Vendors R-Z

Raj Technologies

The exclusive purposes for which Protected Information will be used:

RTI is providing staffing services of a Full Stack Developer to support The Division of Instructional and Information.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE:

The authorized employee/subcontractor will be bound to their own Non-Disclosure Agreement and will not collect, store, nor share any protected information.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement:

RTI does not have any plans to collect nor store Protected Information throughout the duration of this agreement (May 3, 2021-May 2, 2022) with the NYC DOE.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected:

Pursuant to its contractual obligations, the Contractor will work with the NYC DOE to process requests for copies of, and challenges to the accuracy of, Protected Information in the custody or control of the Contractor. Such requests should be directed to studentprivacy@schools.nyc.gov.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security):

RTI does not have any plans to collect nor store Protected Information throughout the duration of this agreement (May 3, 2021-May 2, 2022) with the NYC DOE.

How the data will be encrypted (described in such a manner as to protect data security):

RTI does not have any plans to collect nor store Protected Information throughout the duration of this agreement (May 3, 2021-May 2, 2022) with the NYC DOE.

Rally! Education, LLC

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. RALLY! Education® digital products use advanced encryption technology to protect online data. The purpose of each digital product is to help students understand and master the NY Next Generation Learning Standards and prepare for the spring NY State Tests. Our digital programs stand-alone on secured website servers. There is no need to access all student PII - we only require student, teacher, and admin email addresses and school-created passwords to set up the program - no other confidential information is needed or required. Our programs do not require All transmission of data other than diagnostic student, class, and grade reports using Secure Sockets Layer (SSL) protocols to encrypt the data being transmitted. In addition, all educational student and teacher names are stored on RALLY! Education® secured servers and are encrypted. RALLY! Education® servers use the latest security software to detect and defend from attacks and unauthorized access and is monitored daily. All transmission of data utilizes Secure Sockets Layer (SSL) protocols to encrypt the data being transmitted. In addition, all educational and personal information stored on RALLY! Education® servers is encrypted. RALLY! Education® servers use the latest security software to detect and defend from attacks and unauthorized access.
  4. Type of PII that the Entity will receive/access: Student PII. The vendor specifies that “NYC DOE is the sole owner of any student and teacher data. The only information that is needed is the student’s name and teacher email/or ID and any passwords that the site or DOE sets up. For example, teachers and students can use their assigned NYC DOE ID number as their passwords or create unique passwords”
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor specifies “RALLY! Education® is the sole source provider, and we do not contract with third-party providers.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. The vendor specifies that “All data is deleted on the RALLY! Education® servers. NYC DOE is the sole owner of all reports by student, class, and grade.”
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected 

Ramapo for Children, Inc.

  1. Type of Entity: Community Based Organization or Not-for-Profit 
  2. Contract / Agreement Term

    Contract Start Date: December 2020

    Contract End Date: June 2022

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Facilitation of a Youth Council for the Office of Community Schools.
  4. Type of PII that the Entity will receive/access: Student PII
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor’s response: “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedure outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Ramapo employees store and access data on a custom Salesforce platform with restricted levels of access depending on the staff role. Salesforce is built with security to protect data and applications by limiting exposure of data to the users that act on it. Authentication protocols prevent unauthorized access to data by making sure each logged-in user is who they say they are. Careful consideration is given to choosing the data set that each user or group of users can see, thereby limiting the risk of stolen or misused data. Specific objects (such as attendance lists or coaching notes) are only accessed by selected profiles.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

The vendor checked the box “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Reading Plus LLC

1. The exclusive purposes for which Protected Information will be used: To set up and manage your subscription to use the Reading Plus application
 
To set up and maintain your individual use account
 
To administer and protect the Reading Plus application (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
 
To use data analytics to improve our Reading Plus application and customer relationships and experiences
 
For research purposes to better understand how we can develop and improve our Reading Plus application and/or create new products to help students become better silent readers and independent learners 
 
To send marketing communications to teachers and administrative users
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: All Subcontractors sign binding NDAs that bind them to data protection agreements that Reading Plus LLC is part of. 
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Following expiration or termination of the agreement under which the Client purchased access to the Reading Plus web-based products or services, and upon receipt of written request from the Client, Reading Plus will destroy or, if agreed, return to the Client, the Student Records in its possession within a commercially reasonable period of time.
 
[NYC DOE comment: The current agreement became effective starting on August 30, 2019 and terminates when all NYC DOE schools and/or offices cease using Reading Plus LLC’s products/services. The terms of the agreement remain effective through the period during which Reading Plus LLC possesses or otherwise is in control of covered protected information.]           
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected:
 
Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. 
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security):
 
Data is stored within the United States, encrypted in transit and at rest. We have put in place reasonable and appropriate security measures designed to prevent your personal data from being accidentally lost or used or accessed, altered or disclosed accidentally or in an unauthorized way. In addition, we have put in place policies and protocols designed to limit access to your personal data to those employees, agents, contractors and other third parties who have business need to know. 
 
6. How the data will be encrypted (described in such a manner as to protect data security):
 
Data is encrypted in transit with SHA-256 with RSA encryption.
 
Data is encrypted at rest with AES-256 encryption algorithm.

Really Great Reading Company, LLC

  1. Type of Entity: Commercial Enterprise 
  2. Contract / Agreement Term

    Contract Start Date: 7/1/2021

    Contract End Date: 6/30/2026

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. NYC BOE educators will receive access to Teacher Online Tools, Reading Playgrounds and Virtual Implementation Training Courses for Countdown, Blast and HD Word Curriculums. These curriculums are designed to help students learn to read.
  4. Type of PII that the Entity will receive/access: Student PII
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor’s response: “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedure outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data in motion is secured with standard HTTPS protocol Transport Layer Security (TLS). Data stored at rest is encrypted, as are its automated backups, read replicas, and snapshots using Amazon AWS RDS encryption. Keys are managed with the AWS Key Management Service (KMS). All data is stored in a password protected database with strong password requirements, server based firewall limiting data access to those end-points necessary, and limits to development roles that have access to production data. Only business necessary PII will be stored. RGR applications are hosted in Amazon Web Services (AWS). More information about the physical security of AWS data centers may be found on AWS website. Access to PII and application data will be limited to only those employees who necessarily require access to data in the performance of their role with projects. Employees, who have access to PII, must complete Security Awareness Training (Coursera) and demonstrate awareness and discretion in their day-to-day practices related to security and handling of sensitive information. Employees must sign or acknowledge these policies as they relate to their role. Background checks are conducted on all employees. In the event of unauthorized access or data breach related to the client's application data, email notification will be made within three business days of discovery of this breach.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

The vendor checked the box “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Rediker Software, Inc.

  1. Type of Entity: Commercial Enterprise 
  2. Contract / Agreement Term

    Contract Start Date: 3/1/2022

    Contract End Date: 2/28/2025 

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. To provide a Student Information System to manage student-related data as the system of record.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution; and we use Microsoft Azure to host our teacher, parent, and student products. Microsoft is not a subcontractor but a Cloud service provider which is a company that provides a cloud-based platform, infrastructure, application, or storage services, usually for a fee. We do not provide access or provide consent to any Microsoft Representative to work on our servers or databases that are provisioned to our customers. Access to customer data by Microsoft operations and support personnel is denied by default. Microsoft does not inspect, approve, or monitor applications that customers deploy to Azure. Moreover, Microsoft does not know what kind of data customers choose to store in Azure. Microsoft does not claim data ownership over the customer information that's entered in Azure.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

    Rediker Software Inc. has implemented security policies and standards that govern and protect customers’ data. Our policies and standards are periodically revised and updated to comply with laws and regulations such as FERPA, COPPA, GDPR, HIPAA, PCI-DSS, NYE DOE Standards, and more. Rediker Software Inc. is committed to safeguarding the confidentiality, integrity, and availability of customers’ data by adopting:

    • Secure Access Control
    • Data Segregation
    • Data Redundancy
    • Encryption
    • Data and Application Security

      All platforms are highly secure and are equipped with standardized measures to manage, monitor, and protect our customers’ data.

  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Remind101, Inc.

1. The exclusive purposes for which Protected Information will be used: Remind will process Personally Identifiable Student Information (PISI) as necessary to perform the Services pursuant to the Terms of Service (https://www.remind.com/terms-of-service), and as further instructed by relevant parties in its use of the Services.
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Remind will use a vendor risk management process to evaluate new vendors and monitor existing vendors on an annual basis. The following review areas are considered for vendors with whom personal data is exchanged: Compliance Status, Compliance Report Details, if applicable, Contractual Terms (confidentiality and data protection), Data Retention, and Data Security Controls.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Remind will adhere to the obligations set forth in our Privacy Notice and other Terms and Policies published at: https://www.remind.com/terms-of-service
 
[NYC DOE comment: The current agreement became effective starting on April 10, 2020 and terminates when all NYC DOE schools and/or offices cease using Remind101, Inc.’s products/services. The terms of the agreement remain effective through the period during which Remind101, Inc. possesses or otherwise is in control of covered protected information.]           
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Remind will store data in cloud-based data centers located in the United States.
 
6. How the data will be encrypted (described in such a manner as to protect data security): Data transmitted across untrusted networks will be protected in transit using TLS V1.2 and will be stored at rest in an encrypted state using AES-256 bit encryption.

Renaissance Learning, Inc.

1. The exclusive purposes for which Protected Information will be used: To fulfill the services requested by NYC DOE (e.g., to provide Renaissance educational products to NYC DOE school Customers).
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Contractual obligation and periodic vendor compliance review.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Effective upon execution and continues until expiration/termination of underlying service agreement. PISI is disposed of per Exhibit D.
 
[NYC DOE comment: The current agreement became effective starting on September 24, 2020 and terminates when all NYC DOE schools and/or offices cease using Renaissance Learning, Inc.’s products/services. The terms of the agreement remain effective through the period during which Renaissance Learning, Inc. possesses or otherwise is in control of covered protected information.]           
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI is stored in the United States; PISI is encrypted at rest and hosted in the cloud by Amazon Web Services (AWS). PISI transferred on the Internet is over HTTPS. Backups are also handled by AWS and backups are also encrypted at rest.
 
6. How the data will be encrypted (described in such a manner as to protect data security): PISI is encrypted at rest (no less than AES128) and hosted in the cloud by Amazon Web Services (AWS). PISI transferred on the Internet is over HTTPS (TLS 1.2). Backups are also handled by AWS and backups are also encrypted at rest.

Renzulli Learning, LLC

  1. Type of Entity: Commercial Enterprise 
  2. Contract / Agreement Term

Contract Start Date: 4/1/2021
Contract End Date: 6/30/2022

  1. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Renzulli Learning is an interactive online system that provides students with a personalized learning environment, allowing teachers to easily differentiate instruction to increase engagement and achieve higher academic performance. Renzulli Learning has resources that promote and enable ALL students to pursue their interests, providing equity, innovation and creativity for grades Pre-K through 12. Students are empowered by doing creative, imaginative projects that provide rigorous learning outcomes.

    The Renzulli Profiler quickly identifies student strengths, interests, learning and expression styles and then matches each student with thousands of personalized engaging Enrichment Activities. Renzulli Learning features robust student grouping which supports our revolutionary strength-based Project Based Learning (PBL) system. Research shows that Renzulli Learning Benefits All Students including:

    • Gifted and Talented Students
    • High Achieving Students
    • At Risk Students
    • Students with Special Needs
    • English Language Learners (ELL)

Renzulli Learning supports the development of 21st Century Learning Skills for all students, including: critical thinking, creative problem solving, creativity, time management, communication, teamwork, and global competency through our Global Collaboration module. The system has been used by millions of students across the globe, consistently increasing engagement which research demonstrates will lead to higher achievement. Renzulli Learning is available to all students throughout the school year, before, during, and after school, and all throughout the summer as well!

  1. Type of PII that the Entity will receive/access: Student PII.
  2. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  3. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.
  4. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  5. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  6. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Renzulli Learning utilizes LightEdge Solutions, Inc., an ISO/IEC 2700:2013 certified company with Corporate Headquarters in Des Moines, Iowa. LightEdge uses several third-party systems to manage data. The systems reside within LightEdge’s internal network and utilize a web-based application only accessible from the corporate network or through a cloud provider using single sign-on (SSO) to access data. Vulnerability assessments and penetration testing are performed on a monthly and annual basis to identify threats. Any identified security vulnerabilities are triaged by their security team and monitored through resolution. Policies are in place that prohibit the transmission of sensitive information over the internet unless it is encrypted. Risk mitigation activities include the identification, selection, and development of control activities that reduce the assessed risks. LightEdge maintains administrative, technical, and physical safeguards to protect confidential information including provisioning, controlling, and monitoring of physical access into the data centers and office facilities.
  7. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. 

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Rosetta Stone Ltd

1. The exclusive purposes for which Protected Information will be used: The exclusive purposes for which “student data” or “teacher or principal data” (as those terms are defined in Education Law Section 2-d and collectively referred to as the “Confidential Data”) will be used by Rosetta Stone, Ltd. (the “Vendor”) are limited to the purposes authorized in the contract between the vendor and the NYC DOE (the “Contract”).
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: The Vendor will ensure that any subcontractors, or other authorized persons or entities to whom the Vendor will disclose the Confidential Data, if any, are contractually required to abide by all applicable data protection and security requirements, including but not limited to those outlined in applicable state and federal laws and regulations (e.g., Family Educational Rights and Privacy Act (“FERPA”); Education Law §2-d; 8 NYCRR Part 121).
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The Contract commences and expires on the dates set forth in the Contract, unless earlier terminated or renewed pursuant to the terms of the Contract. On or before the date the Contract expires, protected data may be exported by the School District in the client facing administrator tool and/or destroyed by the Vendor as directed by the School District.
 
[NYC DOE comment: The current agreement became effective starting on October 1, 2019 and terminates when all NYC DOE schools and/or offices cease using DreamBox Learning, Inc.’s products/services. The terms of the agreement remain effective through the period during which DreamBox Learning, Inc. possesses or otherwise is in control of covered protected information.]           
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected:
 
Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Confidential Data provided to Vendor by the School District will be stored in the United States and protected as per the Student Records Data Privacy Policy.
 
6. How the data will be encrypted (described in such a manner as to protect data security): The Vendor will apply encryption to the Confidential Data while in motion and at rest at least to the extent required by Education Law Section 2-d and other applicable law.

Saga Innovations, Inc. (dba Saga Education)

1. The exclusive purposes for which Protected Information will be used: Protected Information will be exclusively used for the educational purposes intended within the contracted services, to enable and enhance the tutoring experience of the participating NYC DOE students.
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: All subcontractors and other authorized persons will be subject to data protection and security policies and agreements that encompass, at a minimum, the requirements under the non-disclosure agreement with the NYC DOE.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The Protected Information will be destroyed, or to the extent requested by NYC DOE and possible, returned to NYC DOE.
 
[NYC DOE comment: The current agreement became effective starting on April 15, 2020 and terminates when all NYC DOE schools and/or offices cease using Saga Education’s products/services. The terms of the agreement remain effective through the period during which Saga Education possesses or otherwise is in control of covered protected information.]           
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. 
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information will be stored in the US. Data storage, cloud servers and services are located in state-of-the-art Amazon Web Service (AWS) data centers, or comparable cloud-service provider data centers with many years of experience in designing, constructing, and operating large-scale data centers.
 
Our operations team is trained and experienced with respect to state-of-the-art security mechanisms and policies for cloud-based services. We employ engineers and managers who have worked in other domains with critical security and availability concerns including military systems, satellite communications systems, and the website operations of large multinational companies. 
 
We routinely audit our systems for security vulnerabilities, proactively monitor security-related websites and other outlets for information on new vulnerabilities and best practices, and make system updates as needed.
 
AWS data centers (and all of our production servers and services) are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. When a storage device has reached the end of its useful life, data center procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. 
 
Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network used by our systems. We use a wide variety of automated monitoring systems to provide a high level of service performance and availability. These monitoring systems are designed to detect unusual or unauthorized activities and conditions at ingress and egress communication points. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts. Our systems are extensively instrumented to monitor key operational metrics. Alarms are configured to automatically notify operations and management personnel when early-warning thresholds are crossed on these metrics. AWS security monitoring tools help identify several types of denial of service attacks, including distributed, flooding, and software/logic attacks. Woot Math and AWS have additional protections in place against common attack vectors including Distributed Denial Of Service Attacks, Man in the Middle Attacks, IP Spoofing, Port Scanning, Packet Sniffing, Injection Attacks, and Cross-Site Scripting Attacks.
 
Our systems are architected for high availability; the core systems are deployed in N+1 and N-to-N redundancy configurations; and the system is protected against single points of failure. Servers are maintained across multiple availability zones. The availability zones are all redundantly connected to multiple tier-1 Internet providers. In addition to discrete uninterruptible power supply and onsite backup generation facilities, each is fed via different grids from independent electrical utilities. Because of this architecture, our services are resilient in the face of most failure modes, including natural disasters or system failures.
 
We have, in addition, a comprehensive disaster recovery strategy. We have push-button automation to stand up and tear down our entire production server and service environment, and we can quickly and easily build out our infrastructure as needed in new geographical regions. We routinely test our disaster recovery capabilities by standing up a new server in a new data center and restoring all data from backup. Nightly backups of all customer data are securely stored in multiple geographic regions within the US.
 
Changes to Woot Math systems are typically pushed into production in a phased deployment sequence, with careful monitoring and testing throughout the phases. Rollback procedures for production deployments are automated and documented.
 
6. How the data will be encrypted (described in such a manner as to protect data security): Protected Information in electronic form will be encrypted both in transit and when at rest in databases or similar electronic storage environments. All user data and communicated website data is sent over secure HTTPS and SSL protocols that are designed to protect against eavesdropping, tampering, and message forgery. Password credentials are securely encrypted using cryptographic hashes and protected with variable cryptographic salts. Non-reversible hashes of more sensitive information (email addresses, phone numbers) are used in place of the actual data within our systems to the greatest extent possible.

Savvas Learning Company LLC (f/k/a Pearson)

  1. The exclusive purposes for which Protected Information will be used: To facilitate the use of the enVisionmath 2.0 program by the NYC DOE’s students.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Savvas employees with access to customer data receive training regarding data privacy best practices and applicable legal requirements. Subcontractors are bound to process data only for the purpose for which it was provided and not to disclose such data without Savvas’ permission, and are required to implement industry standard procedures and safeguards for the protection of data.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: March 1, 2019 to June 30, 2024. If, within thirty days of termination of this Agreement, the BOE has not requested surrender or destruction of Confidential Information, Savvas shall request in writing that the BOE inform Savvas whether it should continue to hold Confidential Information, or whether it should surrender or destroy it. If the BOE has failed to reply with further instructions to Savvas’ written request within sixty days of it being sent, Savvas shall destroy all Confidential Information.
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI will be stored solely in the United States. Customer data will all be contained within the United States. The PISI is contained within an individual service, isolated from other mechanisms that make up the software. Those mechanisms refer back to the service using a unique identifier that minimizes the exposure of PISI. Furthermore, the PISI is encrypted at rest, encrypted in transmission, and firewall contained to specific systems that may require access to it, within our Virtual Private Cloud (VPC) in AWS. Access to this VPC is also restricted through a bastion system with strictly limited role-based access and is auditable. AWS uses FIPS 140-2 validated HSMs (Hardware Security Modules). Separation of duties and role-based access control limits AWS employees to only monitoring, maintaining the health and providing audit logs. AWS employees are not able to export or use our encryption keys. In addition, AWS complies with ISO 27018, a code of practice that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002 and provides implementation guidance about ISO 27002 controls that is applicable to personally identifiable information (PII) processed by public cloud service providers. For more information, please visit this link: https://aws.amazon.com/compliance/iso-27018-faqs/
  6. How the data will be encrypted (described in such a manner as to protect data security): Beginning with data at its stored (rest) state, it is encrypted using database Transparent Data Encryption (TDE). The data is restricted to and accessed only by the dedicated service tasked with mapping relations from the unique identifier to an individual. All data in this transmission to and from the service is also secured.

Scholastic Inc.

 

The exclusive purposes for which Protected Information will be used:

Scholastic only uses personally identifiable student information to provide students and teachers with access to digital educational products to support NYC DOE’s educational goals and to benefit its students.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE:

Scholastic only shares personally identifiable student information with subcontractors who provide services Scholastic needs to deliver its digital educational products to its customers. Scholastic requires its subcontractors to agree contractually to protect personal information and to use it only as needed to provide services for Scholastic, not for their own commercial purposes. Scholastic reviews the technical capabilities of its subcontractors before engaging them and conducts ongoing oversight, periodic tests, scans and other assessments to ensure subcontractors are meeting Scholastic’s data privacy and security standard and commitments.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement:

Start date: May 4, 2021

End date: N/A. This questionnaire concerns a confidentiality/data security agreement that is meant to protect any student PII the NYC DOE discloses to the Entity currently and in the future, and helps ensure that PII will remain protected for as long as it is needed to render the covered products or services to the NYC DOE. Individual end dates may apply depending on the product, service, or the current or future contractual relationship.

The NDA starts on signing and remains in effect for as long as the agreement continues, but in any event the security and privacy terms of the agreement will remain in effect for so long as Scholastic has any personally identifiable student information of the NYC DOE in its control. Scholastic will delete or permanently de-identify personally identifiable student information at any time upon written request of the NYC DOE, when it is no longer needed for providing the services, but in any event no later than ninety days after the end of the agreement.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected:

Parents, eligible students, teachers or principals can contact studentprivacy@schools.nyc.gov to ask for copies of student data. Scholastic will direct any requests it gets from students or parents about student data to the NYC DOE at the same email address. Scholastic will cooperate with the NYC DOE in responding to any student or parent requests. Teachers and principals may have the ability to access data directly within Scholastic’s digital educational products. 

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security):

Student data is stored in the United States in Amazon Web Services using appropriate administrative, physical and technical safeguards to protect it against unauthorized access, disclosure, alteration or use.

How the data will be encrypted (described in such a manner as to protect data security):

These safeguards include standards that align with the NIST cybersecurity framework. Protected data is encrypted in motion (currently with TLS 1.2 encryption) and at rest (currently with 128-bit AES encryption). Processor conducts periodic risk assessments and keeps audit trails and security logs to assess and remediate vulnerabilities and to protect data from deterioration or degradation. Additional measures include firewalls, anti-virus and intrusion detection, configuration control and automated backups. Data is classified by sensitivity, and access to data is rule- and role-based.

SchoolCNXT, Inc. 

 
1. The exclusive purposes for which Protected Information will be used: All PISI will be used to provide the SchoolCNXT family engagement services.
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: SchoolCNXT agrees that all subcontractors will be bound to and comply with the requirements set forth herein.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: SchoolCNXT will house and maintain the data until the NYC DoE requests in writing that the data be destroyed.  Insofar as there may be temporary lapses in the agreement from year to year, SchoolCNXT will abide by the most recent agreement in letter and spirit until a new one is executed.
 
[NYC DOE comment: The current agreement became effective starting on September 23, 2019 and terminates when all NYC DOE schools and/or offices cease using SchoolCNXT, Inc.’s products/services. The terms of the agreement remain effective through the period during which SchoolCNXT, Inc. possesses or otherwise is in control of covered protected information.]           
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All NYC DoE data is stored in the United States. 
 
6. How the data will be encrypted (described in such a manner as to protect data security): All data is encrypted both in transit via SSL and at rest at the database and disk levels utilizing encryption services provided by AWS.

Scoir, Inc

  1. Type of Entity: Commercial Enterprise 
  2. Contract / Agreement Term

    Contract Start Date: 3/1/2022

    Contract End Date: 2/28/2023 

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Scoir provides a software-as-a-service platform intended to guide high school students in their post-secondary pursuits (the “Services”). The Services enable students to search for and learn about collegiate, scholarship, and career opportunities; to engage with high school counselors and college admissions representatives during the college selection and admissions process; to solicit from high school faculty and administrators the creation and delivery of application-related documents; and to create, manage, and submit their applications for admission to institutions of higher education. The Services include a college guidance management system that enables high schools and their affiliated organizations to monitor and assist students in their post-secondary planning; to engage and collaborate with students, parents and guardians, and college admissions representatives; to manage the creation and delivery of application-related documents to colleges; and to collect, analyze, and report on student engagement, academic achievements, and application outcomes.

  4. Type of PII that the Entity will receive/access: Student PII, and at the discretion of BOE, Processor may also receive/access:
    • Names, title, and email addresses of school teachers and/or administrators; and
    • Names, addresses, and email addresses of parents and guardians.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Scoir maintains an Information Security program to ensure that we are continuously monitoring and mitigating risk as a company. As part of that, Scoir maintains several layers of security around the information we store and process. Scoir will provide security and privacy training for our employees to teach the importance of securing PII. Scoir follows the principle of least privilege for access to our data and systems, and this access is reviewed at least annually. Scoir uses several layers of technical controls such as industry standard encryption, system monitoring, code reviews, automated testing, etc. to protect our data, systems, networks, and other infrastructure. As part of our Information Security program, Scoir will reassess risks to all of our systems at least annually and enhance controls as necessary.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Seesaw Learning, Inc.

1. The exclusive purposes for which Protected Information will be used: We only use this information to provide the Seesaw service.
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Our subprocessors have all signed a Data Protection Agreement with us, which stipulates that any data we share with them will be used exclusively to provide services to us and not for any other purposes. 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Students and their schools will always own the work added to Seesaw. After the agreement expires, students and families will be provided the option to download student work and take ownership of their accounts.
 
[NYC DOE additional information: The current agreement became effective starting on October 2, 2020 and terminates when all NYC DOE schools and/or offices cease using Seesaw’s products/services. The terms of the agreement remain effective through the period during which Seesaw possesses or otherwise is in control of covered protected information.]        
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. 
 

[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data will be stored in the United States. Seesaw takes protecting your security and privacy seriously and we’ve put a number of measures in place to protect the integrity of your information. 
  • All passwords are salted and hashed using [redacted].
  • Seesaw routinely conducts 3rd party security audits to verify the security and integrity of our systems and internal controls. 
  • Data is stored in access-controlled data centers operated by industry leading partners with years of experience in large-scale data centers with 24/7 monitoring.
  • All user information is stored redundantly and backed up in geographically distributed data centers. We utilize multiple distributed servers to ensure high levels of uptime and to ensure that we can restore availability and access to personal data in a timely manner. 
  • We have adopted an internal data access policy that restricts access to personally identifiable information to a limited number of employees with a specific business need (such as for technical support).
  • All employees undergo a background check before beginning employment at Seesaw, sign a nondisclosure agreement, and immediately lose access to all internal systems and data when terminated. No customer information is stored on individual employee computers. 
  • We routinely monitor our systems for security breaches and attempts at inappropriate access.
  • We use encrypted QR codes for family and student access to journal content. 
 

6. How the data will be encrypted (described in such a manner as to protect data security): 

  • Seesaw uses TLS 1.2 security at the network level to ensure all account information and journal content is transmitted securely. 
  • Journal Content (e.g., the photos, video, audio, and other content you add to your Seesaw journal) is encrypted at rest. 
 

Sparkler

  1. The exclusive purposes for which Protected Information will be used: To provide the service, directly and in coordination with the BOE. Aggregated non-identifiable data may also be used to improve the service.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Data protection and security requirements that meet or exceed these requirements are a part of Sparkler’s privacy policy and all employment and contracting agreements used by Sparkler.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The agreement starts on signing, and will extend no more than a year, or until terminated by either party. Protected information held by Sparkler will be deleted at any time at the instigation of either users or the DOE, and at any rate under Sparkler’s policies will be deleted no later than one year after the end of the agreement. [NYC DOE comment: The current agreement became effective starting on April 1, 2020 and terminates when all NYC DOE schools and/or offices cease using Sparkler’s products/services. The terms of the agreement remain effective through the period during which Sparkler possesses or otherwise is in control of covered protected information.] 
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data is stored in the US, using the commercially reasonable protections afforded by AWS. Further provisions are described in the Recipient’s Terms of Use and Privacy Policy.
  6. How the data will be encrypted (described in such a manner as to protect data security): Sparkler is using the industry standard AES-256 encryption algorithm to encrypt all data on the server. For encrypting network communications and establishing the identity of the app, Sparkler is using industry standard SSL/TLS protocols.

ST Math - MIND Research Institute

  1. The exclusive purposes for which Protected Information will be used: Personally Identifiable Student Information (PISI) will be used to enroll/roster students into the ST Math program as well as collect usage and performance data as related to the program (i.e. progression through the program, mastery of standard, time on the program). 
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: MIND Research Institute requires all employees that will handle PISI to agree to and sign our employee handbook which details requirements each employee must adhere to in order to ensure the security of user data. Additionally, MIND Research Institute provides scheduled training and refresher training on best practices in the handling of data and requires employees to participate. 
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: PISI received from a LEA is de-identified or deleted in a reasonable period of time after the relationship between MIND Research Institute and the LEA has been terminated. [NYC DOE comment: The current agreement became effective starting on September 18, 2019 and terminates when all NYC DOE schools and/or offices cease using ST Math’s products/services. The terms of the agreement remain effective through the period during which ST Math possesses or otherwise is in control of covered protected information.]
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): MIND Research Institute's infrastructure is hosted within the United States. We design and implement our systems to provide resiliency against server, segment, and geographic failure, through the implementation of a clustered redundant architecture that yields highly available service endpoints. We utilize service providers whose systems have been certified for compliance with security standards including ISO 27001. 
  6. How the data will be encrypted (described in such a manner as to protect data security): Unauthorized access of User data is a real risk facing the users of today's electronic information services. MIND Research Institute strives to keep informed of these risks, and we work diligently to combat them. One method of protecting User data is to utilize cryptography to prevent data visibility in the event of its unauthorized access. MIND Research Institute leverages cryptography to protect user data in the following two ways:
  • Data in Transit. Our services support Transport Layer Security (“TLS”) to encrypt User communications (TLS 1.0 or greater and only the strongest ciphers). Data transferred between our Site and its end Users (including credential submission, data uploads, and data downloads) are sent over TLS connections, which protect such data using strong encryption, so that data in transit is kept in a private channel between the intended User and our systems.
  • Data at Rest. User data that contains personally identifying information, when “at-rest” (i.e., when in storage) is encrypted using industry standard AES-256. There are two types of "at rest" storage:
    • Database. Database server disk storage is “volume” encrypted (i.e., encrypted at the level of the database).
    • User Files. User files are individually encrypted before being recorded on long-term, secondary storage systems.

STRIDES Via Transportation, Inc. 

 
1. The exclusive purposes for which Protected Information will be used: Scoping for the STRIDES project plan
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: N/A – only Via employees will have access to student, teacher or principal data
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Starts October 15, 2019 and ends upon execution of the Requirements Agreement by and between the Board of Education of the City School District and the City of New York and Via Transportation, Inc., at which point the confidentiality and information security provisions of that agreement will govern use of NYC DOE Confidential Information.
 
[NYC DOE comment: The current agreement became effective starting on October 15, 2019 and terminates when all NYC DOE schools and/or offices cease using Via Transportation, Inc.’s products/services. The terms of the agreement remain effective through the period during which Via Transportation, Inc. possesses or otherwise is in control of covered protected information.]
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
 
[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): The PISI will be stored in the US. 
 
Via servers are hosted on AWS. Access to AWS and Via’s operational tools is granted only through a 2-factor authentication mechanism to authorized personnel. Via requires an authorized account for all network logins; all users have their own credentials and a user in the multi-factor Okta system. 
 
All network and security devices support Secure Shell (SSH) and / or HTTPS for administration of the devices. All of our services are running in secured VPCs, with proper network segmentation and stateless firewalls.
 
6. How the data will be encrypted (described in such a manner as to protect data security): Via uses appropriate encryption technologies to protect data stored on its corporate and production servers based on the sensitivity of the data elements in question. To the extent that Via uses any third-party cloud servers or other storage assets to store sensitive information, the Via information technology and information security teams will configure use of such third-party servers to turn on/enable/use available authentication and encryption technologies. The following minimum encryption protocols will be implemented when creating, storing, or transmitting sensitive data: 
 
Via shall use 256-bit SSL when transmitting sensitive data over the internet. 
 
Wireless network transmissions will be encrypted.
 
Audit logs that contain sensitive data will be sanitized or removed from the logs. 
 
Via uses AWS Key Management Service as the main KMS. AWS KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect our keys. 
 
AWS KMS is integrated with AWS CloudTrail to provide audit logs of all key usage. 
 
All endpoints that connect to Via’s network are disk-encrypted using industry-standard encryption. Personal client information is never stored on the client-side device.

Suntex International Inc. (First in Math)

  1. The exclusive purposes for which Protected Information will be used: We do not absorb, display or store any sensitive data in this process. As part of a typical data sync, the district will provide information regarding the school buildings, the classrooms that exist, and the teachers that are assigned to those classrooms. Lastly, a list of students and what classes they belong to is provided. In the most common application, these files are transmitted nightly through Clever. The syncing process will automatically establish accounts, preserving the teacher/student relationship. As this relationship changes, and students move to a different classroom or school building, this change is reflected in the vendor’s website. If a student no longer appears in the data feed, the student will be held in a reset/deactivated status until they appear again. Teachers that are no longer teaching the classrooms associated with the program will be removed as indicated by the feed. There are some cases where the relationship is not correctly reflected in the SIS, or the student’s classroom assignment is ambiguous. In this case the teacher may use tools to find students that are deactivated or exist in an unassigned pool for that grade level using a drag and drop tool. The teacher may also examine a roster and determine that a student is either no longer in that classroom, or that they no longer exist within that school, or reset a password, though passwords are not relevant when an SSO sign in method is being used. A building level administrator may have additional tools to move students to different classrooms within the building.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Suntex does not use subcontractors. Company employees follow proper policy in handling data for initial import of district data, troubleshooting, and customer service. We take reasonable measures to protect the confidentiality of the Data as required by applicable federal and state laws and regulations. We establish technical and physical security measures to ensure the confidentiality, integrity and availability of the Data.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Traditionally, we retain the current school year and one-year prior of data. Before each school year we purge any older data. At the end of the contract period or upon request, information will be returned to NYC DOE, or at such point that the Data are no longer needed for the purpose referenced in this Agreement, or, at the sole discretion of NYC DOE, securely destroyed, and all electronic Data purged from the network in a manner that does not permit retrieval of the data.
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data will be stored within the Atlanta Data Center of Aptum Technologies, 106 Jefferson Street, Suite 300, San Antonio TX 78205 (formerly Cogeco Peer 1), a top-tier and leading hosting provider. Multiple approaches to data security include physical security (CCTV, biometric access control, on-site guards), network and application protection, including DDoS protection, hardware firewall, load balancer, and access through VPN only. The next layer of security includes alert logic monitoring and McAfee enterprise anti-virus. Web Site access is only allowed using SSL (2048-bit). The environment is kept clean, installing only the necessary applications and features, and is kept up-to-date with the latest security patches. 
  6. How the data will be encrypted (described in such a manner as to protect data security): All data in motion will be encrypted either via Secure HTTP (HTTPS), SFTP, or another approved encryption mechanism. In general, Email send and receive is protected by TLS in its transmission, but is not generally an acceptable means of passing confidential information.

TalkingPoints

  1. The exclusive purposes for which Protected Information will be used: To provide a two-way translated messaging platform between school & district administrators, teachers and parents.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: As described in Attachment B, TalkingPoints has implemented strict controls over physical, environmental, and software security for all employees and contractors.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: TalkingPoints will either delete or return, within a commercially reasonable period of time but not to exceed 45 days, all personally identifiable information upon the expiration of any agreement when requested to do so by notification from the contracting party. [NYC DOE comment: The current agreement became effective starting on May 29, 2020 and terminates when all NYC DOE schools and/or offices cease using Talking Points’ products/services. The terms of the agreement remain effective through the period during which Talking Points possesses or otherwise is in control of covered protected information.] 
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. Any parent, student, eligible student, teacher or principal may correct inaccurate student data or teacher or principal data that is collected. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information will be stored in the U.S. As described in Attachment B of the Agreement, TalkingPoints’s infrastructure is built on industry-tested technology and security practices.
    • TalkingPoints uses encryption, firewall, and network security software.
    • TalkingPoints uses single sign-on (SSO) and two-factor authentication (TFA).
    • Low-level auditing software is supported for all external providers (AWS, Atlas) to record potentially malicious actions that may take place.
    • TalkingPoints runs periodic penetration tests, then logs and resolves discovered issues.
    • All TalkingPoints clients use TLS/SSL when communicating with our servers.
    • TalkingPoints has a host-based intrusion detection system to detect unauthorized access to production hosts.
    • Audit logs are sent to a central location for storage and analysis. Access to production servers and interaction with production systems is audited and logged.
  6. How the data will be encrypted (described in such a manner as to protect data security): All student data or teacher or principal data is stored on cloud servers within the United States and protected with industry standard and best practices procedures, including AES256-CBC encryption when in transit and when stored at rest.

Tech4Learning, Inc.

1. The exclusive purposes for which Protected Information will be used: To access the Wixie online authoring tool.

2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: N/A - We will not share student data with subcontractors or other persons or entities.

3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: At agreement start protected data will be uploaded by NYC DOE staff to Wixie. At agreement end protected data will be deleted unless return instructions are provided.

[NYC DOE additional information: The current agreement remains effective through the period during which Tech4Learning, Inc. possesses or otherwise is in control of covered protected information.]

4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Contractor. 

[NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov.]

5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected data is stored in our San Diego, CA-based data center. Data is protected via biometric, physical, and logical security.

6. How the data will be encrypted (described in such a manner as to protect data security): Data transmitted to Wixie and data at rest will be secured using industry best practices.

TestOut Corporation

The exclusive purposes for which Protected Information will be used:

To facilitate the student using our online courseware – LabSim. LabSim is TestOut’s learning platform. It delivers our certification and courses, including our best-of-class IT simulations. It also provides tools for educators to manage and assess student learning. The LabSim courses keep students engaged and allow them to monitor their progress. LabSim is a flexible and cost-effective solution for IT education.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE:

Processor does not utilize subcontractors which have access to Confidential Information.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement:

Upon expiration or termination of the Agreement, Processor will securely destroy all Confidential Information within 60 days. All data destruction will follow the NIST SP800-88 guidelines. If requested by DOE, Processor will provide Confidential Information to DOE in an agreeable format prior to securely destroying all Confidential Information.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected:

Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security):

Processor employs industry standard measures to protect Confidential Information from unauthorized access while the data is in transit or at rest, which align with the NIST Cybersecurity Framework. Data in transit is encrypted with TLS 1.2 and data at rest is encrypted with AES-256. The servers are hosted in an environment using a firewall that is updated according to industry standards. Passwords are protected following the password guidelines in Article 4.3 of NIST 800-63-3. We only provide access to Confidential Information to employees that are performing the Services. All data stored is on servers located in the United States.

How the data will be encrypted (described in such a manner as to protect data security):

Data in transit is encrypted with TLS 1.2, and data at rest is encrypted with AES-256.

TPR Education LLC

The exclusive purposes for which Protected Information will be used:

To fulfill TPR’s obligations under its agreement with the DOE, including but not limited to test preparation and tutoring services.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE:

Subcontractors do not have access to confidential data.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement:

For the term of the underlying agreement. At contract end, Protected Information will be deleted as provided in the underlying agreement between the DOE and TPR.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected:

Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security):

All data resides in the United States. Systems are protected using industry standard security practices by using a combination of encryption, role/group-based permissions, firewalls, and passwords.

How the data will be encrypted (described in such a manner as to protect data security):

Data will be encrypted at rest using AES-256 at the disk level, with SQL encryption on certain fields, and TLS 1.2 SSL for encryption in transit.

Vanguard Direct, Inc.

  1. The exclusive purposes for which Protected Information will be used: To communicate information to students and/or parents/guardians on behalf of different DOE divisions.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: All subcontractors are required to sign an equivalent NDA with the Processor.
  3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: All information used for the mailing will be purged from Processor’s system and a destruction certificate will be provided to the NYC DOE.
    • [NYC DOE additional information: The current agreement became effective starting on January 13, 2021 and remains effective through the period during which Vanguard Direct, Inc. possesses or otherwise is in control of covered protected information.]
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Stored only in the US.
  6. How the data will be encrypted (described in such a manner as to protect data security):
    • Data in transit will use either Secure Shell (SFTP) or TLS over FTP (FTPs).
    • Data at rest are encrypted using 256-bit SSL (Secure Sockets Layer).

Worked, Inc

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term
    Contract Start Date: 5/16/2022
    Contract End Date: 5/27/2022
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. WorkED is creating a 20-hour Cybersecurity Externship which is a Work Based Learning Program for NYC DOE high school students to engage with Cyber careers.
  4. Type of PII that the Entity will receive/access: Student PII
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. 
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.
  8. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  9. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  10. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We collect the minimum amount of data required to successfully operate our programs. In the case where information is obtained from a student that is under the PII label, we only keep that sensitive within our lead teacher, leadership, and lead host team members. Everyone is trained on the right practices. All sensitive data collected in our service is encrypted and aligned with best practices and we have controls which support this collection and data use.
  11. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

WSD Digital LLC (dba ReFrame Solutions)

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term:

    Contract Start Date: 7/19/2021

    Contract End Date: 7/19/2022

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

    The ReFrame system is housing student first name and last name. The ReFrame System is housing parent or guardian phone number only. The system receives updated student first name and last name from school Principal. Parent phone numbers are received from school Principal. This PII data is used for communication purposes only for the Bronx Technology and Engineering Academy.

  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ReFrame Engage is delivered on a SaaS (Software as a Service) basis, with Cloud hosting supplied by a secure, highly reliable, and redundant AWS Cloud (using geographically diverse data backup). The application is designed to provide access to data on a need-to-know basis, always protecting PII and privacy including the segregation or suppression of sensitive data where appropriate based on Role Permissions. All data is encrypted in transit and at rest. Employees undergo annual cybersecurity training as part of HR policy.
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Xello Inc

  1. Type of Entity: Commercial Enterprise
  2. Contract / Agreement Term: [NYCDOE Comment: Agreement with Xello Inc was signed on 11/3/2021]
  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Xello provides college & career readiness software that allows students to discover relevant college, university, trade, military and career options based on their personality, skills, and knowledge. Xello requires certain PII in order to provision accounts for teachers and students, and for teachers to be able to interact with their students.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
  8. Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

    Physical Controls:

    • Environmental control (constant temperature and humidity maintenance, particulates filtration), fire suppression systems, redundant power sources and UPS backup.
    • Round the clock physical security (card entry, video monitoring of the facilities).
    • Data center access logs (Azure).

    Administrative Controls:

    • Utilization of the principle of least privilege.
    • Vulnerability testing.
    • Security awareness training (including FERPA and COPPA).
    • Criminal background checks on all employees.
    • Employee NDAs.

    Technical Controls:

    • Logging and auditing of network access.
    • Continuous monitoring (SIEM)
    • Firewall & endpoint protection.
    • Network segregation.
    • Encrypted data in transit through the use of TLS 1.2
  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Zearn, Inc.

  1. Type of Entity: Community Based Organization or Not-for-Profit
  2. Contract / Agreement Term:

    Contract Start Date: Various

    Contract End Date: June 30, 2023

  3. Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Protected Information will be used only as necessary for Zearn to perform the services associated with Zearn School Accounts. The PII will be used to roster the students, deliver Zearn’s services, and provide in-app reporting on student progress to the LEA.
  4. Type of PII that the Entity will receive/access: Student PII.
  5. Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
  6. Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “PII will be securely destroyed within 30 days of expiration or termination of the applicable Services Contract.”
  7. Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.

    All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

  8. Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor.”
  9. Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

    Zearn will ensure that subcontractors and third-party service providers with whom Zearn shares Protected Information abide by all applicable data protection and security requirements by entering into written agreements whereby such parties will perform their obligations in a manner consistent with the data protection and security requirements outlined therein.

    Protected Information will be stored in a secure data center in the United States using monitoring of the access doors, fire and security monitoring, system health and intrusion monitoring, data backups and retentions.

    Data storage and access will comply with the Advanced Encryption Standard (AES) with minimum of 128-bit key encryption.

  10. Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.

Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Zoobean LLC

The exclusive purposes for which Protected Information will be used:

Students’ first and last name will be used to personalize the experience when logged into our application. Their email address or school district username will be used for authentication purposes in the instances where SSO [NYCDOE comment: single sign on] isn’t available. Their age and/or grade level will be used to place them into the appropriate reading challenges for their age group. Finally, their section enrollment will be used to allow their teachers access to their reading history and achievement data.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE

We do not share student data with subcontractors or anyone outside of full-time employees directly supporting our work with NYC DOE. All Zoobean employees are required to complete a background check including social security number trace, nationwide criminal database search, sex offender registry search, county criminal court search, and domestic watchlist search. Employees attend semiannual company training and performance reviews that may include, but are not limited to, abiding by all current data protection and security requirements.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement:

When the agreement expires and NYC DOE no longer wishes to utilize our application, all data related to their district will be fully deleted from the database and all stored backups. Once the data is fully destroyed, the application will disconnect from the preferred NYC DOE SSO & Rostering service and their sites fully decommissioned.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected:

Pursuant to its contractual obligations, the Contractor will work with the NYC DOE to process requests for copies of, and challenges to the accuracy of, Protected Information in the custody or control of the Contractor. Such requests should be directed to studentprivacy@schools.nyc.gov. We obtain our student/teacher data directly from 3rd party vendors like Clever and Classlink, or custom integrations. In all of those instances, we have the means to import the data so it matches the data found in those services.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security):

All information will be stored in the US.

How the data will be encrypted (described in such a manner as to protect data security):

The data in the database is encrypted at rest and all data is encrypted end-to-end while in transit via TLSv1.2.

Zoom

1. The exclusive purposes for which Protected Information will be used: To provide the Services as described on Attachment A.
The personal data transferred may be subject to the following basic processing activities:
 
• account configuration and maintenance;
• facilitating conferences and meetings between data subjects and third party participants;
• hosting and storing personal data arising from such conferences and meetings solely for the purposes of providing the services;
• customer/client technical and operational support.
 
 
2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Zoom shall ensure that each subcontractor is contractually bound by an agreement that includes confidentiality and data security obligations equivalent to, and no less protective than, those found in Zoom’s agreement with the NYC DOE.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Within thirty (30) days of contract termination, Customer may download any stored Protected Information. After that thirty (30) day window, Zoom will delete in accordance with its data deletion protocols.
 
[NYC DOE comment: The current agreement became effective starting on May 1, 2020 and terminates when all NYC DOE schools and/or offices cease using Zoom's products/services. The terms of the agreement remain effective through the period during which Zoom possesses or otherwise is in control of covered protected information.]
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.
 

[NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All content stored by Customer will be stored in the US via Amazon Web Services (“AWS”).
 
Zoom uses a network of co-located data centers to provide the real-time communications service to our customers. Customers/End Users are connected to the co-location that is nearest to their geographic location. At the customer request certain datacenters can be disabled on the account. Data does not permanently reside in the co-located datacenters. Zoom leverages AWS in the U.S. for persistent storage of Customer Content (i.e., cloud recordings, chat logs, meeting reports).
 
Zoom has data centers in the following locations:
New York
San Jose, California
Denver
Toronto
Amsterdam
Sydney
Melbourne
Frankfurt
Tokyo
Sao Paulo
Mumbai
Vancouver
China
 
Zoom follows the recommended security controls established by the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Zoom's security framework includes role based security access controls (RBAC) that enable or prevent access to client data based on the principle of "least privilege" necessary for an employee's job function. Additionally, technologies are in place to protect against outside threats, including controls such as network perimeter firewalls, security groups, intrusion detection systems/next-generation firewall (advanced threat protection), file integrity monitoring (FIM), security information and event management (SIEM), endpoint anti malware protections, and company-wide multi-factor authentication to Zoom IT resources, to mention a few.
 
Additionally, Zoom is working towards incorporating compliance with NIST 800-53 standards and leveraging these standards for the further development and maintenance of its overall, strategic security plan.
 
6. How the data will be encrypted (described in such a manner as to protect data security): For Zoom client (application):
By default, Zoom encrypts in-meeting and in-webinar presentation content at the application layer using TLS 1.2 with Advanced Encryption Standard (AES) 256-bit algorithm.
 
For dial-in participants joining by phone, the audio is encrypted until it leaves Zoom's data centers and is transferred to the participant's phone network.
 
Encryption can be required for H.323 and SIP devices joining Zoom meetings. This setting is configured at the account level, group, or user level. Once enabled, encryption will need to be enabled on these devices when joining your Zoom meeting or they will receive an error and be unable to join.
 
Note: You can also enable or disable encryption for chat.
 
For more details, please refer to the article: https://support.zoom.us/hc/en-us/articles/201362723-Encryption-for-Meetings
 
Data at rest is protected leveraging Amazon Server Side Encryption (SSE) using 256-bit Advanced Encryption Standard (AES-256).