023 – 10/4/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ThinkLink is an online learning management system that students use to access content specific to their learning. PII is used to track student performance.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Administratively, we have robust policies and procedures that are overseen by a team of security professionals, ensuring stringent management and monitoring of access to PII.
Technologically, we utilize state-of-the-art encryption methods and firewalls. We also employ physical measures to secure our premises and data centers, ensuring that only authorized personnel have access.
Additionally, we employ proactive strategies such as intrusion detection systems and vulnerability scans to identify and address potential security risks before they escalate.
Periodic reviews and audits are conducted to ensure that our security measures meet or exceed industry standards and regulatory requirements.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Schoolbinder (also called TeachBoost)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 10/1/2022 – 9/30/2029
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. TeachBoost is a performance management and educator development platform for K-12 schools. We work with NYCDOE schools and organizations to help them completely manage the evaluation, feedback, coaching, and development process for their staff, educators, and other support personnel. TeachBoost also works alongside the NYCDOE’s ADVANCE reporting system, handling the compliance requirements for DOE administrators.
We request, store, and process DOE employee PII for the sole purpose of providing these performance management and operational services. For instance, we request and store staff rosters and employee names and email addresses for employee user accounts, and we request, store, and process employee evaluation ratings as entered by DOE staff and administrators.
Type of PII that the Entity will receive/access: APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data).
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Amazon AWS and Linode.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We protect PII in a number of ways, summarized on our Data Security commitment at https://teachboost.com/terms/data-security.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
SchoolCNXT
The exclusive purposes for which Protected Information will be used: All PISI will be used to provide the SchoolCNXT family engagement services.
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: SchoolCNXT agrees that all subcontractors will be bound to and comply with the requirements set forth herein.
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: SchoolCNXT will house and maintain the data until the NYC DoE requests in writing that the data be destroyed. Insofar as there may be temporary lapses in the agreement from year to year, SchoolCNXT will abide by the most recent agreement in letter and spirit until a new one is executed.
[NYC DOE comment: The current agreement became effective starting on September 23, 2019 and terminates when all NYC DOE schools and/or offices cease using SchoolCNXT, Inc.’s products/services. The terms of the agreement remain effective through the period during which SchoolCNXT, Inc. possesses or otherwise is in control of covered protected information.]
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All NYC DoE data is stored in the United States.
How the data will be encrypted (described in such a manner as to protect data security): All data is encrypted both in transit via SSL and at rest at the database and disk levels utilizing encryption services provided by AWS.
SchoolMint (also called SchoolRunner)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Schoolrunner is a comprehensive data management system that simplifies day-to-day operations with straightforward, powerful and actionable data. Schoolrunner makes it easy to track attendance, student behavior, grades, and more. School administrators can easily see where students or teachers are struggling and can provide the support they need. Parents can see how their kids are doing via a real-time feed in the mobile app and can even get notifications when attendance or grades drop below certain thresholds.
The system allows for greater ease of use than current systems and also offers more flexibility so that schools can use data to achieve their goals. For example, some schools want to move to a mastery-based grading system which Schoolrunner supports. Schoolrunner also offers parents communication with built-in automated language translation to any of over 100 languages.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Users and employees are permissioned to access the information they need based on their role in the system while restricting them from accessing information not needed for their role. Data and backups are encrypted in transit and at rest. Access to key infrastructure services is limited to a small number of engineering leaders and is protected by multi-factor authentication. Monitoring, logging, and alerting systems provide additional layers of security.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Schools That Can
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 9/1/2023 – 8/31/2028.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. STC teaches a proprietary Career Readiness curriculum in high schools to help prepare students for their future. We administer exit tickets at the end of each career readiness lesson that we deliver to NYC public high schools. These exit tickets are no more than 5 questions and they seek to identify student engagement in the lesson so we can evaluate our content and report back to the school about our progress. To realize this result we need access to limited student information that consists of: Student Name, Teacher Name, Student School Email Address, Teacher contact information. Similarly we administer pre- and post-studies at the beginning of the course and at the end to assess learning.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google and SurveyMonkey.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Administratively, the Entity will continue to implement data privacy policies and procedures for employees and regularly monitor who has access to PII. Furthermore, employees and contractors will continue to take regular training. The organization will review its incident response plan on a quarterly basis and identify any new organization threats as part of its quarterly security review. Technically, the organization employs industry standard encryption methodology and access authentication (MFA). Software systems are regularly updated to protect against the latest threats. For physical safeguards, the organization uses secure facilities for all data storage and uses access control via physical key access. Employee devices are secured in safe locations and all building locations have environmental controls. Data and any physical disposal is completed with shredding when not needed.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
SchoolStatus
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.
- ClassTag and SchoolStatus Connect, a communication platform powered by holistic student data to drive meaningful engagement with families when it matters most
- TeachBoost / SchoolStatus Boost, and TeachBoost Coach / SchoolStatus Coach, a teacher evaluation and coaching tool for educator effectiveness and compliance
- School Innovations and Achievement (SI&A) and SchoolStatus Attend, an attendance management platform for truancy prevention
- SchoolNow, a website design, content management, and hosting solution.
- Smore, a tool to develop newsletters with enhanced aesthetics and readability
- Operoo and SchoolStatus Forms and Flows, allows schools to achieve operational efficiency and reduce spending by automating workflows for all paper-based forms including onboarding packets, extracurricular activities and parent communications.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- Data Centers - SchoolStatus is hosted at Amazon data centers, running on Amazon Web Service (AWS). These data centers provide physical security around the clock, state of the art fire suppression, redundant utilities, Internet connections. AWS is also NIST compliant among other certifications. See: https://aws.amazon.com/compliance
- Network Security - Your data is protected between you and our systems. We use encryption with respect to traffic between you and our servers. Sensitive data is stored encrypted on our servers as well (encryption at rest) for an additional layer of security.
- System Security - We update our systems periodically. For example, our virtual systems are replaced on a regular basis to reduce the window of a potential compromise.
- Restricted Access - Our policy is that only people who reasonably need access, get access. Where access is within our control (i.e., with respect to our staff), access to systems that hold and process sensitive data is limited to our reasonably necessary staff. Please note that we generally do not control how schools or their staff may access or use data; you should contact them to understand their data privacy and security practices. We log access.
- Penetration Testing - We double check our work with an external group that looks for mistakes that put your data at risk. When they identify issues, we quickly remediate them and retest.
- Reliability - We use scalable cloud technology to maintain a high level of uptime. If an individual data center fails, our systems keep going.
- Data Backup - We back up and test our backups on a regular basis. If something goes very wrong, we can bring back our systems in a short period of time.
Of course, please note that no system can guarantee 100% security or eliminate the risk of any vulnerability or compromise.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
SCO Family of Services (Learning to Work)
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/1/2023 – 6/30/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SCO’s LTW program is designed to complement the academic component of each transfer high school. The program aims to provide support to over-aged and under-credited students, helping them complete their academic requirements to earn a high school diploma. Our LTW program assists students in acquiring the tools and competencies needed to succeed in their pursuit of postsecondary education, training, and career development. PII is essential for coordinating educational efforts, offering internship opportunities, and monitoring attendance and academic progress.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. SCO has implemented the following safeguards to protect the security of PII:
- Administrative Safeguards:
  - A designated Security Officer and Privacy Officer responsible for the development and implementation of privacy and security policies and procedures that outline how PII is collected, used, stored, and shared.
  - Access to PII is limited to authorized individuals on a need-to-know basis and only as permitted under the law.
  - All SCO employees and contractors who access PII receive training on SCO’s policies and procedures and Federal and State laws governing privacy and security of PII.
- Physical Safeguards:
  - Established rules for authorizing and restricting access to SCO’s computers, network, applications, workstations, mobile devices, and areas where PII is accessible.
  - Policies and procedures to ensure that PII stored or transported on storage devices and removable media is appropriately controlled and managed.
  - SCO requires the use of keycards to access locations where data is stored.
- Technical Safeguards:
  - SCO utilizes internal and external systems that are inaccessible by unauthorized individuals, including assigned User ID and passwords, firewalls, anti-virus protection and multi-factor authentication.
SCO uses encryption of data in transit and storage and access controls, and implements regular and encrypted backups.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Scoir
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 3/1/2022 – 2/28/2023
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Scoir provides a software-as-a-service platform intended to guide high school students in their post-secondary pursuits (the “Services”). The Services enable students to search for and learn about collegiate, scholarship, and career opportunities; to engage with high school counselors and college admissions representatives during the college selection and admissions process; to solicit from high school faculty and administrators the creation and delivery of application-related documents; and to create, manage, and submit their applications for admission to institutions of higher education. The Services include a college guidance management system that enables high schools and their affiliated organizations to monitor and assist students in their post-secondary planning; to engage and collaborate with students, parents and guardians, and college admissions representatives; to manage the creation and delivery of application-related documents to colleges; and to collect, analyze, and report on student engagement, academic achievements, and application outcomes.
Type of PII that the Entity will receive/access: Student PII, and at the discretion of BOE, Processor may also receive/access:
- Names, title, and email addresses of school teachers and/or administrators; and
- Names, addresses, and email addresses of parents and guardians.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Scoir maintains an Information Security program to ensure that we are continuously monitoring and mitigating risk as a company. As part of that Scoir maintains several layers of security around the information we store and process. Scoir will provide security and privacy training for our employees to teach the importance of securing PII. Scoir follows the principle of least privilege for access to our data and systems, and this access is reviewed at least annually. Scoir uses several layers of technical controls such as industry standard encryption, system monitoring, code reviews, automated testing, etc. to protect our data, systems, networks, and other infrastructure. As part of our Information Security program Scoir will reassess risks to all of our systems at least annually and enhance controls as necessary.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Screencastify
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 7/1/2023 – 6/30/2024.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Screencastify provides video recording, editing and sharing software tools and services designed for use in classroom educational settings. Students may be directed by their teachers to create and submit video and audio recordings as part of classroom assignments. PII is required to identify students to their submitted video and audio recordings in connection with the services.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud data centers located in the United States that maintain their own rigorous industry standard certifications and compliance offerings.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Screencastify has designated a privacy officer responsible for information security governance and maintains privacy policies and practices that support compliance with the Family Educational Rights and Privacy Act (“FERPA”), the Children's Online Privacy Protection Act (“COPPA”) and other applicable laws. Screencastify provides regular privacy and security awareness training, including training on applicable laws that govern the handling of PII, to its employees who will have access to PII. Screencastify limits internal access to education records and PII to those individuals that are determined to have legitimate educational interests within the meaning of §2-d and FERPA. Screencastify uses encryption technology and other suitable means to protect the PII in Screencastify’s custody, whether in motion or at rest, from unauthorized disclosure using a technology or methodology specified by the secretary of the U.S. Department of Health and Human Services in guidance issued under P.L. 111-5, Section 13402(H)(2), or any other technology or methodology specifically authorized by applicable statute, regulation or the New York State Education Department.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Securly
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 7/1/2024 – 6/30/2025
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Securly receives, accesses, and uses PII exclusively for the purpose of providing Securly’s Classroom solution to schools/school districts. Securly Classroom is a classroom management tool enabling teachers to understand student activities online, for in-school classes, remote learning, or a hybrid combination of the two. Securly Classroom gives teachers:
- A thumbnail view of all screens in the class, including open tabs, so they know that their students are engaged in classwork;
- The ability to send class-wide announcements, start chats with individual students, or recognize students with raised hands/seeking assistance;
- Seamlessly push lesson content directly to student screens, ensuring students make the most out of valuable class time;
- The ability to check the browsing history of their students that occurred during class, while administrators can view all the history of all students;
- The option to receive a summary email for each class listing participating students, most accessed sites, and other info.
Classroom can be deployed in any K-12 classroom where school-provided and/or student owned devices are used for teaching purposes.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and/or ElasticSearch Clouds.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Securly's mission is to foster safe and focused learning environments through technology, while keeping students healthy and engaged. In pursuit of this mission, we support our school customers in building cultures of trust and safety by maintaining a comprehensive written information security program built on enterprise-level data security and privacy practices aligned with NIST Standard 800-53. For example:
- We encrypt all student data in transit and at rest, and our student safety and wellness solutions have attained compliance with SOC 2 information security standards.
- Securly provides training to those with access to protected information on federal and state laws governing confidentiality of student/teacher/school data at onboarding and annually thereafter. Training covers confidentiality obligations, information security, compliance, and data protection, including the requirements of relevant laws and regulations, as well as Securly’s information security policies and expectations.
- Securly limits access to student, teacher, and district data to employees or authorized service providers who: (1) are contractually bound to protect such data from unauthorized access, use, or disclosure; (2) receive training on relevant data protection laws and regulations; and (3) adhere to a written information security program reflecting industry best practices for data security aligned with NIST Standard 800-53.
- Physical access to information assets and company workspaces is restricted through the use of key cards, key codes and/or physical keys. Physical access to sensitive information assets (i.e., servers, distributable media, paper documents) is restricted to authorized individuals.
- Securly has adopted a SOC2 compliant information security incident response policy and plan, that addresses: incident preparation and prevention, detection and analysis, incident notification, containment, eradication, recovery, and post-incident review. The incident response plan is exercised on a regular basis, at least annually. In the event of a breach or suspected breach of any privacy or security measures described herein that has become known to Securly, Securly will immediately notify affected Customers.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Seesaw Learning
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.
- General Description: Seesaw is the most intuitive, robust and easy to use cloud-based K-5 digital portfolio in the education space. Seesaw Lessons are Standards-Aligned, Ready-to-Teach & Flexible supplementary curriculum resources that are designed for PK-5th grade classrooms. Lessons adapt to whole class, centers, and independent learning in any setting.
- Account Information: When teachers, parents, family members, or school administrators create an account on Seesaw we collect their name, email address, password, and profile picture. Seesaw may also collect an adult user phone number if it is entered into their Account Settings. Teachers using Seesaw to communicate with Families may add a family member’s email or phone number to Seesaw in order to send messages or updates about school work to the appropriate parent or family member. Students cannot create an account by themselves, but must be invited to a Seesaw class by a teacher or school administrator. Where students have permission to use Seesaw, Seesaw collects personally identifiable information about them including their names, email addresses, and profile picture. This information may be entered by a teacher or the student or populated from the student’s account with a third party sign-in service, such as their Google account.
- Journal Content: Seesaw collects content that is added to a class or student journal. This content may be photos, drawings, files, notes, hyperlinks, and other ways of documenting student learning. Seesaw regularly adds types of information that can be uploaded to a Journal, and these are all covered by this Policy. Comments on posts in a class journal are also collected. These comments may be text, or if Seesaw is allowed to access the microphone on the device, voice recordings. Journal Content that is uploaded by a student or teacher may be considered a student education record as defined by FERPA.
- Messages: Seesaw collects messages that are sent and received in Seesaw by teachers, family members, and students.
- Activities: Teachers may use Seesaw to create activities to use with their students. Activities may include text or voice instructions for how to complete the activity, an example of a correct response or a template for students to edit.
- Activity Author Profiles: Teachers who choose to publish activities to the Community Activity Library or the Activity Library managed by their school or district can also create an Activity Author Profile. This includes the name and profile picture they choose to publish on their Author Profile, as well as their school name and location.
- Communications: Seesaw collects any information sent to us directly, such as email communications.
- Information from a user's Google Account or other Third-Party Sign-in Service: Seesaw allows teachers, parents, family members, and students (after being invited by a teacher) to sign up for and log into our service using a Google or Clever Account. Teachers can also create student accounts on behalf of students in their class. When Seesaw creates an account using one of these Third-Party Services, we use the name, profile picture, and email address (if available) provided by these services.
- Log Data: When using Seesaw, log data is received such as IP address, browser type, operating system, device information, and mobile carrier. In addition, information such as the referring web page, referring search terms, and pages visited may be received or collected. If Seesaw is being used by a teacher, parent, or administrator, Seesaw may use that IP address to determine the approximate location for the purposes of sending customized marketing and other information about our products.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Seesaw routinely conducts 3rd party security audits to verify the security and integrity of our systems and internal controls. Data is stored in access-controlled data centers operated by industry leading partners with years of experience in large-scale data centers with 24/7 monitoring. We routinely monitor our systems for security breaches and attempts at inappropriate access. Journal content (e.g. photos, video, audio, and other content added to a Seesaw journal) is encrypted in transit and at rest. Seesaw uses TLS 1.3 security at the network level to ensure account information and journal content is transmitted securely. We have also adopted an internal data access policy that restricts access to personally identifiable information to a limited number of employees with a specific business need (such as for technical support). Data is also accessible to our sub-processors, who are required to sign a Data Processing Agreement that limits their ability to access and use data.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Shutterfly Lifetouch
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 7/1/2022 – 6/30/2023
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Shutterfly Lifetouch, LLC ("Lifetouch" or "Entity") is a trusted provider of school photography services throughout North America since 1936. In preparation for Picture Day, Lifetouch collects certain roster data from the school or district, to be used solely as follows:
- To produce and deliver to schools the products and services as described in the Photography Services Agreement (the "School Deliverables");
- To deliver Picture Day notices on behalf of the school and provide parents of students photographed opportunities to purchase student and class pictures and yearbooks;
- To verify parent authorization to order student photographs; and
- As otherwise specified by the Agreement.
For the avoidance of doubt, this Agreement does not apply to (a) information collected from customers who opt to purchase products directly from Lifetouch and/or establish a Lifetouch family account; or (b) Lifetouch photographs, except as incorporated into the School Deliverables.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; and using an Entity-owned and/or internally hosted-solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Lifetouch has implemented a variety of physical, technical, and organizational security measures to help protect School Data from unauthorized access and use.
- Facilities. Lifetouch produces portraits and School Service Items within its own U.S.-based photo labs. Lifetouch data, including School Data, is maintained in cloud-based storage or in on-premises data centers that meet or exceed industry standards for cybersecurity. All facilities and systems are protected by strong physical security controls such as restricted role-based access, ID cards, entry logs and video monitoring. We have a secure backup process and utilize high availability systems and equipment to maintain availability.
- Networks. Devices storing or providing access to School Data are protected with the same multi-layered security strategies that we use to protect Lifetouch's sensitive and confidential business records. Image databases supporting our photo processing labs and websites are separated from associated data files containing identifiable information, and all databases are protected by firewalls, monitoring, vulnerability scanning and authentication procedures. We apply intrusion prevention methods and perform regular network penetration testing and code scanning on a periodic basis using both internal and authorized third party testing services and. Our systems enable secure transmission of School Data from and to the Lifetouch network with encryption technologies. School Data is segregated from other databases in our systems and is securely disposed of when no longer needed. Devices or media containing or accessing School Data are password-protected and encrypted and stored in secure, locked areas when not in use. Laptops and tablets used by our field are also protected by software that, in the event of theft, notifies Lifetouch immediately if the device is connected to any network and allows Lifetouch to remotely erase the device.
- Personnel. Lifetouch's policy is to collect, use, and disclose personal information only in ways that are consistent with our respect for an individual's privacy. We require Lifetouch employees to sign confidentiality agreements as a condition of employment, and we provide training on the appropriate use and handling of School Data. Access to School Data is limited to those who need it to perform their jobs, and our employees are instructed to only access School Data through secure channels (like the Lifetouch Portal). We also take appropriate measures to enforce these policies.
- Enterprise. A comprehensive set of IT policies based on ISO 27001/2, PCI-DSS, OWASP and/or NIST frameworks and standards, as applicable, governs information systems practices and procedures throughout the Lifetouch enterprise. Additionally, Lifetouch partners with secure payment processing platforms like PayPal to handle payment card data when the families we serve make their portrait purchases. Additionally, the Lifetouch Portal is designed and maintained to exceed the standards of the Software & Information Industry Association's Best Practices for the Safeguarding of Student Information Privacy and Security for Providers of School Services.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Signal Vine, Inc.
The exclusive purposes for which Protected Information will be used: Segment contacts, personalize and trigger outgoing text messages to students and/or parents. [NYC DOE Comment: Signal Vine is a tool used to engage and communicate with students, families, and staff.]
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: No subcontractors have access to NYC DOE personal data. Signal Vine staff access is limited to the team supporting your account. All access is logged.
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Protected Information is removed from the platform within 30 days of the expiration of the agreement, and cycles out of backups 14 days later.
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information will be stored within the United States. All data is stored on Amazon Web Services and conforms to SOC 2, ISO 27001 and DoD standards.
How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted at rest via Amazon’s TDE service and in transit via TLS 1.2+
SimTutor
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SIMTICS is a cloud-based service with simulations and other supporting media, designed for learning how to perform clinical and medical imaging procedures. The Service is provided by SimTutor Inc (SimTutor). Each SIMTICS module covers one procedure, skill or topic. In most cases a module contains the following media: Video demonstration of the procedure; Explanatory text; Anatomy images related to the procedure, in 2D and 3D format; A multi-choice quiz; Simulation scenarios for the user to learn and practice the procedure interactively and test their skill.
The school provides us with student first/last names and a DOE-issued email address, so students have a unique username and their in-app activity can be tracked individually and kept separate from other students’ data. The SIMTICS system tracks the user’s activity in the app (study time, and scores in simulations and quizzes). Each learner’s activity data is recorded in their personal SIMTICS logbook and can be accessed only by that named user and by teachers and administrative users with the necessary privilege.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. SimTutor is SOC 2 certified and has robust systems, system architecture, and procedures in place to ensure student data is protected. SOC 2 is a compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data. SOC 2 certification is the result of a detailed annual audit by a qualified third party auditor. SimTutor has been SOC 2 certified for three years.
Our information security procedures to protect PII cover the following areas:
- Data classification – at SimTutor, school/student data is classified at the highest level of confidentiality, above our own company data
- Selection, documentation, and implementation of security controls
- Daily security checks of our systems and infrastructure
- Annual assessments of security controls and updates as necessary
- Careful authorization, changes to, and termination of information system access
- Maintenance of restricted access to system configurations, user functionality, master passwords, powerful utilities, and security devices
- Management of user access and roles – only employees with a job requirement (i.e. customer and technical support) are given access to PII
- Security training is part of employee onboarding
- Maintenance and support of the security system and necessary backup and offline storage
- An incident response system, tested at least annually, to ensure rapid action in the event of an issue occurring.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Smart Science Education
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 1/1/2024 – 8/1/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Smart Science Labs is a virtual science lab system which allows students to do science labs online in place of hands-on science labs where the materials, time, equipment or space is not available. In many urban schools science labs have been missing from science classes for decades due to degradation of science facilities and a lack of funding to replace or rebuild the physical science lab. Smart Science Labs have been in use by schools in the USA for over 20 years for a variety of needs including alternative education, ELL learners (Smart Science works in 100 languages), special ed and self paced learners, virtual academies and traditional schools who lack science lab facilities. PII is used to create student log in access to the virtual labs and track student performance on the virtual labs - staff members can see the progress of each student identified by their name and OSIS number. The resource is fully integrated with Clever and if the school chooses to deploy access through Clever then no PII will be used or stored by Smart Science Education because of Clever’s use of encrypted usernames and passwords to the host resource.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- Administrative safeguards: Access limited to the CEO of the company and the tech team; All tech team personnel who have access have signed a confidentiality agreement.
- Technical safeguards: Encryption of data in transit and storage, access controls, and implementing regular and encrypted backups is standard practice for our platform; Test and development servers do not use any real world student or teacher data; All data is entered into a password protected cloud based database that employs current industry standards, hosted in the Google Cloud (GCP).
- Operational safeguards: Company does not host any physical data or create physical copies of data. The offices of Smart Science Education are secured. All systems are cloud based and online only. All employees follow best practices. Tech lead has protocols including notifying the CEO and board so they may take action immediately.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
SMART Technologies (for Lumio)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Lumio is a digital learning platform and will only access or use PII when necessary to provide Lumio. Lumio lets educators combine and edit teaching resources, including PDF, Google, and PowerPoint files to create one engaging lesson. Lumio allows educators to liven up a lesson with ad and comment-free YouTube clips. Easily illustrate a concept without wasting time switching to different tabs. Effortlessly engage every student on any device using Lumio’s dynamic, collaborative web-based learning platform. PII is required for users to login.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Student PII will be destroyed when (i) no longer required to provide the service; (ii) upon request by the DOE; or (iii) the end of the school year (July 1) once the service agreement expires. Teacher accounts will be destroyed within one year of the inactivity or expirey [sic] of the service agreement.”
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and Google Cloud.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Privacy and security are at the core of our product design. Whether in room, on mobile devices or at a distance, SMART solutions enable interactive and collaborative workflows with built-in features to ensure user information is safe and protected. Customer data is hosted using best-in-class Amazon Web Services and Google Cloud data centers with ISO 27001 and SOC 2/3 certifications. There are no additional privacy settings needed in SMART products because we don’t want you to share anything except the bare minimum required. Being proactive, our product design captures as little personally identifiable information as possible. Students are not required to provide any identifiable information. They can log in using their existing Google or Microsoft credentials, or choose to connect anonymously with guest access. Data is only visible to whom the teacher personally gives access to, and shared lessons never include student data.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Smartest EDU (also called Formative)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: Starting 10/3/2022
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Normal operation and use of Formative’s platform, including reporting on student performance. Formative receives data such as student names, logins, emails, and work generated within the platform. We use this data to allow teachers to assign assessments within the Formative platform, create performance reports, and ensure that rostering within Formative aligns with rostering in Clever, Classlink, or other systems.
Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review).
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; and using an Entity-owned and/or internally hosted-solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Formative’s IT Security and Data Privacy strategy prioritizes detection, analysis, and response to known, anticipated, or unexpected threats; this strategy also emphasizes the effective management of risks as well as resilience against data incidents. Formative continuously strives to meet or exceed the industry’s information-security best practices and apply controls to protect our clients and the organization. Formative reviews its systems against applicable state, federal, and internal regulations as well as against controls associated with NIST CSF, SOC2, ISO, GDPR, FERPA, CCPA, CPRA, CPA, VCDPA, and UCPA. Formative maintains an Information Security and Privacy Program which, along with security personnel embedded in each of our business units, consists of a centralized group that establishes information security mandates, evaluates adherence to these mandates, and detects & responds to incidents. Formative frequently adjusts this program to ensure ongoing suitability. The Information Security and Privacy Program regularly assesses the sufficiency of Formative’s controls.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
SmartPass
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 7/1/2023 – 6/30/2024.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SmartPass is a digital hall pass system designed to replace traditional physical hall passes in educational institutions. It allows teachers and administrators to monitor student movements in real-time, ensuring safety and accountability. The platform offers features such as analytics, pass limits, and encounter prevention, making it easier to manage and oversee student activity during school hours. PII is used to create accounts and to display the information to teachers and administrators.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud within the United States.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We endeavor to protect the privacy of your account and other personal information we hold in our records, and we use industry standard data security measures to protect your personal information. This includes: (1) only storing your personal information under our control, (2) using two-factor authentication for our personnel to access your personal information, (3) implementing physical access controls to those areas where personal information is stored, (4) limiting access to your personal information to only those of our personnel who need to have that access to do their jobs, and (5) encrypting all of your personal information both in transit and at rest. We also regularly conduct audits of our security practices to make sure that they are up to date.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
SmartStart Education
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SmartStart Education, LLC is an educational services company that provides staffing and tutoring services. For tutoring, we seek to provide high-impact tutoring services to students striving to read and perform math proficiently in grades kindergarten to 12th grade. Tutoring services will be provided in-person at the students’ schools. We seek to align our tutoring to students’ individual needs. Having access to students’ data, such as IEP, report cards, and New York State test scores, allows us to provide tutoring that is more targeted to individual needs.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft SharePoint.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data will be served on a password-protected secure server. Only employees who have direct contact with students or their supervisors will have access to student data.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Smashcut
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Smashcut will provide a learning management system specifically designed for the teaching and learning of the visual and media arts. This program will be limited to high school students in grades 9-12. Student user accounts are required to access the program curriculum. PII is necessary initially for students to create a Smashcut user account. Once the student account is created, the PII is used for the following platform activities: Accessing the class syllabus, watching video lessons, submitting assignments, joining group projects, participating in class discussions, receiving and sharing project feedback with their teachers and classmates.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We conduct training sessions for all employees and contractors on data privacy, security practices, and compliance requirements. We ensure all employees are aware of the importance of protecting personal information and the specific protocols they must follow. All access to Smashcut systems - if provided - happens through role-based IAM (identity and access management) user accounts to authorized team members. Team members can only access systems with Multi-Factor Authentication. All access to systems is monitored and logged. Additionally:
- All data stored on cloud with physical and logical security controls; no local storage or physical access for employees.
- Access limited to authorized personnel with two-factor authentication.
- Strict role-based access controls and policies for all staff.
- Multi-Factor Authentication (MFA) for system access.
- Regular training on data privacy and security practices.
- All system access is monitored and logged.
- Cloud infrastructure managed by authorized staff via two-factor authenticated VPN.
- Serverless architecture with encrypted data transmission (TLS, DTLS, SRTP).
- Real-time encrypted data backups; data masking to protect sensitive information.
- Quarterly security reviews and continuous risk management.
- Code changes undergo rigorous review, testing, and security analysis before deployment.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Smile New York Outreach
Type of Entity: Article 28 licensed health care facility
Contract / Agreement Term: 7/1/2024 – 6/30/2032.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Processor will receive Protected Health Information from DOE in order to fulfill its role as a provider of dental services. Under the Health Information and Accountability Act, Processor is identified as a Covered entity when handling PII and therefore subject to extend required protections of PII under HIPAA. The PII obtained from DOE is utilized in the provision of dental services to students.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “As a health care provider patient records are retained, at minimum, in accordance to section 29.2 (a)(3) of the Rules of the Board of Regents or in accordance to company policy. Any student information that is not integrated into the patient treatment record will be destroyed upon termination of services.”
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Physical safeguards to protect PII include encrypting all data in transit and at rest, both in our administrative office and while performing clinical duties at the school location, and limiting physical access to equipment that stores historical PII records to required staff; access to that equipment requires badge access, personal PINs, and biometric scans. Administrative and logical access to data requires staff to have a username and password to applications to view PII, and once in, staff only have access to records that are required to perform their duties.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
SOLVED Consultancy
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SOLVED helps school administrators and teachers analyze student data so that they can make better instructional decisions based on this data. Schools have multiple data sources from different assessments administered throughout the year. In order to use data efficiently and effectively to inform instructional practices and the use of resources and to analyze student data, SOLVED developed the Assessment Dashboard, which is a platform built within the NYCDOE servers using Google Data Studio (which is part of the Google Workspace Cloud where all NYCDOE accounts and information live). This platform helps Principals, Assistant Principals, and Teachers to look at all their students’ assessment information in one centralized location. Only staff belonging to individual schools are authorized to access their platform, and never parents, guardians, or students.
SOLVED needs to have access to this PII to build this platform for schools. SOLVED displays the PII received in the Assessment Dashboard and this PII does not leave the NYCDOE servers as it is uploaded to the NYCDOE Google Cloud and SOLVED uses Google Data Studio to display PII to Principals, Assistant Principals, and Teachers who are authorized to log in with their @schools.nyc.gov accounts (which are Google accounts).
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. “SOLVED uses the NYCDOE’s Google Workspace Cloud to store PII, which are part of the NYCDOE servers. Google Workspace Cloud is a subcontractor for the NYCDOE. The PII does not leave the NYCDOE servers.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “None of the PII that SOLVED is given leaves the NYCDOE servers as it is stored in the Google Workspace Cloud of the NYCDOE. Hence, there is no data return because the data does not leave the NYCDOE servers.”
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. “SOLVED uses the NYCDOE’s Google Workspace Cloud to store PII which are part of the NYCDOE servers. Google Workspace Cloud is a subcontractor for the NYCDOE. The PII does not leave the NYCDOE servers.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The PII is stored in the NYCDOE’s Google Workspace Cloud and the NYCDOE servers. Hence, many of the technical (i.e. data encryption) and physical (i.e. physical servers) safeguards to keep this data safe are controlled by the NYCDOE.
SOLVED has multiple administrative and operational safeguards to ensure the highest rigor of data protection. These are:
- For all roles within SOLVED, the hiring process ensures the candidate has the necessary competence to perform the role and can be trusted to take on the role, especially for roles related to the use, management, or protection of data or PII. Data protection responsibilities are communicated to employees as part of the on-boarding process.
- Background checks are required prior to employing SOLVED employees, regardless of whether a competitive recruitment process is used.
- All SOLVED employees are required to sign a Non-Disclosure Agreement before being granted access to any data. Upon termination of employment, staff are reminded of confidentiality and non-disclosure agreements.
- All new staff must complete an approved Security Awareness training prior to, or within 30 days of, being granted access to any data. In this training, all new staff are provided with relevant data policies and protocols to allow them to properly protect data. All new staff then must acknowledge they have received and agree to adhere to the SOLVED data policies and protocols before being granted access to any data.
- All staff must complete an annual security awareness training.
- SOLVED provides all employees an anonymous process for reporting violations of information security policies or procedures.
- Staff found to have violated SOLVED’s data policy or protocols may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Sooth Inc
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Sooth.fyi is a subscription-based, curated internet search engine specifically designed for students and educators to conduct online, internet research without running into ads, chatbots, dubious sources, or commercial content found on other search engines. Sooth.fyi uses a proprietary, human curated search index comprised of thousands of the web's most reliable and diverse primary sources of news, research, and information that can't be found in traditional academic research databases.
Sooth.fyi also includes many unique tools and collaboration features that accelerate student productivity when conducting online research. For example, Sooth.fyi includes a citation generator, bookmarking and research collection folders, notetaking tools, a misinformation toolkit, and a personalized news aggregator.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure Cloud Services.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Sooth.fyi implements the following measures to ensure the technical and physical safeguarding of PII:
- Sooth Inc. is NIST 800 compliant (cyber security posture)
- All Sooth Inc. data, including user Personally Identifiable Information (PII), is securely stored and managed on Microsoft’s Azure Cloud Services platform.
- Sooth Inc. collects only the minimum PII required in order to operate a safe, secure, functional, and enjoyable platform.
- All PII is encrypted while in transit and while at rest.
- All employees and contractors conduct annual cyber security and privacy compliance training.
- Sooth Inc. Compliance Officer conducts annual audits against a comprehensive checklist derived from NYC DOE requirements, COPPA, FERPA, PPRA, and all other applicable federal, state, and local data privacy laws and regulations.
- Sooth Inc. implements role-based access control systems to enforce minimum necessary access to PII based on job responsibilities.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
South Asian Youth Action (SAYA)
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/1/2021 – 6/30/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. As part of SAYA’s Community School programming at Richmond Hill High School, our team monitors program quality and effectiveness in three areas: school attendance, college access support, and social and emotional impact. In order to track data and measure the effectiveness of our offerings, our staff secure student PII and make use of the Department of Education databases, as well as Apricot - Social Solutions, which is a customized database used by SAYA across all of our sites. These databases house and track a number of metrics, including attendance and college enrollment. SAYA staff gather PII data points from our participants, teachers, and other school administrators to measure and gauge youth improvement within these metrics. Through data gathered, our Community School Director and team continually determine how SAYA programming and intervention can best benefit our students and improve their performances.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using cloud or infrastructure owned tool hosted by a subcontractor; i.e. Google Workspace, Apricot - Social Solutions.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Access control methods to be used shall include:
- Auditing of attempts to log on to any device on the company network
- Automatic updates implemented on all systems
- Server access rights
- Active file and email intrusion detection (implemented with Google Workspace for Non-Profits)
- Active Network Intrusion detection and automatic emails to IT team to inform of the situations.
- Firewall permissions
- Web authentication rights
- Database access rights
- Encryption at rest and in flight
- Network segregation
- Yearly user training concerning the handling of sensitive information and PII will be provided. Additionally, this data security policy will be available to any SAYA staff member or contractor. This also applies to contractors and third party vendors who for whatever unforeseen circumstance would need access to sensitive information.
Access control applies to all networks, servers, workstations, laptops, mobile devices, web applications, websites, cloud storages, cloud databases, and any other form of cloud service that contain sensitive or PII data.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
South Bronx Overall Economic Development Corporation
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. As the CBO our initiative is focused on enhancing student performance and well-being through a range of integrated programs and services. These include healthcare, mentorship, expanded learning opportunities, adult education and other support services for middle school and high school programming. Our goal is to address the diverse needs of students, engage their families, and strengthen the broader community.
The purposes for receiving and accessing personally identifiable information (PII) include managing student records, ensuring accurate enrollment, and coordinating participation in our services. This information allows us to tailor program activities to meet the specific needs and interests of students. We utilize data on students' academic interests, extracurricular preferences, and special needs to design and implement programs effectively. Additionally, we track student participation to monitor their progress. This evaluation helps us assess the effectiveness of our programs.
In summary, our project focuses on providing targeted programs and services to support student development. Accessing and using PII is essential for managing enrollment, coordinating activities, communicating with stakeholders, evaluating program effectiveness, and meeting regulatory reporting requirements, all while maintaining strict controls over data sharing to ensure compliance and protect privacy.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third-party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks
Administrative Safeguards:
- Policy Development: Our company has established comprehensive policies and procedures specifically tailored to the handling of Personally Identifiable Information (PII). These policies outline the proper protocols for accessing, storing, and transmitting PII, ensuring that all staff members are aware of their responsibilities in safeguarding sensitive information. These include, but are not limited to: password policy, online session management and security policy.
- Role-Based Access Control: Access to PII is strictly controlled based on roles and responsibilities. Employees are granted access only to the information necessary for performing their duties, and access permissions are regularly reviewed and updated as needed.
- Training and Awareness: Training sessions are conducted to educate employees about data privacy and security best practices, including the proper handling of PII. Staff members are trained to recognize potential security threats such as phishing attacks and are instructed on how to respond appropriately.
Physical Safeguards:
- Restricted Access: Physical access to facilities where PII is stored or processed is restricted to authorized personnel only. Access controls such as keys and surveillance cameras are employed to monitor and control entry.
Data Privacy and Security Risk Mitigation:
- Regular Audits and Assessments: The Company conducts regular audits and assessments of its data privacy and security practices to identify potential vulnerabilities and areas for improvement. These assessments help ensure that safeguards are effectively implemented and maintained over time.
- Incident Response Plan: In the event of a security incident or data breach, the company has established an incident response plan to guide the organization's response and minimize the impact on affected individuals. This plan includes procedures for investigating incidents, notifying stakeholders, and implementing remediation measures to prevent future occurrences.
By implementing these administrative and physical safeguards, along with proactive risk mitigation measures, the company demonstrates a strong commitment to protecting PII and maintaining the privacy and security of its data.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Sparkler
The exclusive purposes for which Protected Information will be used: To provide the service, directly and in coordination with the BOE. Aggregated non-identifiable data may also be used to improve the service.
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Data protection and security requirements that meet or exceed these requirements are a part of Sparkler’s privacy policy and all employment and contracting agreements used by Sparkler.
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The agreement starts on signing, and will extend no more than a year, or until terminated by either party. Protected information held by Sparkler will be deleted at any time at the instigation of either users or the DOE, and at any rate under Sparkler’s policies will be deleted no later than one year after the end of the agreement.
[NYC DOE comment: The current agreement became effective starting on April 1, 2020 and terminates when all NYC DOE schools and/or offices cease using Sparkler’s products/services. The terms of the agreement remain effective through the period during which Sparkler possesses or otherwise is in control of covered protected information.]
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data is stored in the US, using the commercially reasonable protections afforded by AWS. Further provisions are described in the Recipient’s Terms of Use and Privacy Policy.
How the data will be encrypted (described in such a manner as to protect data security): Sparkler is using the industry standard AES-256 encryption algorithm to encrypt all data on the server. For encrypting network communications and establishing the identity of the app, Sparkler is using industry standard SSL/TLS protocols.
Speak Agent
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 11/15/2023 – 11/30/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Speak Agent, Inc. receives PII for the sole purpose of delivering supplemental instruction. "Speak Agent" is an instructional software platform that includes "Math+Language" and "Science+Language" programs for grades K to 12, providing digital lessons and activities that run on its cloud-based platform. These programs supplement the school district's math and science curriculum. Specifically, PII is needed in order to (1) provide secure login through single sign-on; (2) connect students with the correct class sections, teachers, and grade-appropriate instructional materials; and (3) provide students with expressive language opportunities (writing, speaking, and representing) and individualized feedback.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and/or Heroku.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All PII data are securely stored using cloud hosting facilities that meet ISO 27001 and PCI Level 1 requirements. PII may be viewed only by authorized district and Processor users. Processor secures and manages usernames, passwords, and other means of gaining access to PII at levels recommended by NIST SP800-171 (password complexity, encryption, and re-use).
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Sphero (for Sphero EDU)
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Use of Sphero’s Sphero EDU application available at edu.sphero.com, and all related client applications, with which students learn, code, and play with Sphero robots. Depending on if and what type of user accounts are created, PII can contain first name, last initial, email address, and date of birth. Name and email information is used solely for the purpose of creating user accounts. Date of birth is used for the purpose of checking age of consent of the user.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Sphero ensures that data is encrypted both in motion and at rest. The Sphero Edu platform runs in an Amazon Web Services (AWS) facility (please see full details here: https://aws.amazon.com/security/). Personnel are only given access to data on an as-needed basis. AWS provides extensive protection in the form of secure physical facilities, permissions and identity policies, rapid patching and updating of systems, firewalls, network threat detection and response, and scalability to respond to denial of service attacks. PII data is always password protected in addition to being encrypted.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Spruce Technology
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Spruce Technology, Inc. provides information technology consulting services for the New York City Department of Education, including the implementation, integration, customization, testing, and support of technology platforms licensed and hosted by other providers; custom design, development, testing, and support of technology solutions; cybersecurity advisory services; user interface design and development; and provision of specialized technology staff. We require access to PII to develop initiatives, troubleshoot issues, create reports and provide adequate support to all patrons.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: No PII will be stored or hosted by Entity.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All DOE data that is considered private, sensitive, or higher classification will be accessed by Spruce team within DOE environment using DOE issued equipment such as VDI / Servers etc. Plus the technical design of the PSAL ensures that the design and architecture conforms with all citywide security standards and will get all necessary approvals prior to go live in production.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
St. John’s University's School of Education (for Project RAISE)
Type of Entity: Research Institution or Evaluator
Contract / Agreement Term: 1/31/2022 – 1/30/2027
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Resilience, Access, and Imagination for Success in Education (henceforth Project RAISE), consists of the following components:
- Supplemental Instruction
- Counseling Services
- Tutoring Services
- Mentoring Services
- Parent Engagement Services
- Professional Development; and
- Extended Year Program
St. John’s University’s Project RAISE is a program designed to provide Title I supplemental instructional services and related services under the Every Student Succeeds Act (ESSA) for Title I eligible students, parents, and teachers at nonpublic schools in New York City. To this end, all students from Pre Kindergarten through grade 12, as well as their parents and teachers who are eligible for Title I assistance, will benefit from Project RAISE. Pre-Kindergarten to grade-12 students from families in poverty grapple with numerous challenges in terms of their emotional, physical, social, and cognitive development. These challenges adversely affect their academic success. The primary goal of Project RAISE—which is intended to provide Title I nonpublic schools supplemental instructional services—is to afford students from Pre Kindergarten through grade 12 with the opportunity to receive supplemental instruction in the areas of English language arts/reading, mathematics, English as a Second Language (ESL), social studies, and technology, as well as Pre-Kindergarten services to help them succeed in these subjects. The primary location for services will be in New York City nonpublic schools serving students from pre-kindergarten to twelfth grade, and that select St. John’s University as their service provider.
Data collected will be for the purpose of invoicing/billing the participating non-public schools in the City of New York. The data will include the following: Student ID Number; Grade Level; and School Name.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. This correspondence articulates elements of the St. John’s University cyber security and privacy infrastructure as it relates to the academic research infrastructure for the New York State Department of Education grant award supported by faculty in the St. John’s University School of Education.
St. John’s University has taken a risk-based approach to cyber and information security by ensuring the confidentiality, integrity, and availability of its information assets. The University has a viable program that balances the people, processes and technologies and focuses on the management of the security program, user awareness, research platform, and operations. The details are as follows:
Security Program: Our Security Program is comprised of several strategies that include, but are not limited to:
- A viable IT Governance model and reporting structure
- University-wide and department-specific Information Technology (IT) and Security policies and standards
- A Vulnerability and Patch Management (VPM) program (policies, standards, processes, and procedures) to proactively address potential vulnerable and unpatched systems and applications of critical and non-critical information assets.
- Multi-factor authentication to minimize authentication threats
- An IT risk management framework based on the NIST Cyber Security framework to manage IT risks consistently and continuously.
- Adequate security awareness and training of faculty and staff, including staff that handles personally identifiable information (PII)
- Processes and techniques to address the end-user computing threats
- Data maps for PII that is transmitted, processed, and stored within the University.
- Records/data that are classified into three groups
- Active records that are stored in a primary storage medium
- Data is retained for a regulated specified period according to the University’s retention schedule
The subcontractor is held to the same standards described above.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
St. Nicks Alliance Corp (Community Schools)
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/1/2022 – 6/30/2023
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. St. Nicks Alliance (SNA) is a community-based organization contracted by the NYCDOE to provide services at:
- The Williamsburg High School of Art and Technology, Brooklyn, NY 11206: These services provide integrated student support, expanded and enriched learning time and extended learning time opportunities, active family and community engagement, and collaborative leadership and practices. These supports and programs help to ensure consistent attendance, academic recovery, relationship building and leadership inside and outside the school community.
- John Ericsson Middle School 126, Brooklyn, NY 11222. These services provide integrated student support, expanded and enriched learning time and extended learning time opportunities, active family and community engagement, and collaborative leadership and practices. These supports and programs help to ensure consistent attendance, academic recovery, relationship building and leadership inside and outside the school community.
- PS 150 Christopher, Brooklyn, NY 11212. These services provide integrated student support, expanded and enriched learning time and extended learning time opportunities, active family and community engagement, and collaborative leadership and practices. These supports and programs help to ensure consistent attendance, academic recovery, relationship building, and leadership inside and outside the school community.
Protected Information may be collected or accessed by authorized SNA representatives to support students with attendance and credit accumulation. We may examine academic data (i.e. grades on assignments, courses, or exams); daily attendance statistics, demographic and disciplinary history, contact information, survey responses, and/or Other Protected Information. This data is used to track student progress toward attendance and credit accumulation and to tailor services to each student.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data storage can be in electronic or non-electronic formats (such as paper surveys), including data files and databases. Non-Electronic data is stored in the United States in locked cabinets in SNA main office (located at 2 Kingsland Avenue, Brooklyn, NY 11211) or Bushwick Community High School (at 231 Palmetto St., Brooklyn, NY 11221), as required by regulatory agencies (i.e. NYS Department of Health). The lock's key or combination is exclusively shared with authorized staff.
For electronic data storage, SNA uses password-protected computers. The password is changed every 60-180 days and is only accessible to SNA staff members responsible for analyzing the data. Data storage requirements are thoroughly discussed with SNA staff both during onboarding of new staff and ongoing during training on Federal and State laws governing confidentiality to any officers, employees, or assignees who have access to student data or teacher or principal data to ensure compliance with our regulations and SNA internal data storage plan that protects confidentiality and safety of PII. Do not use educational records for any other purpose than those explicitly authorized in the contract.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
St. Nicks Alliance Corp (Learning to Work)
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/01/2015 – 6/30/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. St. Nicks Alliance (SNA) is the community-based organization contracted by the NYCDOE to provide the Learning-To-Work program at Bushwick Community High School, Brooklyn, NY. These services assist students with attendance improvement and dropout prevention through individual and group counseling, case management, and post-secondary planning, among other evidence-based strategies.
Protected Information may be collected or accessed by authorized SNA representatives to support students with attendance and credit accumulation. We may examine academic data (i.e. grades on assignments, courses, or exams); daily attendance statistics, demographic and disciplinary history, contact information, survey responses, and/or Other Protected Information. This data is used to track student progress toward attendance and credit accumulation and to tailor services to each student.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data storage can be in electronic or non-electronic formats (such as paper surveys), including data files and databases. Non-Electronic data is stored in the United States in locked cabinets in SNA main office (located at 2 Kingsland Avenue, Brooklyn, NY 11211) or Bushwick Community High School (at 231 Palmetto St., Brooklyn, NY 11221), as required by regulatory agencies (i.e. NYS Department of Health). The lock's key or combination is exclusively shared with authorized staff.
For electronic data storage, SNA uses password-protected computers. The password is changed every 60-180 days and is only accessible to SNA staff members responsible for analyzing the data. Data storage requirements are thoroughly discussed with SNA staff both during onboarding of new staff and ongoing during training on Federal and State laws governing confidentiality to any officers, employees, or assignees who have access to student data or teacher or principal data to ensure compliance with our regulations and SNA internal data storage plan that protects confidentiality and safety of PII. Do not use educational records for any other purpose than those explicitly authorized in the contract.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
ST Math - MIND Research Institute
The exclusive purposes for which Protected Information will be used: Personally Identifiable Student Information (PISI) will be used to enroll/roster students into the ST Math program as well as collect usage and performance data as related to the program (i.e. progression through the program, mastery of standard, time on the program).
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: MIND Research Institute requires all employees that will handle PISI to agree to and sign our employee handbook which details requirements each employee must adhere to in order to ensure the security of user data. Additionally, MIND Research Institute provides scheduled training and refresher training on best practices in the handling of data and requires employees to participate.
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: PISI received from a LEA is de-identified or deleted in a reasonable period of time after the relationship between MIND Research Institute and the LEA has been terminated.
[NYC DOE comment: The current agreement became effective starting on September 18, 2019 and terminates when all NYC DOE schools and/or offices cease using ST Math’s products/services. The terms of the agreement remain effective through the period during which ST Math possesses or otherwise is in control of covered protected information.]
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): MIND Research Institute's infrastructure is hosted within the United States. We design and implement our systems to provide resiliency against server, segment, and geographic failure, through the implementation of a clustered redundant architecture that yields highly available service endpoints. We utilize service providers whose systems have been certified for compliance with security standards including ISO 27001.
How the data will be encrypted (described in such a manner as to protect data security): Unauthorized access of User data is a real risk facing the users of today's electronic information services. MIND Research Institute strives to keep informed of these risks, and we work diligently to combat them. One method of protecting User data is to utilize cryptography to prevent data visibility in the event of its unauthorized access. MIND Research Institute leverages cryptography to protect user data in the following two ways:
- Data in Transit. Our services support Transport Layer Security (“TLS”) to encrypt User communications (TLS 1.0 or greater and only the strongest ciphers). Data transferred between our Site and its end Users (including credential submission, data uploads, and data downloads) are sent over TLS connections, which protect such data using strong encryption, so that data in transit is kept in a private channel between the intended User and our systems.
- Data at Rest. User data that contains personally identifying information, when “at-rest” (i.e., when in storage) is encrypted using industry standard AES-256. There are two types of "at rest" storage:
  - Database. Database server disk storage is “volume” encrypted (i.e., encrypted at the level of the database).
  - User Files. User files are individually encrypted before being recorded on long-term, secondary storage systems.
Staten Island Makerspace
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We provide project-based STEM lessons for visiting school groups at our location or we provide lessons at schools. We also provide professional development workshops for educators at our location or at schools. PII may be issued for the purposes of preparing materials and lesson plans that are appropriate for grade level and number of students.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Educat