Vendors R-Z

New York Education Law §2-d gives parents the right to access certain information about agreements the NYC DOE has entered into with outside entities (such as vendors) who are permitted to receive or to access identifiable student information from the DOE. These entities are required to answer a number of questions about their privacy and data security practices. Responses from such outside entities to these questions are found below. Please note that this page will be updated on a periodic basis with responses from additional outside entities.

PLEASE NOTE: The entities listed below do not comprise a list of “approved DOE vendors” and therefore should not be thought of as such. Some entities listed below may have agreements that have expired or were terminated, but whose information has not yet been moved or removed. Other entities, whose names do not appear below, may have agreements with the DOE, or agreements that are in progress, but their responses are still being processed and have not yet been posted. Additionally, there are some entities that do not collect personally identifiable information. Their information may not appear below. 

Listed in Alphabetical Order:

R K Software

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. This agreement is for our firm to provide Staffing Augmentation to the DOE for a range of services including Software Development, Network Engineering, Server Deployment and Management, Business Analysis, and Project Management. All of the staff we provide will work with NYC DOE equipment and within DOE systems. No PII will be received or stored by our firm or anyone other than the staff hired to work with the DOE. R K Software Inc.’s staff members, consultants, or subcontractors working with the DOE may need to access PII to troubleshoot issues, develop initiatives, provide adequate support, communicate with relevant parties or other similar reasons.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: R K Software Inc.’s staff members, consultants, or subcontractors will only access PII; they will not store, host, or collect any PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below. We will not store, host or collect any PII.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. R K Software Inc.’s staff members, consultants, and subcontractors will be trained to handle Student PII information. They will follow the security practices and protocols described in our Education Security Policy, particularly those listed in Section II on confidential information and privacy.

  • R K Software Inc.’s staff members, consultants, and subcontractors keep all confidential information private through many security measures in compliance with the NIST Cybersecurity Framework. All confidential information is kept in confidence and not disclosed to anyone or any third party, not used for the benefit of R K Software Inc. or another entity, or for any other purpose than that agreed upon with the New York City Department of Education.
  • R K Software Inc.’s staff members, consultants, and subcontractors use commercially reasonable efforts to secure and defend any system housing confidential information against third parties who may seek to breach the security thereof, including but not limited to breaches by unauthorized access or making unauthorized modifications to the system.
  • R K Software Inc.’s staff members, consultants, and subcontractors protect all confidential information when in transit and at rest. When in transit, information and data are encrypted. When at rest, information and data are protected by passwords, firewalls, and other measures. Scripts and queries cannot penetrate the encryption or protections.
  • Confidential information may be in the original format or a copy. Both are equally protected.
  • When R K Software Inc. and its staff members, consultants, and subcontractors no longer need to have confidential information, the information will either be returned (in a secure way) to the New York City Department of Education or destroyed so that the data are unusable and unrecoverable.
  • Any reports or applications which contain confidential information will have prominent confidentiality notices in legible-sized fonts on each page.
  • Web applications containing confidential information will be non-cacheable.
  • Confidential information will not appear in URLs.
  • In development, test, and QA environments test data that is NOT confidential will be used.
  • R K Software Inc. and its staff members, consultants, and subcontractors will review and comply with any additional requirements from the New York City Department of Education.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. No PII will be stored or hosted by Entity.

Raj Technologies (also called RTI) (for a Vaccine Tracker)

Type of Entity: Commercial Enterprise

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Contractor will be responsible for the provision of support services for the Vaccine Tracking Enhancements Project to provide information about COVID-19 and test results to ensure the safety of students, staff and communities. Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.

Type of PII that the Entity will receive/access: Student PII. “The Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “The Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. “The Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.”

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. “The Contractor is prohibited under its agreement with the NYC DOE from accessing, storing, collecting or otherwise using PII on anything but DOE-owned or -controlled networks, data systems, devices or applications, and so there will be no PII in its custody or control for it to delete or destroy.”

Rally! Education

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. RALLY! Education® digital products use advanced encryption technology to protect online data. The purpose of each digital product is to help students understand and master the NY Next Generation Learning Standards and prepare for the spring NY State Tests. Our digital programs stand alone on secured website servers. There is no need to access all student PII - we only require student, teacher, and admin email addresses and school-created passwords to set up the program - no other confidential information is needed or required. Our programs do not require All transmission of data other than diagnostic student, class, and grade reports using Secure Sockets Layer (SSL) protocols to encrypt the data being transmitted. In addition, all educational student and teacher names are stored on RALLY! Education® secured servers and are encrypted. RALLY! Education® servers use the latest security software to detect and defend from attacks and unauthorized access and are monitored daily. All transmission of data utilizes Secure Sockets Layer (SSL) protocols to encrypt the data being transmitted. In addition, all educational and personal information stored on RALLY! Education® servers is encrypted. RALLY! Education® servers use the latest security software to detect and defend from attacks and unauthorized access.

Type of PII that the Entity will receive/access: Student PII. The vendor specifies that “NYC DOE is the sole owner of any student and teacher data. The only information that is needed is the student’s name and teacher email/or ID and any passwords that the site or DOE sets up. For example, teachers and students can use their assigned NYC DOE ID number as their passwords or create unique passwords”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor specifies “RALLY! Education® is the sole source provider, and we do not contract with third-party providers.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. The vendor specifies that “All data is deleted on the RALLY! Education® servers. NYC DOE is the sole owner of all reports by student, class, and grade.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All class rosters provided to RALLY! Education® are the sole owner of NYC including the reporting data. Unless directed, there is no link between NYC DOE's website and our digital products. Depending on which products are purchased, each school receives access to a password protected URL unique to each school. We use password protected logins for all access on our secured servers. Administrators, teachers, and students also receive unique passwords to access the specific level of the product. (Administrators have access to all levels purchased, teachers have access only to the students in their class or classes, students can only access their grade level.) Diagnostic Reporting tools can be found within the Administration and Teacher portals. The reports can be downloaded and shared for meetings - no other private information is needed or required. During each semester, additional classes and students can be added or updated, and NYC is the sole owner. At the end of the agreement term, NYC will have copies of the data within the system for the school year. If NYC DOE prefers that RALLY! Education® set up the school's passwords, we will do it within the confines of what the DOE requires. If NYC DOE uses Class Link®, we follow the secured protocols as stated by Class Link® for PII (although our products do not require complete PII access). In addition, RALLY! Education® uses advanced encryption technology to protect online data. All transmission of data utilizes Secure Sockets Layer (SSL) protocols to encrypt the data being transmitted. In addition, all educational and personal information stored on RALLY! Education® servers is encrypted. RALLY! Education® servers use the latest security software to detect and defend from attacks and unauthorized access and are monitored daily.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor specifies “RALLY! Education® encrypts all student and teacher data. All diagnostic reports are available through a unique login. No other confidential information is needed or shared. NYC DOE is the sole owner of any student and teacher data. The only information that is needed is the student’s name and teacher email/or ID and any passwords that the site or DOE sets up. For example, teachers and students can use their assigned NYC DOE ID number as their passwords or create unique passwords.”

Ramapo for Children

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 12/2020 – 6/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Facilitation of a Youth Council for the Office of Community Schools.

Type of PII that the Entity will receive/access: Student PII

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor’s response: “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedure outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Ramapo employees store and access data on a custom Salesforce platform with restricted levels of access depending on the staff role. Salesforce is built with security to protect data and applications by limiting exposure of data to the users that act on it. Authentication protocols prevent unauthorized access to data by making sure each logged in user is who they say they are. Careful consideration is given to choosing the data set that each user or group of users can see, thereby limiting the risk of stolen or misused data. Specific objects (such as attendance lists or coaching notes) are only accessed by selected profiles.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. The vendor checked the box “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Reading Horizons

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Tech-enabled foundational reading instruction that helps all students reach reading proficiency.

PII: IP Addresses of users, Use of cookies, etc., Other application technology meta data, meta data on user interaction with application, standardized test scores, language information (native, or primary language spoken by student), student school enrollment, student grade level, specific curriculum programs, student scheduled courses, teacher names, English language learner information, Local (School district) ID number, Provider/App assigned student ID number, Student First and/or Last name, Program/application performance, Academic or extracurricular activities a student may belong to or participate in.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Azure, AWS, Google.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Reading Horizons enforces role-based access controls, maintains comprehensive data privacy policies, and conducts regular employee training. Technical controls include encryption, robust network security, and vulnerability assessments.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Reading Plus

The exclusive purposes for which Protected Information will be used: To set up and manage your subscription to use the Reading Plus application. To set up and maintain your individual use account. To administer and protect the Reading Plus application (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data). To use data analytics to improve our Reading Plus application and customer relationships and experiences. For research purposes to better understand how we can develop and improve our Reading Plus application and/or create new products to help students become better silent readers and independent learners. To send marketing communications to teachers and administrative users.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: All Subcontractors sign binding NDAs that bind them to data protection agreements that Reading Plus LLC is part of. 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Following expiration or termination of the agreement under which the Client purchased access to the Reading Plus web-based products or services, and upon receipt of written request from the Client, Reading Plus will destroy or, if agreed, return to the Client, the Student Records in its possession within a commercially reasonable period of time. 

[NYC DOE comment: The current agreement became effective starting on August 30, 2019 and terminates when all NYC DOE schools and/or offices cease using Reading Plus LLC’s products/services. The terms of the agreement remain effective through the period during which Reading Plus LLC possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data is stored within the United States, encrypted in transit and at rest. We have put in place reasonable and appropriate security measures designed to prevent your personal data from being accidentally lost or used or accessed, altered or disclosed accidentally or in an unauthorized way. In addition, we have put in place policies and protocols designed to limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know.

How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted in transit with SHA-256 with RSA encryption. Data is encrypted at rest with AES-256 encryption algorithm.

ReadWorks

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ReadWorks allows students to read our material and submit responses to questions and writing prompts as part of an online class. All data is stored exclusively for educational purposes, primarily to ensure the smooth functionality of the website itself. No student PII is utilized for commercial or marketing purposes, nor is it retained after a student’s use of the site is discontinued by that student’s teacher.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ReadWorks stores and processes student data in accordance with industry best practices. This includes encryption and appropriate administrative, physical, and technical safeguards including firewalls to secure Student Data from unauthorized access, disclosure, and use. We conduct periodic risk assessments and remediate any identified security vulnerabilities in a timely manner. We regularly perform system audits and work to ensure all of our software has the latest security-related patches and updates.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Really Great Reading Company

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2022 – 8/31/2029

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Really Great Reading’s Products are designed to provide foundational reading skill instruction for students in grades PK‐12 via Teacher Online Tools, Reading Playgrounds, and Virtual Implementation Training Courses for our Phonics Suite Programs. Really Great Reading receives and accesses PII for purposes of providing students with practice opportunities within Really Great Reading’s Reading Playground digital platform and facilitating the monitoring of student performance and progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data in motion is secured with standard HTTPS protocol Transport Layer Security (TLS). Data stored at rest is encrypted, as are its automated backups, read replicas, and snapshots using Amazon AWS RDS encryption. Keys are managed with the AWS Key Management Service (KMS). All data is stored in a password protected database with strong password requirements, server-based firewall limiting data access to those end‐points necessary, and limits to development roles that have access to production data. Only business‐necessary PII will be stored. RGR applications are hosted in Amazon Web Services (AWS). More information about the physical security of AWS data centers may be found on the AWS website. Access to PII and application data will be limited to only those employees who necessarily require access to data in the performance of their role with projects. Employees who have access to PII must complete Security Awareness Training (Coursera) and demonstrate awareness and discretion in their day‐to‐day practices related to security and handling of sensitive information. Employees must sign or acknowledge these policies as they relate to their role. Background checks are conducted on all employees. In the event of unauthorized access or data breach related to the client's application data, RGR will provide requisite notification in accordance with Section 5(f) of this Agreement.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Red Circle Solutions (for School App Express)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. School App Express is a product that provides custom apps for schools, which schools can operate through a website. The app sends out push notifications, makes mass calls (when schools are closed, etc.), sends mass emails, and sends mass text messages as well. School App Express does not collect or store any data for students or parents that is not related to messaging and communication.

Type of PII that the Entity will receive/access: Student PII and Other: Staff PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data is encrypted by Azure Transparent Data Encryption. Employees must use MFA to access cloud services.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Rediker Software

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 3/1/2022 – 2/28/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. To provide a Student Information System to manage student-related data as the system of record.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution; and we use Microsoft Azure to host our teacher, parent, and student products. Microsoft is not a subcontractor but a Cloud service provider which is a company that provides a cloud-based platform, infrastructure, application, or storage services, usually for a fee. We do not provide access or provide consent to any Microsoft Representative to work on our servers or databases that are provisioned to our customers. Access to customer data by Microsoft operations and support personnel is denied by default. Microsoft does not inspect, approve, or monitor applications that customers deploy to Azure. Moreover, Microsoft does not know what kind of data customers choose to store in Azure. Microsoft does not claim data ownership over the customer information that's entered in Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Rediker Software Inc. has implemented security policies and standards that govern and protect customers’ data. Our policies and standards are periodically revised and updated to comply with laws and regulations such as FERPA, COPPA, GDPR, HIPAA, PCI-DSS, NYE DOE Standards, and more. Rediker Software Inc. is committed to safeguarding the confidentiality, integrity, and availability of customers’ data by adopting:

  • Secure Access Control
  • Data Segregation
  • Data Redundancy
  • Encryption
  • Data and Application Security

All platforms are highly secure and are equipped with standardized measures to manage, monitor, and protect our customers’ data.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Regents Booster

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2022 – 8/31/2029

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We created an online learning program with a controlled environment where each student can advance at his or her own pace. The full high school curriculum on certain science and history subjects is now being offered in digital format and allows for note-taking, highlighting, audio, bookmarking, encyclopedia lookup for further research, search options, and translations, helping students who have difficulty reading or for whom English is their second language. The digital eBook copy can also be used together with the printed copy, further enabling the retention of the materials taught in class.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, specifically “Amazon secure data centers using AWS and GCP technology.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We have a Platform that has implemented industry best in class security, privacy, and compliance controls. Regent Boosters has a platform that is CCPR, GDPR, PCI DSS compliant, with a star level 1 certificate. Our Physical Infrastructure is hosted & managed by the Amazon Secure Data Centers and uses AWS and GCP Technology and is constantly managed for Risk and undergoes recurring assessments to ensure compliance to industry best standards. All student/ user data is hosted in the USA, Data is encrypted in transit (SSL/TLS) and at rest AES 256.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Remind101

The exclusive purposes for which Protected Information will be used: Remind will process Personally Identifiable Student Information (PISI) as necessary to perform the Services pursuant to the Terms of Service (https://www.remind.com/terms-of-service), and as further instructed by relevant parties in its use of the Services.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Remind will use a vendor risk management process to evaluate new vendors and monitor existing vendors on an annual basis. The following review areas are considered for vendors with whom personal data is exchanged: Compliance Status, Compliance Report Details, if applicable, Contractual Terms (confidentiality and data protection), Data Retention, and Data Security Controls.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Remind will adhere to the obligations set forth in our Privacy Notice and other Terms and Policies published at https://www.remind.com/terms-of-service.

[NYC DOE comment: The current agreement became effective starting on April 10, 2020 and terminates when all NYC DOE schools and/or offices cease using Remind101, Inc.’s products/services. The terms of the agreement remain effective through the period during which Remind101, Inc. possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Remind will store data in cloud-based data centers located in the United States.

How the data will be encrypted (described in such a manner as to protect data security): Data transmitted across untrusted networks will be protected in transit using TLS V1.2 and will be stored at rest in an encrypted state using AES-256 bit encryption.

Renaissance Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 10/1/2021 – 9/14/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. To fulfill the services requested by NYC DOE (e.g. to provide Renaissance educational products to NYC DOE school Customers). [DOE comment: The educational products included are Renaissance Accelerated Reader, Freckle, myIGDIs for Preschool, myON, Renaissance Star Assessments, and Lalilo.]

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII is stored in the United States for all Renaissance products except Lalilo. Lalilo PII is currently stored on servers located in France but we anticipate moving to US servers for our US Lalilo customers in the near future; PII is encrypted at rest and hosted in the cloud by Amazon Web Services (AWS). PII transferred on the Internet is over HTTPS. Backups are also handled by AWS and backups are also encrypted at rest.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Renzulli Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 4/1/2021 – 6/30/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Renzulli Learning is an interactive online system that provides students with a personalized learning environment, allowing teachers to easily differentiate instruction to increase engagement and achieve higher academic performance. Renzulli Learning has resources that promote and enable ALL students to pursue their interests, providing equity, innovation and creativity for grades Pre-K through 12. Students are empowered by doing creative, imaginative projects that provide rigorous learning outcomes.

The Renzulli Profiler quickly identifies student strengths, interests, learning and expression styles and then matches each student with thousands of personalized engaging Enrichment Activities. Renzulli Learning features robust student grouping which supports our revolutionary strength-based Project Based Learning (PBL) system.

Research shows that Renzulli Learning benefits all Students including:

  • Gifted and Talented Students
  • High Achieving Students
  • At Risk Students
  • Students with Special Needs
  • English Language Learners (ELL)

Renzulli Learning supports the development of 21st Century Learning Skills for all students, including: critical thinking, creative problem solving, creativity, time management, communication, teamwork, and global competency through our Global Collaboration module. The system has been used by millions of students across the globe, consistently increasing engagement which research demonstrates will lead to higher achievement. Renzulli Learning is available to all students throughout the school year, before, during, and after school, and all throughout the summer as well!

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Renzulli Learning utilizes LightEdge Solutions, Inc., an ISO/IEC 2700:2013 certified company with Corporate Headquarters in Des Moines, Iowa. LightEdge uses several third-party systems to manage data. The systems reside within LightEdge’s internal network and utilize a web-based application only accessible from the corporate network or through a cloud provider using single sign-on (SSO) to access data. Vulnerability assessments and penetration testing are performed on a monthly and annual basis to identify threats. Any identified security vulnerabilities are triaged by their security team and monitored through resolution. Policies are in place that prohibit the transmission of sensitive information over the internet unless it is encrypted. Risk mitigation activities include the identification, selection, and development of control activities that reduce the assessed risks. LightEdge maintains administrative, technical, and physical safeguards to protect confidential information including provisioning, controlling, and monitoring of physical access into the data centers and office facilities.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Replications

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/2021 – 1/2028

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We are providing Community School Support services that include parent outreach, attendance support, and after school programming. We use PII for the purposes of contacting family members so we can coordinate services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Device Security – EDR deployed on every laptop and workstation to provide security throughout the environment. MFA deployed on M365 accounts storing all relevant data within OneDrive & SharePoint. Document encryption capabilities when sharing sensitive data. Training was provided on best practices. BitLocker encryption enabled on all devices in case of loss or theft. Change Management – Access to additional information not previously approved must be approved by a director or manager prior to release.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Rising Ground

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. As part of City Council’s “Crisis Management Services” initiative, Rising Ground provides trauma-informed therapy and support to teens within two NYC public schools. Our Youth for Change programs offer individual and group counseling on topics such as consent, healthy relationships, self-image, coping skills, healthy masculinity, mediation, and offer socioemotional support. Additionally, we co-facilitate health classes and offer mediation sessions. We also train staff and administrators regarding strategies to integrate healthy relationships and communication skills.

Rising Ground staff do not have access to student records or school systems. As standard counseling practice, personal contact information is collected, from the students themselves, to remain in contact with students (i.e. should they miss a scheduled appointment). This enables a counselor to contact a student when they miss an appointment to ensure they are okay and reschedule. Information collection is NOT required to receive services, but rather to assist in student engagement. There is no access to educational records. Personal identifying information (such as names, phone numbers and/or email addresses) is solely used to engage students in the therapeutic services we provide. Information is kept on a securely-saved electronic spreadsheet and not shared with anyone outside of approved program staff.

All Rising Ground staff are required to be trained and attest to confidentiality protocols which are governed by federal, state and local laws. This includes, but is not limited to, social service law, child welfare, educational (FERPA), health (HIPAA) laws and regulations.

Type of PII that the Entity will receive/access: Student PII

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor’s response: “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedure outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Cloud Service Provider – Expedient Cloud services solution; IaaS – Infrastructure as a Service (Servers -VMs), DRaaS – Disaster Recovery as a Service Backups for all servers and data.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Rising Ground fully appreciates the importance of sound record management and has strict policies and procedures which ensure that all records are maintained within local, state and federal laws and standards. All personnel, medical, client and financial files are maintained in accordance with our Confidentiality and Document Retention Policies. All records are filed and stored systematically, in fire-proof settings, and only employees in need of access to records are granted such access. Our Confidentiality Policy ensures that employees understand that any personally identifiable information regarding a person’s health, mental health, education, family or employment is considered confidential and that confidential information is protected by the law. Employees are strictly prohibited from inappropriate or unauthorized disclosure of such information. To protect our software, hardware and the confidentiality of staff and client information, all internet access is filtered and monitored using antivirus, anti-spyware programs. Our Documentation Retention Policy ensures that necessary records and documents are adequately protected. Others are safely stored at a record storage facility. All employees are trained in our Confidentiality Policy, and relevant employees are trained in the Document Retention Policy. Both internal and external audits ensure that these standards are observed and that confidentiality is continually maintained.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. The vendor checked the box “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Riverside Assessments (also called Riverside Insights)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Riverside Insights uses PII exclusively for the purposes of delivering and improving educational and clinical assessment services. Examples of such uses include rostering students/examinees, inputting assessment responses, scoring assessments, and providing customer service.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

Administrative Safeguards: Riverside follows Role-Based Access Controls, granting access only to authorized individuals who have a need to access information as part of their work responsibilities. Personnel complete regular cybersecurity training, and Riverside conducts social engineering simulations throughout the course of the year, assigning additional training to individuals who fail the simulations.

Technical Safeguards: Riverside conducts quarterly vulnerability scans and annual penetration testing on the application. We are in the process of implementing an end point protection solution provided by SentinelOne and use the Rapid7 suite of products to detect potential incidents and threats. PII is encrypted both at rest and in transit. All data stored on Riverside’s systems is protected with file system, network share, claims, application, or database specific access control lists. Riverside uses email gateway products provided by Sophos to centrally manage spam protection mechanisms, including signature definitions, in order to reduce the introduction of malicious software to client systems.

Physical Safeguards: The application is hosted in SSAE16 SOC 2 Type 2 audited hosting centers. Our third-party managed hosting provider maintains facilities that are designed from the ground up to minimize risk of power and climate control failure. Our hosting provider performs periodic testing and auditing of their facilities. All facilities have full battery and generator power, so in case of an outage, power is maintained indefinitely.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Roads to Success

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 9/07/2023 – 6/26/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Roads to Success is the lead partner at PS/MS 57, the James Weldon Johnson Academy, our only community school located in East Harlem, where we serve 527 students in grades 3K-8. PII is essential for implementing our programs, facilitating targeted interventions through case conferencing, advisement sessions, and data trend observation, ultimately contributing to students' academic success and well-being.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft OneDrive.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The Roads to Success Community School Contract at MS 57 employs a comprehensive approach to protect Personally Identifiable Information (PII) and mitigate data privacy and security risks. While the full details of our safeguards are sensitive and proprietary, we can provide an overview of our measures:

  • Administrative Safeguards:
    • The executive team and our IT department are responsible for overseeing and implementing our data protection protocols.
    • Regular training programs are conducted for all personnel who handle PII, ensuring awareness of data privacy laws, security practices, and our internal policies.
    • Access to PII is strictly controlled and limited to authorized personnel on a need-to-know basis, with user roles and permissions carefully defined and monitored.
    • We conduct thorough background checks and reference screenings for all employees and contractors who handle PII.
  • Technical Safeguards:
    • PII is stored in secure, encrypted databases with access controls and multi-factor authentication mechanisms in place to prevent unauthorized access.
    • Robust firewalls, intrusion detection systems, and advanced threat detection technologies are deployed to safeguard against external threats.
    • Regular software updates and patch management ensure that security vulnerabilities are promptly addressed.
    • Data transmission is encrypted using industry-standard protocols to prevent interception and unauthorized access.
  • Physical Safeguards:
    • Physical access to our data centers and server rooms is restricted to authorized personnel only, with strict access controls, surveillance, and security measures in place.
    • Facilities housing PII are equipped with environmental controls to ensure optimal conditions for data storage.
  • Risk Mitigation:
    • We conduct regular risk assessments and vulnerability assessments to identify and address potential security gaps.
    • Incident response plans are developed and regularly tested to ensure swift and effective actions in case of data breaches or security incidents.
    • We maintain strong partnerships with cybersecurity experts and engage in ongoing threat intelligence monitoring.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Rockalingua

Type of Entity: Commercial Enterprise

Contract / Agreement Start Date: 2/2/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Rockalingua is an educational website for Spanish teachers and students. Through engaging content (videos, songs, interactive games, short stories and more) students will gain proficiency in the Spanish language. We offer two types of teacher subscriptions. The basic teacher subscription includes access to all of our resources and a generic student account so that students can access from their own devices. The Pro account gives teachers access to all of the resources and our learning management system where they can create classes, assign tasks and monitor student work. We have an integration with Google, Clever and Classlink.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and Vercel.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Our platform is NIST SP 800-53 certified, data is encrypted, and we are FERPA and COPPA compliant. Penetration tests are regularly conducted to ensure the security of our system and all personnel are trained annually.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Rosetta Stone

The exclusive purposes for which Protected Information will be used: The exclusive purposes for which “student data” or “teacher or principal data” (as those terms are defined in Education Law Section 2-d and collectively referred to as the “Confidential Data”) will be used by Rosetta Stone, Ltd. (the “Vendor”) are limited to the purposes authorized in the contract between the vendor and the NYC DOE (the “Contract”).

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: The Vendor will ensure that any subcontractors, or other authorized persons or entities to whom the Vendor will disclose the Confidential Data, if any, are contractually required to abide by all applicable data protection and security requirements, including but not limited to those outlined in applicable state and federal laws and regulations (e.g., Family Educational Rights and Privacy Act (“FERPA”); Education Law §2-d; 8 NYCRR Part 121).

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The Contract commences and expires on the dates set forth in the Contract, unless earlier terminated or renewed pursuant to the terms of the Contract. On or before the date the Contract expires, protected data may be exported by the School District in the client facing administrator tool and/or destroyed by the Vendor as directed by the School District. 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Confidential Data provided to Vendor by the School District will be stored in the United States and protected as per the Student Records Data Privacy Policy.

How the data will be encrypted (described in such a manner as to protect data security): The Vendor will apply encryption to the Confidential Data while in motion and at rest at least to the extent required by Education Law Section 2-d and other applicable law.

Saga Innovations (Saga Education)

The exclusive purposes for which Protected Information will be used: Protected Information will be exclusively used for the educational purposes intended within the contracted services, to enable and enhance the tutoring experience of the participating NYC DOE students.
 
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: All subcontractors and other authorized persons will be subject to data protection and security policies and agreements that encompass, at a minimum, the requirements under the non-disclosure agreement with the NYC DOE.
 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The Protected Information will be destroyed, or to the extent requested by NYC DOE and possible, returned to NYC DOE.

 [NYC DOE comment: The current agreement became effective starting on April 15, 2020 and terminates when all NYC DOE schools and/or offices cease using Saga Education’s products/services. The terms of the agreement remain effective through the period during which Saga Education possesses or otherwise is in control of covered protected information.]

 
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information will be stored in the US. Data storage, cloud servers and services are located in state-of-the-art Amazon Web Service (AWS) data centers, or comparable cloud-service provider data centers with many years of experience in designing, constructing, and operating large-scale data centers.
 
Our operations team is trained and experienced with respect to state-of-the-art security mechanisms and policies for cloud-based services. We employ engineers and managers who have worked in other domains with critical security and availability concerns including military systems, satellite communications systems, and the website operations of large multinational companies. 
 
We routinely audit our systems for security vulnerabilities, proactively monitor security-related websites and other outlets for information on new vulnerabilities and best practices, and make system updates as needed.
 
AWS data centers (and all of our production servers and services) are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. When a storage device has reached the end of its useful life, data center procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. 
 
Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network used by our systems. We use a wide variety of automated monitoring systems to provide a high level of service performance and availability. These monitoring systems are designed to detect unusual or unauthorized activities and conditions at ingress and egress communication points. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts. Our systems are extensively instrumented to monitor key operational metrics. Alarms are configured to automatically notify operations and management personnel when early-warning thresholds are crossed on these metrics. AWS security monitoring tools help identify several types of denial of service attacks, including distributed, flooding, and software/logic attacks. Woot Math and AWS have additional protections in place against common attack vectors including Distributed Denial Of Service Attacks, Man in the Middle Attacks, IP Spoofing, Port Scanning, Packet Sniffing, Injection Attacks, and Cross-Site Scripting Attacks.
 
Our systems are architected for high availability; the core systems are deployed in N+1 and N-to-N redundancy configurations; and the system is protected against single points of failure. Servers are maintained across multiple availability zones. The availability zones are all redundantly connected to multiple tier-1 Internet providers. In addition to discrete uninterruptible power supply and onsite backup generation facilities, each is fed via different grids from independent electrical utilities. Because of this architecture, our services are resilient in the face of most failure modes, including natural disasters or system failures.
 
We have, in addition, a comprehensive disaster recovery strategy. We have push-button automation to stand up and tear down our entire production server and service environment, and we can quickly and easily build out our infrastructure as needed in new geographical regions. We routinely test our disaster recovery capabilities by standing up a new server in a new data center and restoring all data from backup. Nightly backups of all customer data are securely stored in multiple geographic regions within the US.
 
Changes to Woot Math systems are typically pushed into production in a phased deployment sequence, with careful monitoring and testing throughout the phases. Rollback procedures for production deployments are automated and documented.
 
How the data will be encrypted (described in such a manner as to protect data security): Protected Information in electronic form will be encrypted both in transit and when at rest in databases or similar electronic storage environments. All user data and communicated website data is sent over secure HTTPS and SSL protocols that are designed to protect against eavesdropping, tampering, and message forgery. Password credentials are securely encrypted using cryptographic hashes and protected with variable cryptographic salts. Non-reversible hashes of more sensitive information (email addresses, phone numbers) are used in place of the actual data within our systems to the greatest extent possible.

Sam Labs

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SAM Labs software app “SAM Studio” is an educational coding platform for kindergarten - 8th grade students to learn the basic foundations of coding, allowing students to pair with hardware blocks to bring the code to life. Our lessons range across different focus areas of STEAM and Computer Science, and can be used in specialist courses like STEM Specials, Computer Science Class, general education environments, and Makerspaces.

We are a subscription service. In order for students and teachers to access the platform, we only require an email address. Teachers are currently rostered by our Customer Success team once the subscription date is set. This includes the teacher name and email aligned to the school NCES ID. The teacher’s name can be any chosen username that will appear in their account profile. This does not need to be the teacher’s real name; it can be a chosen username or nickname if desired. Once rostered, then teachers and admin will have instant access.

Teachers can manually create classes and upload student rosters on their own. When rostering, the only PII required from students is a working email. SAM Labs will never send email to these student accounts; this is only to create a unique identifier for the student being rostered. The student’s name can be any chosen username that will appear in their account profile. This does not need to be the student’s real name; it can be a chosen username or nickname if desired as the teacher uploads the roster. Once the .csv is uploaded, the student can access the account with the same email address.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. SAM Labs is like a superhero for your data! We understand that your information is precious, and we have a number of ways to keep it safe, just like a superhero protecting the city.

  • Magic Shields (Encryption): We use a sort of magic shield called ‘encryption’ that scrambles your data into a secret code while it’s being sent or stored. Only the right ‘key’ can unscramble it, so it’s safe from bad guys trying to peek!
  • Secret Passcodes (Access Controls & Authentication): Just like a secret superhero base, only people who really need to see your information can access it, and they need special passcodes. We also double-check everyone’s identity before letting them in!
  • Super-Secure Fortresses (Physical Security Measures): We team up with Amazon Web Services (AWS), who provide us with super-secure fortresses (data centers) around the world to store your information. These fortresses have top-notch security like fences, guards, cameras, and even environmental controls to protect against things like fire.
  • Time Capsules (Data Backup and Retention): We regularly put copies of your data in a digital ‘time capsule’, just in case we need to go back in time and restore any lost information.
  • Security Check-ups (Regular Security Assessments): Like regular health check-ups, our security experts regularly inspect our safety measures to ensure they’re still super strong. At SAM Labs, your data’s safety is our mission. If you have any questions about how we keep your information safe or want to report any issues, feel free to contact us at privacy@samlabs.com. We’re here to help!

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Samuel Field YM & YWHA

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Samuel Field YM & YWHA has worked to identify key PII, as defined in 34 CFR § 99.3, that it must receive to provide contracted services to youth and families. Services provided will include counseling and interventions with key personnel including social workers, to develop and implement afterschool activities, special community events, family engagement and referral to community resources and linkages. The collection of key PII will allow for us to appropriately record and track enrollment, attendance data and facilitate counseling. Where appropriate, PII data collection will be collected through the program’s informed consent application, which includes parent consent to disclose student and family names; addresses; and student information including DOB, race/ethnicity, gender, disability status, English Language Learners status. The collection of this key PII will allow for the program to efficiently report on key cohort characteristics and to make certain that recruitment and service delivery effectively target/address the populations targeted for this proposal submission. The purpose of the collection of student and family names will be used to ensure record attendance and safe sign-outs of the program daily. This data is essential to ensure that our program provides a safe and secure environment for all students that we serve. Key staff will utilize this data to make sure that students are appropriately accounted for at all times while scheduled to be in programming. It is imperative that attendance data is collected as it directly informs the culmination of key program outcomes, including the number of students that participate in services for the target hours of service as well as attendance performance indicators for specific categories.
Due to the nature of the service, it is possible that counseling notes will include PII as defined as “Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.” These notes are necessary to ensure continued, effective mental health support for those receiving the services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Exponent Partners/Salesforce.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

  • A child’s PII will be collected and disclosed only as necessary to achieve educational purposes in accordance with state and federal law.
  • A centralized staff person is responsible for supervision and monitoring appropriate safeguards, policies, and practices in place to protect the data.
  • Staff will participate in mandatory 2-part training about applicable laws, policies, and safeguards associated with industry standards and best practices; consistent with NYC DOE’s data security and privacy policy.
  • Encryption, firewalls and password protection will be mandatory for all emails and cloud usage to electronically transmit sensitive PII information.
  • Samuel Field YM & YWHA, Inc. will not maintain copies of participant’s PII once PII is no longer needed for the educational purpose for which the DOE has disclosed PII.

Samuel Field YM&YWHA Inc. invested in a highly secure system, Exponent Partners. Exponent Partners is a system that requires unique usernames and passwords that must be changed frequently for protection. Access to programs and permission settings will be determined by staff and administrative usage; staff will only receive access to PII as needed to perform their job responsibilities. All data is naturally encrypted while being stored in a user access system via secure HTTPS connection. In addition, there is regular security code scanning to assess if there are any susceptibilities in the system.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Savvas Learning Company

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2022 – 6/30/2029

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Savvas provides K-12 instructional materials and related services to the DOE, some of which require PII such as student and teacher names in order to facilitate instruction and to track students’ performance.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Savvas will store PII on servers in a secured facility in the United States operated by a world-class hosting provider. Savvas will maintain an information security program of policies, procedures and controls governing the processing, storage, transmission and security of data (the “Security Program”). The Security Program includes industry-standard practices designed to protect data from accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access. Savvas regularly tests, assesses and evaluates the effectiveness of the Security Program and may periodically update the Security Program to address new and evolving security threats, technology and practices. No such update will materially reduce the commitments, protections and overall level of security provided to customers.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

SCAN-Harbor

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SCAN-Harbor provides services under the Community Schools strategy demonstrating that an integrated focus on academics, health and mental health services, social services, expanded learning opportunities (afterschool and summer enrichment activities), positive youth development, and family and community partnership, is critical to improving student achievement and bolstering equitable outcomes for all students, including vulnerable populations.

PII is being accessed to assess need and to track service outcomes. Data is used to identify students with low and chronic attendance, to provide food, clothes and toiletries to those students that live in temporary housing and services to the students in need of mental health counseling.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft 365 OneDrive.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Some physical files used are maintained by SCAN-Harbor, and others are owned by the New York City Department of Education. Physical files managed by SCAN-Harbor are housed in a locked file cabinet in the Program Office. Digital data is stored electronically via a secured cloud-based program whose encryption at rest and in communication uses Advanced Encryption Standard (AES) with 256-bit keys and is Federal Information Processing Standard (FIPS) 140-2 compliant. This policy only applies to those in SCAN-Harbor's exclusive possession. At the end of the retention period determined by the contract or upon request, SCAN-Harbor will return and securely delete or destroy PII. All information will be returned to the NYC DOE after the agreed retention period, or at such point that the data is no longer needed for the purpose referenced in this agreement, or, at the sole discretion of DOE, securely destroyed. All electronic data is purged from the network in a manner that does not permit retrieval of the data following these procedures.

Secure Deletion: Electronic data is securely erased using industry-standard data destruction methods. This may involve overwriting data multiple times or using specialized software to ensure data cannot be recovered.

Deletion Timeline: Once a file in OneDrive has been marked for deletion, it is placed in a recycling bin as a means of recovery for accidental deletion. After 30 days the file is securely deleted and cannot be recovered even by IT administrators.

All paper files will be shredded using SCAN-Harbor's secure data shredding system.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Scholastic Inc (for digital curriculum)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

  • BookFlix: Pairs animated stories from Weston Woods with best-selling nonfiction ebooks from Scholastic to build real-world knowledge and early literacy skills.
  • FreedomFlix: Offers a range of text types and media on more than 70 key social studies topics spanning ten areas of core-curriculum study.
  • LitCamp Powered by Literacy Pro: Combines reading and writing lessons (K-8) with a fully digital summer school approach to accelerate learning. Children are immersed in personalized learning experiences while building their social-emotional skills, knowledge and vocabulary necessary for reading comprehension success.
  • PreK On My Way: A new comprehensive program that welcomes every child into the classroom, celebrating their strengths as they take the next step on their learning adventure!
  • Rising Voices Libraries: Provide students with high interest, culturally relevant texts that give context to today’s world while celebrating the stories of the historically underrepresented. These books, paired with innovative teaching materials aligned to the CASEL framework, build a classroom community that broadens the world for students from all backgrounds and enables deep discussions on inclusivity, social justice, and empathy for others. Each Rising Voices collection includes a digital resource website featuring mentor videos, continued-learning resources, discussion guides, standard correlations, and more to help teachers implement the program.
  • Scholastic F.I.R.S.T.: Foundations In Reading, Sounds & Text, is a highly adaptive, foundational reading program for Grades PreK–2. Through explicit phonemic awareness training and systematic phonics instruction, F.I.R.S.T.’s research-based pedagogy trains the brain to master “speed of listening.” Students become automatic in their decoding skills, preparing them to read fluently and increase their reading comprehension.
  • Scholastic GO!: Offers credible, accurate, reliable content on every core-curriculum topic in a clean, easy to navigate interface.
  • Scholastic Literacy: A unique blended learning approach to standards informed comprehensive literacy instruction with a focus on balancing the rigor and flexibility that educators need to meet today’s high expectations. With unparalleled access to authentic and culturally relevant texts in every area of the literacy block, Scholastic Literacy is designed to engage readers, support social-emotional development, and help students become lifelong independent thinkers, readers, and writers.
  • Scholastic Literacy Pro: A blended solution for Grades K–8 that empowers teachers to ensure effective reading for all students—in and out of school. It provides students with a single resource to read ebooks and track reading progress on both print and digital titles, while giving teachers real-time, actionable data about reading levels, activities, and comprehension.
  • Scholastic Magazines+: A blended, subscription-based solution that ignites student engagement through relevant, high-interest stories and powerful digital teaching tools. Magazines in print and digital are available for grades PreK-12.
  • Scholastic RISE: A short-term intervention that provides targeted, small-group instruction in reading comprehension, word study and phonics, and guided writing. Based on Jan Richardson’s The Next Step Forward in Guided Reading, the RISE framework offers daily instruction for students who are reading six to 36 months below grade-level benchmarks. With RISE Online, instructors can assign students texts, monitor student progress, and access videos and other resources to easily facilitate remote instruction. Students can access assigned texts for extra reading practice on any device.
  • Scholastic W.O.R.D.: Supercharges vocabulary acquisition and strengthens reading comprehension in a new and engaging way. With a thematic approach, W.O.R.D. prepares students to think critically and creatively about the world around them. By providing deep background knowledge, W.O.R.D. presents vocabulary as a tool for building meaning across all areas of learning—reinforcing students’ retention of skills learned throughout the school year.
  • ScienceFlix: Integrates age-appropriate scientific content, interactive features and intuitive navigation to build knowledge and a lasting interest in scientific discovery.
  • Short Reads Digital: Engages classrooms with access to fiction and nonfiction short texts at every guided reading level, and extends learning with teacher materials to accompany each text.
  • The Scholastic Leveled Bookroom 5.0: A whole-school (K-6), small-group instructional system with over 6,000 books, 780 short reads, 24/7 access to instructional resources with the digital Accelerator, and professional books and services.
  • TrueFlix: Provides thousands of resources to strengthen both educator instruction and student learning of science and social studies content-area knowledge.
  • Watch & Learn Library: Builds learning excitement while providing the background knowledge and vocabulary necessary for reading comprehension success.
  • LitLeague: LitLeague is an exciting new program that provides a joyous and interactive literacy experience for students in an engaging social-emotional literacy learning environment where children participate in book-related activities including read-alouds, group discussions, independent reading, writing activities, games, and songs. Tailored for expanded-learning times, after-school, extended day, English language learners, and more.
  • Next Step Guided Reading: The Next Step Guided Reading Assessment uses proven Assess-Decide-Guide teaching system to determine students’ reading levels and target instructional next steps. From the key text features in the assessment texts to the evidence-based comprehension questions, the Next Step Guided Reading Assessment provides teachers with a way to assess students and teach them the skills to meet higher standards.
  • Scholastic Edge: Using engaging, authentic text, EDGE connects striving readers to relevant and essential content needed for future academic success.
  • Scholastic REAL: REAL (Read, Excel, Achieve, Lead) is a new program devoted to giving school districts the tools needed to recruit, encourage, and equip mentors to inspire students and build literacy skills.

Scholastic collects PII to provide students and teachers with access to its digital education technology products to support the BOE’s educational goals, to benefit its students, and to support product users. More specifically, PII is used, subject to applicable law and any contractual requirements:

  • To support instruction and adaptive, personalized learning
    • By enabling administrators and educators to tailor and optimize use of the products to the needs of a particular school, classroom or student
    • By permitting educators to review student work and monitor student performance and progress, to facilitate lesson planning
    • By providing reporting capabilities at the district, school or class level (depending on the product), including in some cases cross-product performance data
    • By enabling students to access information shared by their teachers (assignments, content), track their progress, maintain files of their work, create book collections and play educational games
    • By suggesting other content or activities to students (but not for purchase or in the form of advertising)
  • To authenticate users, maintain user sessions and facilitate return access
  • To communicate with Scholastic’s education customers (teachers/BOE personnel only, not students)
  • To ensure products run properly and support optimal user experience
  • To diagnose problems, troubleshoot issues, and provide maintenance and support
  • To detect and investigate unlawful activity and protect the security of Scholastic’s products, systems and customers
  • To calculate royalties

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the Entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law. The Entity also states that “In some circumstances, with permission of the education customer, student PII may be retained to facilitate rostering in a subsequent period and/or resumption of product use. Teacher/BOE staff PII may be retained as part of the parties’ business relationship and/or in connection with separate accounts such persons may have with Scholastic. Note, data deletion/destruction may take the form of permanent, irreversible overwriting or de-identification to the extent permitted by law.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. These safeguards include standards that align with the NIST cybersecurity framework. Protected data is encrypted in motion (currently with TLS 1.2 encryption) and at rest (currently with 128-bit AES encryption). Processor conducts periodic risk assessments and keeps audit trails and security logs to assess and remediate vulnerabilities and to protect data from deterioration or degradation. Additional measures include firewalls, anti-virus and intrusion detection, configuration control and automated backups. Data is classified by sensitivity, and access to data is rule- and role-based.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

School Data Corp

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. School Data Corp. helps schools see how well students are performing over the course of the school year. We track how well they are reading, writing, or performing on the tests they take. We put this information in a teacher‐friendly format so teachers and principals can see which students are doing well, and which students need additional help or support. I need PII so that I can identify individual students by their ID number to generate reports and assign them to their subgroups.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. “School Data Corp. uses Dropbox, but the information within Dropbox is encrypted and cannot be accessed or read by anyone at Dropbox. There is no sharing of unencrypted PII.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the Entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Dropbox.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All emails are encrypted. All data stored is encrypted. Our network is protected by a firewall. No paper records are maintained.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

School Specialty, LLC (for Coach Digital and Catch Up with Coach)

The exclusive purposes for which Protected Information will be used: Coach Digital Platform allows students to access tests and workbook pages online for instruction, practice, or assessments. Teachers will assign content to students and use this data for progress monitoring, assessment reporting, and targeting educational gaps.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: School Specialty maintains the necessary administrative and technical requirements to safeguard the security and privacy. Our teams work on company devices or virtual desktop environments within a secure VPN and two-factor authentication. Only Platform Developers and Support Admin roles can access PII to support customers. School Specialty staff participate in an annual code of ethics certification for protecting company information and data. All data on the platform is either protected via SSH or SSL connections for intraplatform communication and via HTTPS for web communication. School Specialty staff must sign Non-Disclosure Agreements, pass a background check, and participate in a companywide Security Awareness certification annually. All contractors must adhere to company Master Service Agreements and SOWs.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: [DOE comment: School Specialty’s agreement with the DOE is dated March 8, 2021]. Data is encrypted and deleted at the request of school or school district. 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: School Specialty, LLC will use Clever Rostering for student and teacher data. Data in Clever is shared at the discretion of NYC DOE. Data shared from NYC DOE SIS. School Specialty, LLC will work with the NYC DOE in processing challenges to the accuracy of student data.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): The Coach Digital Platform is hosted on a domestic Amazon Web Service Environment. The Amazon VPC Environment has Enterprise Level Support and 24/7 Managed Services for Security VPC, VPN, Firewall, and endpoint Management.

How the data will be encrypted (described in such a manner as to protect data security): The data in motion is encrypted with TLS 1.2. The Coach Digital Platform collects minimal data and will utilize Clever Secure Sync and SSO [Single Sign On]:

  • Teachers and Administrators: First and Last Name and Clever ID
  • Students: First and Last Name, and Clever ID.

The Coach Digital Platform utilizes AWS SSL and the VPC ELBs have Security Groups with least privileges enabled. Connectria LLC is in the process of finalizing a proposal to be fully compliant with this requirement.

School Specialty (for ThinkLink)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 10/5/2023 – 10/4/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ThinkLink is an online learning management system that students use to access content specific to their learning. PII is used to track student performance.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Administratively, we have robust policies and procedures that are overseen by a team of security professionals, ensuring stringent management and monitoring of access to PII.

Technologically, we utilize state-of-the-art encryption methods and firewalls. We also employ physical measures to secure our premises and data centers, ensuring that only authorized personnel have access.

Additionally, we employ proactive strategies such as intrusion detection systems and vulnerability scans to identify and address potential security risks before they escalate.

Periodic reviews and audits are conducted to ensure that our security measures meet or exceed industry standards and regulatory requirements.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Schoolbinder (also called TeachBoost)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 10/1/2022 – 9/30/2029

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. TeachBoost is a performance management and educator development platform for K-12 schools. We work with NYCDOE schools and organizations to help them completely manage the evaluation, feedback, coaching, and development process for their staff, educators, and other support personnel. TeachBoost also works alongside the NYCDOE’s ADVANCE reporting system, handling the compliance requirements for DOE administrators.

We request, store, and process DOE employee PII for the sole purpose of providing these performance management and operational services. For instance, we request and store staff rosters and employee names and email addresses for employee user accounts, and we request, store, and process employee evaluation ratings as entered by DOE staff and administrators.

Type of PII that the Entity will receive/access: APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Amazon AWS and Linode.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We protect PII in a number of ways, summarized on our Data Security commitment at https://teachboost.com/terms/data-security.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

SchoolCNXT 

 
The exclusive purposes for which Protected Information will be used: All PISI will be used to provide the SchoolCNXT family engagement services.
 
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: SchoolCNXT agrees that all subcontractors will be bound to and comply with the requirements set forth herein.
 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: SchoolCNXT will house and maintain the data until the NYC DoE requests in writing that the data be destroyed. Insofar as there may be temporary lapses in the agreement from year to year, SchoolCNXT will abide by the most recent agreement in letter and spirit until a new one is executed. 

[NYC DOE comment: The current agreement became effective starting on September 23, 2019 and terminates when all NYC DOE schools and/or offices cease using SchoolCNXT, Inc.’s products/services. The terms of the agreement remain effective through the period during which SchoolCNXT, Inc. possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All NYC DoE data is stored in the United States. 
 
How the data will be encrypted (described in such a manner as to protect data security): All data is encrypted both in transit via SSL and at rest at the database and disk levels utilizing encryption services provided by AWS.

SchoolMint (also called SchoolRunner)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Schoolrunner is a comprehensive data management system that simplifies day-to-day operations with straightforward, powerful and actionable data. Schoolrunner makes it easy to track attendance, student behavior, grades, and more. School administrators can easily see where students or teachers are struggling and can provide the support they need. Parents can see how their kids are doing via a real-time feed in the mobile app and can even get notifications when attendance or grades drop below certain thresholds.

The system allows for greater ease of use than current systems and also offers more flexibility so that schools can use data to achieve their goals. For example, some schools want to move to a mastery-based grading system which Schoolrunner supports. Schoolrunner also offers parents communication with built-in automated language translation to any of over 100 languages.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Users and employees are permissioned to access the information they need based on their role in the system while restricting them from accessing information not needed for their role. Data and backups are encrypted in transit and at rest. Access to key infrastructure services is limited to a small number of engineering leaders and is protected by multi-factor authentication. Monitoring, logging, and alerting systems provide additional layers of security.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

SCO Family of Services (Learning to Work)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2023 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SCO’s LTW program is designed to complement the academic component of each transfer high school. The program aims to provide support to over-aged and under-credited students, helping them complete their academic requirements to earn a high school diploma. Our LTW program assists students in acquiring the tools and competencies needed to succeed in their pursuit of postsecondary education, training, and career development. PII is essential for coordinating educational efforts, offering internship opportunities, and monitoring attendance and academic progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. SCO has implemented the following safeguards to protect the security of PII:

  • Administrative Safeguards:
    • A designated Security Officer and Privacy Officer responsible for the development and implementation of privacy and security policies and procedures that outline how PII is collected, used, stored, and shared.     
    • Access to PII is limited to authorized individuals on a need-to-know basis and only as permitted under the law.
    • All SCO employees and contractors who access PII receive training on SCO’s policies and procedures and Federal and State laws governing privacy and security of PII.
  • Physical Safeguards:
    • Established rules for authorizing and restricting access to SCO’s computers, network, applications, workstations, mobile devices, and areas where PII is accessible.
    • Policies and procedures to ensure that PII stored or transported on storage devices and removable media is appropriately controlled and managed. 
    • SCO requires the use of keycards to access locations where data is stored.
  • Technical Safeguards:
    • SCO utilizes internal and external systems that are inaccessible to unauthorized individuals, including assigned User ID and passwords, firewalls, anti-virus protection and multi-factor authentication.

SCO uses encryption of data in transit and storage and access controls, and implements regular and encrypted backups.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Scoir

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 3/1/2022 – 2/28/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Scoir provides a software-as-a-service platform intended to guide high school students in their post-secondary pursuits (the “Services”). The Services enable students to search for and learn about collegiate, scholarship, and career opportunities; to engage with high school counselors and college admissions representatives during the college selection and admissions process; to solicit from high school faculty and administrators the creation and delivery of application-related documents; and to create, manage, and submit their applications for admission to institutions of higher education. The Services include a college guidance management system that enables high schools and their affiliated organizations to monitor and assist students in their post-secondary planning; to engage and collaborate with students, parents and guardians, and college admissions representatives; to manage the creation and delivery of application-related documents to colleges; and to collect, analyze, and report on student engagement, academic achievements, and application outcomes.

Type of PII that the Entity will receive/access: Student PII, and at the discretion of BOE, Processor may also receive/access:

  • Names, title, and email addresses of school teachers and/or administrators; and
  • Names, addresses, and email addresses of parents and guardians.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Scoir maintains an Information Security program to ensure that we are continuously monitoring and mitigating risk as a company. As part of that, Scoir maintains several layers of security around the information we store and process. Scoir will provide security and privacy training for our employees to teach the importance of securing PII. Scoir follows the principle of least privilege for access to our data and systems, and this access is reviewed at least annually. Scoir uses several layers of technical controls such as industry standard encryption, system monitoring, code reviews, automated testing, etc. to protect our data, systems, networks, and other infrastructure. As part of our Information Security program, Scoir will reassess risks to all of our systems at least annually and enhance controls as necessary.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Seesaw Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

  • General Description: Seesaw is the most intuitive, robust and easy to use cloud-based K-5 digital portfolio in the education space. Seesaw Lessons are Standards-Aligned, Ready-to-Teach & Flexible supplementary curriculum resources that are designed for PK-5th grade classrooms. Lessons adapt to whole class, centers, and independent learning in any setting.
  • Account Information: When teachers, parents, family members, or school administrators create an account on Seesaw we collect their name, email address, password, and profile picture. Seesaw may also collect an adult user phone number if it is entered into their Account Settings. Teachers using Seesaw to communicate with Families may add a family member’s email or phone number to Seesaw in order to send messages or updates about school work to the appropriate parent or family member. Students cannot create an account by themselves, but must be invited to a Seesaw class by a teacher or school administrator. Where students have permission to use Seesaw, Seesaw collects personally identifiable information about them including their names, email addresses, and profile picture. This information may be entered by a teacher or the student or populated from the student’s account with a third party sign-in service, such as their Google account.
  • Journal Content: Seesaw collects content that is added to a class or student journal. This content may be photos, drawings, files, notes, hyperlinks, and other ways of documenting student learning. Seesaw regularly adds types of information that can be uploaded to a Journal, and these are all covered by this Policy. Comments on posts in a class journal are also collected. These comments may be text, or if Seesaw is allowed to access the microphone on the device, voice recordings. Journal Content that is uploaded by a student or teacher may be considered a student education record as defined by FERPA.
  • Messages: Seesaw collects messages that are sent and received in Seesaw by teachers, family members, and students.
  • Activities: Teachers may use Seesaw to create activities to use with their students. Activities may include text or voice instructions for how to complete the activity, an example of a correct response or a template for students to edit.
  • Activity Author Profiles: Teachers who choose to publish activities to the Community Activity Library or the Activity Library managed by their school or district can also create an Activity Author Profile. This includes the name and profile picture they choose to publish on their Author Profile, as well as their school name and location.
  • Communications: Seesaw collects any information sent to us directly, such as email communications.
  • Information from a user’s Google Account or other Third-Party Sign-in Service: Seesaw allows teachers, parents, family members, and students (after being invited by a teacher) to sign up for and log into our service using a Google or Clever Account. Teachers can also create student accounts on behalf of students in their class. When Seesaw creates an account using one of these Third-Party Services, we use the name, profile picture, and email address (if available) provided by these services.
  • Log Data: When using Seesaw, log data is received such as IP address, browser type, operating system, device information, and mobile carrier. In addition, information such as the referring web page, referring search terms, and pages visited may be received or collected. If Seesaw is being used by a teacher, parent, or administrator, Seesaw may use that IP address to determine the approximate location for the purposes of sending customized marketing and other information about our products.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Seesaw routinely conducts 3rd party security audits to verify the security and integrity of our systems and internal controls. Data is stored in access-controlled data centers operated by industry leading partners with years of experience in large-scale data centers with 24/7 monitoring. We routinely monitor our systems for security breaches and attempts at inappropriate access. Journal content (e.g. photos, video, audio, and other content added to a Seesaw journal) is encrypted in transit and at rest. Seesaw uses TLS 1.3 security at the network level to ensure account information and journal content is transmitted securely. We have also adopted an internal data access policy that restricts access to personally identifiable information to a limited number of employees with a specific business need (such as for technical support). Data is also accessible to our sub-processors, who are required to sign a Data Processing Agreement that limits their ability to access and use data.  

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Shutterfly Lifetouch

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Shutterfly Lifetouch, LLC ("Lifetouch" or "Entity") is a trusted provider of school photography services throughout North America since 1936. In preparation for Picture Day, Lifetouch collects certain roster data from the school or district, to be used solely as follows:

  • To produce and deliver to schools the products and services as described in the Photography Services Agreement (the "School Deliverables");
  • To deliver Picture Day notices on behalf of the school and provide parents of students photographed opportunities to purchase student and class pictures and yearbooks;
  • To verify parent authorization to order student photographs; and
  • As otherwise specified by the Agreement.

For the avoidance of doubt, this Agreement does not apply to (a) information collected from customers who opt to purchase products directly from Lifetouch and/or establish a Lifetouch family account; or (b) Lifetouch photographs, except as incorporated into the School Deliverables.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; and using an Entity-owned and/or internally hosted solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Lifetouch has implemented a variety of physical, technical, and organizational security measures to help protect School Data from unauthorized access and use.

  • Facilities. Lifetouch produces portraits and School Service Items within its own U.S.-based photo labs. Lifetouch data, including School Data, is maintained in cloud-based storage or in on-premises data centers that meet or exceed industry standards for cybersecurity. All facilities and systems are protected by strong physical security controls such as restricted role-based access, ID cards, entry logs and video monitoring. We have a secure backup process and utilize high availability systems and equipment to maintain availability.
  • Networks. Devices storing or providing access to School Data are protected with the same multi-layered security strategies that we use to protect Lifetouch's sensitive and confidential business records. Image databases supporting our photo processing labs and websites are separated from associated data files containing identifiable information, and all databases are protected by firewalls, monitoring, vulnerability scanning and authentication procedures. We apply intrusion prevention methods and perform regular network penetration testing and code scanning on a periodic basis using both internal and authorized third party testing services. Our systems enable secure transmission of School Data from and to the Lifetouch network with encryption technologies. School Data is segregated from other databases in our systems and is securely disposed of when no longer needed. Devices or media containing or accessing School Data are password-protected and encrypted and stored in secure, locked areas when not in use. Laptops and tablets used by our field are also protected by software that, in the event of theft, notifies Lifetouch immediately if the device is connected to any network and allows Lifetouch to remotely erase the device.
  • Personnel. Lifetouch's policy is to collect, use, and disclose personal information only in ways that are consistent with our respect for an individual's privacy. We require Lifetouch employees to sign confidentiality agreements as a condition of employment, and we provide training on the appropriate use and handling of School Data. Access to School Data is limited to those who need it to perform their jobs, and our employees are instructed to only access School Data through secure channels (like the Lifetouch Portal). We also take appropriate measures to enforce these policies.
  • Enterprise. A comprehensive set of IT policies based on ISO 27001/2, PCI-DSS, OWASP and/or NIST frameworks and standards, as applicable, governs information systems practices and procedures throughout the Lifetouch enterprise. Additionally, Lifetouch partners with secure payment processing platforms like PayPal to handle payment card data when the families we serve make their portrait purchases. Additionally, the Lifetouch Portal is designed and maintained to exceed the standards of the Software & Information Industry Association's Best Practices for the Safeguarding of Student Information Privacy and Security for Providers of School Services.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Signal Vine, Inc.

The exclusive purposes for which Protected Information will be used: Segment contacts, personalize and trigger outgoing text messages to students and/or parents. [NYC DOE Comment: Signal Vine is a tool used to engage and communicate with students, families, and staff.]

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: No subcontractors have access to NYC DOE personal data. Signal Vine staff access is limited to the team supporting your account. All access is logged.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Protected Information is removed from the platform within 30 days of the expiration of the agreement, and cycles out of backups 14 days later.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information will be stored within the United States. All data is stored on Amazon Web Services and conforms to SOC 2, ISO 27001 and DoD standards.

How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted at rest via Amazon’s TDE service and in transit via TLS 1.2+

SimTutor

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SIMTICS is a cloud-based service with simulations and other supporting media, designed for learning how to perform clinical and medical imaging procedures. The Service is provided by SimTutor Inc (SimTutor). Each SIMTICS module covers one procedure, skill or topic. In most cases a module contains the following media: Video demonstration of the procedure; Explanatory text; Anatomy images related to the procedure, in 2D and 3D format; A multi-choice quiz; Simulation scenarios for the user to learn and practice the procedure interactively and test their skill.

The school provides us with student first/last names and a DOE-issued email address, so students have a unique username and their in-app activity can be tracked individually and kept separate from other students’ data. The SIMTICS system tracks the user’s activity in the app (study time, and scores in simulations and quizzes). Each learner’s activity data is recorded in their personal SIMTICS logbook and can be accessed only by that named user and by teachers and administrative users with the necessary privilege.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. SimTutor is SOC 2 certified and has robust systems, system architecture, and procedures in place to ensure student data is protected. SOC 2 is a compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data. SOC 2 certification is the result of a detailed annual audit by a qualified third party auditor. SimTutor has been SOC 2 certified for three years.

Our information security procedures to protect PII cover the following areas:

  • Data classification – at SimTutor, school/student data is classified at the highest level of confidentiality, above our own company data
  • Selection, documentation, and implementation of security controls
  • Daily security checks of our systems and infrastructure
  • Annual assessments of security controls and updates as necessary
  • Careful authorization, changes to, and termination of information system access
  • Maintenance of restricted access to system configurations, user functionality, master passwords, powerful utilities, and security devices
  • Management of user access and roles – only employees with a job requirement (i.e. customer and technical support) are given access to PII
  • Security training is part of employee onboarding
  • Maintenance and support of the security system and necessary backup and offline storage
  • An incident response system, tested at least annually, to ensure rapid action in the event of an issue occurring.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Smartest EDU (also called Formative)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: Starting 10/3/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Normal operation and use of Formative’s platform, including reporting on student performance. Formative receives data such as student names, logins, emails, and work generated within the platform. We use this data to allow teachers to assign assessments within the Formative platform, create performance reports, and ensure that rostering within Formative aligns with rostering in Clever, Classlink, or other systems.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; and using an Entity-owned and/or internally hosted solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Formative’s IT Security and Data Privacy strategy prioritizes detection, analysis, and response to known, anticipated, or unexpected threats; this strategy also emphasizes the effective management of risks as well as resilience against data incidents. Formative continuously strives to meet or exceed the industry’s information-security best practices and apply controls to protect our clients and the organization. Formative reviews its systems against applicable state, federal, and internal regulations as well as against controls associated with NIST CSF, SOC2, ISO, GDPR, FERPA, CCPA, CPRA, CPA, VCDPA, and UCPA. Formative maintains an Information Security and Privacy Program which, along with security personnel embedded in each of our business units, consists of a centralized group that establishes information security mandates, evaluates adherence to these mandates, and detects & responds to incidents. Formative frequently adjusts this program to ensure ongoing suitability. The Information Security and Privacy Program regularly assesses the sufficiency of Formative’s controls.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

SOLVED Consultancy

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. SOLVED helps school administrators and teachers analyze student data so that they can make better instructional decisions based on this data. Schools have multiple data sources from different assessments administered throughout the year. In order to use data efficiently and effectively to inform instructional practices and the use of resources and to analyze student data, SOLVED developed the Assessment Dashboard, which is a platform built within the NYCDOE servers using Google Data Studio (which is part of the Google Workspace Cloud where all NYCDOE accounts and information live). This platform helps Principals, Assistant Principals, and Teachers to look at all their students’ assessment information in one centralized location. Only staff belonging to individual schools are authorized to access their platform, and never parents, guardians, or students.

SOLVED needs to have access to this PII to build this platform for schools. SOLVED displays the PII received in the Assessment Dashboard and this PII does not leave the NYCDOE servers as it is uploaded to the NYCDOE Google Cloud and SOLVED uses Google Data Studio to display PII to Principals, Assistant Principals, and Teachers who are authorized to log in with their @schools.nyc.gov accounts (which are Google accounts).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. “SOLVED uses the NYCDOE’s Google Workspace Cloud to store PII, which are part of the NYCDOE servers. Google Workspace Cloud is a subcontractor for the NYCDOE. The PII does not leave the NYCDOE servers.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “None of the PII that SOLVED is given leaves the NYCDOE servers as it is stored in the Google Workspace Cloud of the NYCDOE. Hence, there is no data return because the data does not leave the NYCDOE servers.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. “SOLVED uses the NYCDOE’s Google Workspace Cloud to store PII which are part of the NYCDOE servers. Google Workspace Cloud is a subcontractor for the NYCDOE. The PII does not leave the NYCDOE servers.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The PII is stored in the NYCDOE’s Google Workspace Cloud and the NYCDOE servers. Hence, many of the technical (i.e. data encryption) and physical (i.e. physical servers) safeguards to keep this data safe are controlled by the NYCDOE.

SOLVED has multiple administrative and operational safeguards to ensure the highest rigor of data protection. These are:

  • For all roles within SOLVED, the hiring process ensures the candidate has the necessary competence to perform the role and can be trusted to take on the role, especially for roles related to the use, management, or protection of data or PII. Data protection responsibilities are communicated to employees as part of the on-boarding process.
  • Background checks are required prior to employing SOLVED employees, regardless of whether a competitive recruitment process is used.
  • All SOLVED employees are required to sign a Non-Disclosure Agreement before being granted access to any data. Upon termination of employment, staff are reminded of confidentiality and non-disclosure agreements.
  • All new staff must complete an approved Security Awareness training prior to, or within 30 days of, being granted access to any data. In this training, all new staff are provided with relevant data policies and protocols to allow them to properly protect data. All new staff then must acknowledge they have received and agree to adhere to the SOLVED data policies and protocols before being granted access to any data.
  • All staff must complete an annual security awareness training.
  • SOLVED provides all employees an anonymous process for reporting violations of information security policies or procedures.
  • Staff found to have violated SOLVED’s data policy or protocols may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

South Asian Youth Action (SAYA)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. As part of SAYA’s Community School programming at Richmond Hill High School, our team monitors program quality and effectiveness in three areas: school attendance, college access support, and social and emotional impact. In order to track data and measure the effectiveness of our offerings, our staff secure student PII and make use of the Department of Education databases, as well as Apricot - Social Solutions, which is a customized database used by SAYA across all of our sites. These databases house and track a number of metrics, including attendance and college enrollment. SAYA staff gather PII data points from our participants, teachers, and other school administrators to measure and gauge youth improvement within these metrics. Through data gathered, our Community School Director and team continually determine how SAYA programming and intervention can best benefit our students and improve their performances.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using cloud or infrastructure owned tool hosted by a subcontractor; i.e. Google Workspace, Apricot - Social Solutions.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Access control methods to be used shall include:

  • Auditing of attempts to log on to any device on the company network
  • Automatic updates implemented on all systems
  • Server access rights
    • Active file and email intrusion detection (implemented with Google Workspace for Non-Profits)
    • Active Network Intrusion detection and automatic emails to IT team to inform of the situations.
  • Firewall permissions
  • Web authentication rights
  • Database access rights
  • Encryption at rest and in flight
  • Network segregation
  • Yearly user training concerning the handling of sensitive information and PII will be provided. Additionally, this data security policy will be available to any SAYA staff member or contractor. This also applies to contractors and third party vendors who for whatever unforeseen circumstance would need access to sensitive information.

Access control applies to all networks, servers, workstations, laptops, mobile devices, web applications, websites, cloud storages, cloud databases, and any other form of cloud service that contain sensitive or PII data.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

 

Sparkler

The exclusive purposes for which Protected Information will be used: To provide the service, directly and in coordination with the BOE. Aggregated non-identifiable data may also be used to improve the service.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Data protection and security requirements that meet or exceed these requirements are a part of Sparkler’s privacy policy and all employment and contracting agreements used by Sparkler.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The agreement starts on signing, and will extend no more than a year, or until terminated by either party. Protected information held by Sparkler will be deleted at any time at the instigation of either users or the DOE, and at any rate under Sparkler’s policies will be deleted no later than one year after the end of the agreement.

[NYC DOE comment: The current agreement became effective starting on April 1, 2020 and terminates when all NYC DOE schools and/or offices cease using Sparkler’s products/services. The terms of the agreement remain effective through the period during which Sparkler possesses or otherwise is in control of covered protected information.] 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data is stored in the US, using the commercially reasonable protections afforded by AWS. Further provisions are described in the Recipient’s Terms of Use and Privacy Policy.

How the data will be encrypted (described in such a manner as to protect data security): Sparkler is using the industry standard AES-256 encryption algorithm to encrypt all data on the server. For encrypting network communications and establishing the identity of the app, Sparkler is using industry standard SSL/TLS protocols.

 

Speak Agent

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 11/15/2023 – 11/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Speak Agent, Inc. receives PII for the sole purpose of delivering supplemental instruction. "Speak Agent" is an instructional software platform that includes "Math+Language" and "Science+Language" programs for grades K to 12, providing digital lessons and activities that run on its cloud-based platform. These programs supplement the school district's math and science curriculum. Specifically, PII is needed in order to (1) provide secure login through single sign-on; (2) connect students with the correct class sections, teachers, and grade-appropriate instructional materials; and (3) provide students with expressive language opportunities (writing, speaking, and representing) and individualized feedback.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and/or Heroku.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All PII data are securely stored using cloud hosting facilities that meet ISO 27001 and PCI Level 1 requirements. PII may be viewed only by authorized district and Processor users. Processor secures and manages usernames, passwords, and other means of gaining access to PII at levels recommended by NIST SP800-171 (password complexity, encryption, and re-use).

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Sphero (for Sphero EDU)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Use of Sphero’s Sphero EDU application available at edu.sphero.com, and all related client applications, with which students learn, code, and play with Sphero robots. Depending on if and what type of user accounts are created, PII can contain first name, last initial, email address, and date of birth. Name and email information is used solely for the purpose of creating user accounts. Date of birth is used for the purpose of checking age of consent of the user.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Sphero ensures that data is encrypted both in motion and at rest. The Sphero Edu platform runs in an Amazon Web Services (AWS) facility (please see full details here: https://aws.amazon.com/security/). Personnel are only given access to data on an as-needed basis. AWS provides extensive protection in the form of secure physical facilities, permissions and identity policies, rapid patching and updating of systems, firewalls, network threat detection and response, and scalability to respond to denial of service attacks. PII data is always password protected in addition to being encrypted.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Spruce Technology (for GAMA)

Type of Entity: Commercial Enterprise

Contract / Agreement Terms: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices. Email studentprivacy@schools.nyc.gov with questions about contract dates for specific projects.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Spruce teams will be working with DOE stakeholders in developing a Grades, Attendance, and Messaging application (GAMA) Gradebook Project which will support the grading feature for school-based users. As part of this project, team members will access data from multiple systems that store Location Data, Student Data, Class Roster, Schedules, Teacher data. All of these data sets are necessary to drive the grading functionality. There will be no data migration performed as part of this project. All access to systems and data will be within DOE’s network.

Type of PII that the Entity will receive/access: Student PII. Spruce team members using DOE provisioned VDI may access Location Data, Student Data, Class Roster, Schedules and Teacher data as part of the solution development process.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYCDOE, or to a successor contractor at the NYCDOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. “All DOE data that is considered private, sensitive, or higher classification will only be accessed by Spruce team within DOE environment using DOE issued equipment such as VDI/Servers etc.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All DOE data that is considered private, sensitive, or higher classification will only be accessed by Spruce team within DOE environment using DOE issued equipment such as VDI / Servers etc. Plus the technical design of the GAMA Gradebook ensures that the design and architecture conforms with all citywide security standards and will get all necessary approvals from DOE Security team prior to go live in production.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Spruce Technology (for Return to School)

Type of Entity: Commercial Enterprise

Contract / Agreement Terms: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices. Email studentprivacy@schools.nyc.gov with questions about contract dates for specific projects.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Return To School (RTS) is a COVID-19 case tracking and reporting solution for NYC DOE students and staff. Cases are reported to the Situation Room by phone, online portal, or surveillance test results. Case processing includes access to student personally identifiable information such as student name, date of birth, and OSIS ID.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYCDOE, or to a successor contractor at the NYCDOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Microsoft Azure Government Community Cloud (GCC).

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. There are several levels of protecting the system integrity and data privacy:

  • Infrastructure Level:
    • Microsoft Government Community Cloud (GCC) FedRAMP High
    • Azure Active Directory as central Identity Provider
    • OAuth2 Encryption Flow
  • System Level:
    • Mandatory Authentication
      • Pre-approved user name and account
      • Password with a required complexity level
      • Multi-factor Authentication (MFA)
    • Mandatory Authorization
      • Role-based security
      • Object-based security
      • Field-level security

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Spruce Technology (for Special Education applications)

Type of Entity: Commercial Enterprise

Contract / Agreement Terms: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices. Email studentprivacy@schools.nyc.gov with questions about contract dates for specific projects.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Spruce teams will be working with DOE stakeholders in developing and enhancing an existing solution that the DOE already has for Special Education use cases. Many of the enhancements will be related to provider assignment and impartial hearing related application. As part of this project, team members will need access to integrated systems that store Special Education data today. All access to systems and data will be within DOE’s network.

Type of PII that the Entity will receive/access: Student PII and Spruce teams will need access to the following systems: SESIS, PA, HIS and related Data Warehouses to collaborate with DOE stakeholders on the enhancements for Special Education applications.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: No PII will be stored.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. In order to protect the information entrusted to Spruce, Spruce is committed to uphold its administrative, operational and technical safeguards and practices which are a part of its standard professional services approach. Those safeguards include:

  • A 4-step Security Management Process
    • Risk Analysis – identifying potential security risks, and determining probability of occurrence and magnitude
    • Risk Management – implementing measures to reduce risk to acceptable levels
    • A Sanction Policy – requiring employees to sign a statement of adherence, and implementing appropriate actions against Spruce team members who fail to comply with the security policies and procedures required
    • An Information Systems Activity Review – Spruce regularly reviews records of information systems activity when available and applicable, such as VPN logs, access reports, or security incident tracking reports
  • Assigned Security Responsibilities – Individuals in Spruce’s Professional Services Cyber Security team, along with the CTO office, are responsible for the operational responsibilities and for development and implementation of policies and procedures.
  • Workforce Security – Spruce has processes in place to identify and control which members of its team need to, and can access secure information, as well as authorization and clearance processes. Individuals of the project will be specifically named and cleared to access the student information by NYC DOE authorized personnel. Computer systems to be utilized will be Spruce-owned and secured equipment that will be assigned to each team member as needed. This equipment will only be used to connect to DOE environment and all activities related to student data will be done on DOE equipment within DOE network either via VDI, Server, Database etc. If additional team members need to access information, an authorization and clearance process will be in place with identified supervisors for approvals. Spruce also has proper termination procedures in place to remove access to information and systems in the event an employee or contractor leaves the organization voluntarily or involuntarily.
  • Information Access Management – Spruce operates under need-to-access rules, restricting by default access to information and systems to only those people with a need for access. Only those employees or contractors with explicit needs for this project will be granted access, and only the type of access they need in order to perform their job will be granted. This minimizes the risk of inappropriate disclosure, alteration or destruction. In addition, the student data is never retrieved outside of DOE environment (both on-premise and cloud tenant) thus reducing the risk further.
  • Security Awareness and Training – Spruce has an internal training program for new and existing employees, including security reminders, training on phishing and malicious software, and password management.
  • Security Incident Procedures – Spruce team members are trained to respond to security incidents, including preserving evidence, mitigating the situation when possible, documenting the incident and outcome, and evaluating incidents as a normal part of ongoing risk management.
  • Contingency Planning – Contingency planning establishes strategies for recovering access to data should the organization experience an emergency or other occurrence, such as a power outage and/or disruption of critical business operations. In the “Special Ed App Support Project”, Spruce will be enhancing a solution that is already hosted within DOE’s infrastructure (on-premise and cloud tenant) which will host the data. External hosting or cloud hosting is not part of the considered enhancements including any work related to disaster recovery etc. Current capabilities DOE already has may apply for contingency planning purposes since this project is not related to creating a new solution.
  • Evaluation – Spruce conducts regular evaluations to establish that an appropriate level of security is being maintained during project execution. These periodic evaluations are usually every 1 or 2 years. We recommend that DOE also follow similar practices as part of the operating model for our solution.
  • Facility Access Controls – In the event of physical access needed, Spruce will work with DOE to obtain appropriate access and follow existing security guidelines for its personnel, including proper access control validation procedures and maintenance records.
  • Workstation Use & Workstation Security – Equipment issued by Spruce is for the sole use of Spruce projects, and workstations are encrypted and password protected. Spruce will use NYC DOE issued virtualized environment for accessing student data so that all the data remains within DOE’s network and equipment.
  • Device and Media Controls – Spruce trains its team on how to properly handle disposal, reuse and backup of media and devices.
  • Access Control – Spruce follows access control best practices, including identifying and naming the unique users that will need access to data, encrypting data on all its laptops, and configuring sessions to automatically log off after a period of inactivity.
  • Person or Entity Authentication – Spruce has stringent authentication controls in place to ensure individuals are who they claimed, including in-person interviews, multiple forms of state-issued identification reviewed upon hire, and background checks.
  • Transmission Security – Spruce will be leveraging DOE’s VPN for connectivity to DOE network and accessing student data, assumption is that the entire channel is encrypted, and anticipates data will stay within the confines of the DOE environment (on premise and cloud tenant).

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Spruce Technology (for Special Education Data Hub)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/15/2023 – 9/14/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Spruce team members, who may comprise both employees and contractors, will be working very closely with DOE stakeholders in developing the necessary features and solutions to achieve the project goal. The overall objective is to support the Special Education Data Team with developing and creating reports to support their daily operations. We require access to PII to develop reports and provide support.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: PII is only being accessed, not stored or collected.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The work performed by Spruce for this project does not require that Spruce perform work outside of the NYC DOE environment/infrastructure. Spruce will operate, access, store, and manage all data within the NYC DOE environment, which will help in keeping it safe and secure. The Spruce team will use DOE credentialed accounts for access and will follow all processes and practices of NYC DOE’s security team. In the unlikely event that such information is downloaded from the NYC DOE server, however, Spruce will ensure that potential security risks are fully identified and evaluated and will implement measures to reduce such risk to acceptable levels. Spruce will further require all employees with access to sign a statement confirming adherence to applicable policies and stating that violating parties will be subject to sanctions. Finally, all personnel, whether employees or contractors, will be required to sign non-disclosure agreements. The foregoing practices are standard practices for Spruce on all projects, whether or not for the NYC DOE, when and to the extent applicable.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

St. John’s University's School of Education (for Project RAISE)

Type of Entity: Research Institution or Evaluator

Contract / Agreement Term: 1/31/2022 – 1/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Resilience, Access, and Imagination for Success in Education (henceforth Project RAISE), consists of the following components:

  • Supplemental Instruction
  • Counseling Services
  • Tutoring Services
  • Mentoring Services
  • Parent Engagement Services
  • Professional Development; and
  • Extended Year Program

St. John’s University’s Project RAISE is a program designed to provide Title I supplemental instructional services and related services under the Every Student Succeeds Act (ESSA) for Title I eligible students, parents, and teachers at nonpublic schools in New York City. To this end, all students from Pre-Kindergarten through grade 12, as well as their parents and teachers who are eligible for Title I assistance, will benefit from Project RAISE. Pre-Kindergarten to grade-12 students from families in poverty grapple with numerous challenges in terms of their emotional, physical, social, and cognitive development. These challenges adversely affect their academic success. The primary goal of Project RAISE—which is intended to provide Title I nonpublic schools supplemental instructional services—is to afford students from Pre-Kindergarten through grade 12 the opportunity to receive supplemental instruction in the areas of English language arts/reading, mathematics, English as a Second Language (ESL), social studies, and technology, as well as Pre-Kindergarten services to help them succeed in these subjects. The primary location for services will be in New York City nonpublic schools that serve students from pre-kindergarten to twelfth grade and that select St. John’s University as their service provider.

Data collected will be for the purpose of invoicing/billing the participating non-public schools in the City of New York. The data will include the following: Student ID Number; Grade Level; and School Name.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. This correspondence articulates elements of the St. John’s University cyber security and privacy infrastructure as it relates to the academic research infrastructure for the New York State Department of Education grant award supported by faculty in the St. John’s University School of Education.

St. John’s University has taken a risk-based approach to cyber and information security by ensuring the confidentiality, integrity, and availability of its information assets. The University has a viable program that balances the people, processes and technologies and focuses on the management of the security program, user awareness, research platform, and operations. The details are as follows:

Security Program: Our Security Program is comprised of several strategies that include, but are not limited to:

  • A viable IT Governance model and reporting structure
  • University-wide and department-specific Information Technology (IT) and Security policies and standards
  • A Vulnerability and Patch Management (VPM) program (policies, standards, processes, and procedures) to proactively address potential vulnerable and unpatched systems and applications of critical and non-critical information assets.
  • Multi-factor authentication to minimize authentication threats
  • An IT risk management framework based on the NIST Cyber Security framework to manage IT risks consistently and continuously.
  • Adequate security awareness and training of faculty and staff, including staff that handles personally identifiable information (PII)
  • Processes and techniques to address the end-user computing threats
  • Data maps for PII that is transmitted, processed, and stored within the University.
  • Records/data that are classified into three groups
  • Active records that are stored in a primary storage medium
  • Data is retained for a regulated specified period according to the University’s retention schedule

The subcontractor is held to the same standards described above.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

St. Nicks Alliance Corp (Community Schools)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. St. Nicks Alliance (SNA) is a community-based organization contracted by the NYCDOE to provide services at:

  • The Williamsburg High School of Art and Technology, Brooklyn, NY 11206: These services provide integrated student support, expanded and enriched learning time and extended learning time opportunities, active family and community engagement, and collaborative leadership and practices. These supports and programs help to ensure consistent attendance, academic recovery, relationship building and leadership inside and outside the school community.
  • John Ericsson Middle School 126, Brooklyn, NY 11222. These services provide integrated student support, expanded and enriched learning time and extended learning time opportunities, active family and community engagement, and collaborative leadership and practices. These supports and programs help to ensure consistent attendance, academic recovery, relationship building and leadership inside and outside the school community.
  • PS 150 Christopher, Brooklyn, NY 11212. These services provide integrated student support, expanded and enriched learning time and extended learning time opportunities, active family and community engagement, and collaborative leadership and practices. These supports and programs help to ensure consistent attendance, academic recovery, relationship building, and leadership inside and outside the school community.

Protected Information may be collected or accessed by authorized SNA representatives to support students with attendance and credit accumulation. We may examine academic data (i.e. grades on assignments, courses, or exams); daily attendance statistics, demographic and disciplinary history, contact information, survey responses, and/or Other Protected Information. This data is used to track student progress toward attendance and credit accumulation and to tailor services to each student.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data storage can be in electronic or non-electronic formats (such as paper surveys), including data files and databases. Non-electronic data is stored in the United States in locked cabinets in the SNA main office (located at 2 Kingsland Avenue, Brooklyn, NY 11211) or Bushwick Community High School at 231 Palmetto St., Brooklyn, NY 11221, as required by regulatory agencies (i.e., NYS Department of Health). The lock's key or combination is exclusively shared with authorized staff.

For electronic data storage, SNA uses password-protected computers. The password is changed every 60-180 days and is only accessible to SNA staff members responsible for analyzing the data. Data storage requirements are thoroughly discussed with SNA staff both during onboarding of new staff and ongoing during training on Federal and State laws governing confidentiality to any officers, employees, or assignees who have access to student data or teacher or principal data to ensure compliance with our regulations and SNA internal data storage plan that protects confidentiality and safety of PII. Do not use educational records for any other purpose than those explicitly authorized in the contract.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

St. Nicks Alliance Corp (Learning to Work)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/01/2015 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. St. Nicks Alliance (SNA) is the community-based organization contracted by the NYCDOE to provide the Learning-To-Work program at Bushwick Community High School, Brooklyn, NY. These services assist students with attendance improvement and dropout prevention through individual and group counseling, case management, and post-secondary planning, among other evidence-based strategies.

Protected Information may be collected or accessed by authorized SNA representatives to support students with attendance and credit accumulation. We may examine academic data (i.e. grades on assignments, courses, or exams); daily attendance statistics, demographic and disciplinary history, contact information, survey responses, and/or Other Protected Information. This data is used to track student progress toward attendance and credit accumulation and to tailor services to each student.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data storage can be in electronic or non-electronic formats (such as paper surveys), including data files and databases. Non-electronic data is stored in the United States in locked cabinets in the SNA main office (located at 2 Kingsland Avenue, Brooklyn, NY 11211) or Bushwick Community High School at 231 Palmetto St., Brooklyn, NY 11221, as required by regulatory agencies (i.e., NYS Department of Health). The lock's key or combination is exclusively shared with authorized staff.

For electronic data storage, SNA uses password-protected computers. The password is changed every 60-180 days and is only accessible to SNA staff members responsible for analyzing the data. Data storage requirements are thoroughly discussed with SNA staff both during onboarding of new staff and ongoing during training on Federal and State laws governing confidentiality to any officers, employees, or assignees who have access to student data or teacher or principal data to ensure compliance with our regulations and SNA internal data storage plan that protects confidentiality and safety of PII. Do not use educational records for any other purpose than those explicitly authorized in the contract.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

ST Math - MIND Research Institute

The exclusive purposes for which Protected Information will be used: Personally Identifiable Student Information (PISI) will be used to enroll/roster students into the ST Math program as well as collect usage and performance data as related to the program (i.e. progression through the program, mastery of standard, time on the program). 

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: MIND Research Institute requires all employees that will handle PISI to agree to and sign our employee handbook which details requirements each employee must adhere to in order to ensure the security of user data. Additionally, MIND Research Institute provides scheduled training and refresher training on best practices in the handling of data and requires employees to participate. 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: PISI received from a LEA is de-identified or deleted in a reasonable period of time after the relationship between MIND Research Institute and the LEA has been terminated.

[NYC DOE comment: The current agreement became effective starting on September 18, 2019 and terminates when all NYC DOE schools and/or offices cease using ST Math’s products/services. The terms of the agreement remain effective through the period during which ST Math possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): MIND Research Institute's infrastructure is hosted within the United States. We design and implement our systems to provide resiliency against server, segment, and geographic failure, through the implementation of a clustered redundant architecture that yields highly available service endpoints. We utilize service providers whose systems have been certified for compliance with security standards including ISO 27001.

How the data will be encrypted (described in such a manner as to protect data security): Unauthorized access of User data is a real risk facing the users of today's electronic information services. MIND Research Institute strives to keep informed of these risks, and we work diligently to combat them. One method of protecting User data is to utilize cryptography to prevent data visibility in the event of its unauthorized access. MIND Research Institute leverages cryptography to protect user data in the following two ways:

  • Data in Transit. Our services support Transport Layer Security (“TLS”) to encrypt User communications (TLS 1.0 or greater and only the strongest ciphers). Data transferred between our Site and its end Users (including credential submission, data uploads, and data downloads) are sent over TLS connections, which protect such data using strong encryption, so that data in transit is kept in a private channel between the intended User and our systems.
  • Data at Rest. User data that contains personally identifying information, when “at-rest” (i.e., when in storage) is encrypted using industry standard AES-256. There are two types of "at rest" storage:
      • Database. Database server disk storage is “volume” encrypted (i.e., encrypted at the level of the database).
      • User Files. User files are individually encrypted before being recorded on long-term, secondary storage systems.

Strategic Inquiry Consulting

Type of Entity: LLC

Contract / Agreement Term: 3/1/2022 – 2/28/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Coaching support for teachers and school leaders in developing student writing skills. PII is received in the form of electronic student work files (showing progress toward skill mastery, which contain student names and handwriting).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Google Workspace.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. SIC will maintain reasonable technical, administrative and physical safeguards to protect PII including storing in an online portal that provides data encryption and has built-in security designed to detect and block threats like spam, phishing and malware.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

STRIDES Via Transportation 

 
The exclusive purposes for which Protected Information will be used: Scoping for the STRIDES project plan.
 
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: N/A – only Via employees will have access to student, teacher or principal data
 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Starts October 15, 2019 and ends upon execution of the Requirements Agreement by and between the Board of Education of the City School District and the City of New York and Via Transportation, Inc., at which point the confidentiality and information security provisions of that agreement will govern use of NYC DOE Confidential Information. 

[NYC DOE comment: The current agreement became effective starting on October 15, 2019 and terminates when all NYC DOE schools and/or offices cease using Via Transportation, Inc.’s products/services. The terms of the agreement remain effective through the period during which Via Transportation, Inc. possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
 
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): The PISI will be stored in the US. Via servers are hosted on AWS. Access to AWS and VIA’s operational tools is granted only through a 2-factor authentication mechanism to authorized personnel. Via requires an authorized account for all network logins; all users have their own credentials and a user in the multi-factor Okta system. All network and security devices support Secure Shell (SSH) and / or HTTPS for administration of the devices. All of our services are running in secured VPCs, with proper network segmentation and stateless firewalls.
 
How the data will be encrypted (described in such a manner as to protect data security): Via uses appropriate encryption technologies to protect data stored on its corporate and production servers based on the sensitivity of the data elements in question. To the extent that Via uses any third-party cloud servers or other storage assets to store sensitive information, the Via information technology and information security teams will configure use of such third-party servers to turn on/enable/use available authentication and encryption technologies. The following minimum encryption protocols will be implemented when creating, storing or transmitting sensitive data:
  • Via shall use 256-bit SSL when transmitting sensitive data over the internet.
  • Wireless network transmissions will be encrypted. 
  • Audit logs that contain sensitive data will be sanitized or removed from the logs.
  • Via uses AWS Key Management Service as the main KMS. AWS KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect our keys.
  • AWS KMS is integrated with AWS CloudTrail to provide audit logs of all key usage.
  • All endpoints that connect to Via’s network are disk-encrypted using industry-standard encryption. Personal client information is never stored on the client-side device.

Study.com

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Identifying students, communicating assignments, composing classrooms, recording and reporting grades, and tracking progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Access to Protected Data is limited only to trained System Administrators within Study.com. Key FOBs are required to enter the facility and servers are locked in a keyed cage. All AWS servers are on a restricted Virtual Private Network. We log any unauthorized attempts to access this network or the Protected Data contained on the network. All analytics, features, and data processing are done internally on physical Study.com owned servers racked in a secure facility.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Sunnyside Community Services

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Community Schools provides programs/services related to attendance, health and wellness, expanded learning time, and family engagement. Some of these programs/services include attendance support check-ins, tutoring, in-class Math support, time management groups, and wellness lunchtime events. PII will be used to:

  • Create student and parent records in Salesforce
  • Log student and parent activity hours and outreach efforts
  • Distribute interest surveys and needs assessments to students and parents
  • Use sign in sheets for events, activities, and incentives.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Only authorized users of the Salesforce system have access to PII, which is protected by Multifactor authentication.

SCS will have full Hard Disk Encryption on Laptops/Desktops implemented with Win 10 Pro BitLocker. PII data sent over email will be encrypted with O365. Automated Security & Windows patches with anti-virus are updated on a scheduled basis. We hold written policies to ensure the treatment, use, and security controls for data, as well as enforcement to ensure security. This covers access to and storage of data, among other relevant issues. In line with DOE expectations and our own security policy, SCS shall only disclose PII to Contractor's employees and Subcontractors who need to know the PII in order to provide the Services and the disclosure of PII shall be limited to the extent necessary to provide such Services. SCS will ensure that all student data and PII information is secured and will not be shared with any subcontractors without written/approved agreement. SCS will also comply with all regulatory requirements in collection, retention, and destruction of student data and PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Suntex International (also called First in Math)

The exclusive purposes for which Protected Information will be used: We do not absorb, display or store any sensitive data in this process. As part of a typical data sync, the district will provide information regarding the school buildings, the classrooms that exist, and the teachers that are assigned to those classrooms. Lastly, a list of students and what classes they belong to is provided. In the most common application, these files are transmitted nightly through Clever. The syncing process will automatically establish accounts, preserving the teacher/student relationship. As this relationship changes, and students move to a different classroom or school building, this change is reflected in the vendor’s website. If a student no longer appears in the data feed, the student will be held in a reset/deactivated status until they appear again. Teachers that are no longer teaching the classrooms associated with the program will be removed as indicated by the feed. There are some cases where the relationship is not correctly reflected in the SIS, or the student’s classroom assignment is ambiguous. In this case the teacher may use tools to find students that are deactivated or exist in an unassigned pool for that grade level using a drag and drop tool. The teacher may also examine a roster and determine that a student is either no longer in that classroom, or that they no longer exist within that school, or reset a password, though passwords are not relevant when an SSO sign in method is being used. A building level administrator may have additional tools to move students to different classrooms within the building.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE:  Suntex does not use subcontractors. Company employees follow proper policy in handling data for initial import of district data, trouble-shooting, customer service. We take reasonable measures to protect the confidentiality of the Data as required by federal and state laws and regulations applicable. We establish technical and physical security measures to ensure the confidentiality, integrity and availability of the Data.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Traditionally, we retain the current school year and one-year prior of data. Before each school year we purge any older data. At the end of the contract period or upon request, information will be returned to NYC DOE, or at such point that the Data are no longer needed for the purpose referenced in this Agreement, or, at the sole discretion of NYC DOE, securely destroyed, and all electronic Data purged from the network in a manner that does not permit retrieval of the data.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data will be stored within the Atlanta Data Center of Aptum Technologies, 106 Jefferson Street, Suite 300, San Antonio TX 78205 (formerly Cogeco-Peer1), a top-tier and leading hosting provider. Multiple approaches to data security include physical security (CCTV, biometric access control, on-site guards), network and application protection, including DDoS protection, hardware fire, load balancer, and access through VPN only. The next layer of security includes alert logic monitoring and McAfee enterprise anti-virus. Web Site access is only allowed using SSL (2048-bit). The environment is kept clean, installing only the necessary applications and features, and is kept up-to-date with the latest security patches.

How the data will be encrypted (described in such a manner as to protect data security): All data in motion will be encrypted either via Secure HTTP (HTTPS), SFTP, or another approved encryption mechanism. In general, Email send and receive is protected by TLS in its transmission, but is not generally an acceptable means of passing confidential information.

Sussman Education Company, Inc. for Lightswitch Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Sussman Education Company, Inc., for Lightswitch Learning offers FAMIS e-catalog approved culturally responsive/social emotional, and parent engagement offerings in print and digital format through their textbook contract. 80% of the offerings feature minority authors and subjects. Sussman is applying for a software contract so schools can order site-based one-year subscriptions for their eBook content. Sussman Education Company, Inc., for Lightswitch Learning does not collect PII.

Type of PII that the Entity will receive/access: Entity will not receive or access PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Sussman Education Company, Inc., for Lightswitch Learning does not collect PII.

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Sussman Education Company, Inc., for Lightswitch Learning does not collect PII.

Challenges to Data Accuracy. Sussman Education Company, Inc., for Lightswitch Learning does not collect PII.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Sussman Education Company, Inc., for Lightswitch Learning does not collect PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Sussman Education Company, Inc., for Lightswitch Learning does not collect PII.

SVAM International (for DOE’s Compliance Systems Modernization Project)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 8/1/2023 – 7/31/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Compliance Systems Modernization Project focuses on implementing any modifications and enhancements to support any updated business policies/processes and relevant Federal, State and City mandates.

Type of PII that the Entity will receive/access: Student PII. “Under High Level Enhancements for the OSI’s system for parent notification and integration with NYCSA, SVAM Project team will access DOE applications that store Student PII data. However, SVAM will not store or host PII data on any SVAM storage systems or applications. SVAM team will work directly on DOE infrastructure and will not download/share any PII data onto the SVAM infrastructure.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Under High Level Enhancements for the OSI’s system for parent notification and integration with NYCSA, SVAM Project team will access DOE applications that store Student PII data. However, SVAM will not store or host PII data on any SVAM storage systems or applications. SVAM team will work directly on DOE infrastructure and will not download/share any PII data onto the SVAM infrastructure.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity. “Under High Level Enhancements for the OSI’s system for parent notification and integration with NYCSA, SVAM Project team will access DOE applications that store Student PII data. However, SVAM will not store or host PII data on any SVAM storage systems or applications. SVAM team will work directly on DOE infrastructure and will not download/share any PII data onto the SVAM infrastructure.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Please note that SVAM will not store or host PII data on any SVAM storage systems or applications. SVAM team will work directly on DOE infrastructure and will not download/share any PII data onto the SVAM infrastructure. Under High Level Enhancements for OSI’s system for parent notification and integration with NYCSA, SVAM Project team will access DOE applications that store Student PII data.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Swivl (also called Satarii)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Reflectivity cloud based software service is for teachers’ and administrators’ collaborative work and professional development. In order to properly authenticate educators in the service, we collect some PII, such as name, email, job title. Student PII may be captured in the videos of teachers providing instruction, which shall be uploaded and reviewed by instructional coaches as part of the professional development process.

Type of PII that the Entity will receive/access: Student PII, and teacher name, email, and job title.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Swivl software is hosted on SOC2 compliant data centers provided through Amazon AWS and requires multiple factors of authentication to gain access to the data. Swivl uses AES-256 encryption for data storage and TLS 1.2 for data transport. All infrastructure is behind industry leading firewall solutions and requires VPN access with secure keys. We restrict access to customer data to a small set of security and operations specialists who need to have access as part of fulfilling their job duties. We have a continuous process of testing our security processes and services and mitigating any issues, if found. We have a dedicated security team which monitors and tests our system continuously using leading software tools.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

TalkingPoints

The exclusive purposes for which Protected Information will be used: To provide a two-way translated messaging platform between school & district administrators, teachers and parents.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: TalkingPoints has implemented strict controls over physical, environmental, and software security for all employees and contractors.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: TalkingPoints will either delete or return, within a commercially reasonable period of time but not to exceed 45 days, all personally identifiable information upon the expiration of any agreement when requested to do so by notification from the contracting party; [NYC DOE comment: The current agreement became effective starting on May 29, 2020 and terminates when all NYC DOE schools and/or offices cease using Talking Points’ products/services. The terms of the agreement remain effective through the period during which Talking Points possesses or otherwise is in control of covered protected information.] 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. Any parent, student, eligible student, teacher or principal may correct inaccurate student data or teacher or principal data that is collected. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information will be stored in the U.S. As described in Attachment B of the Agreement, TalkingPoints’s infrastructure is built on industry-tested technology and security practices.

  • TalkingPoints uses encryption, firewall, and network security software.
  • TalkingPoints uses single sign-on (SSO) and two-factor authentication (TFA).
  • Low-level auditing software is supported for all external providers (AWS, Atlas) to record potentially malicious actions that may take place.
  • TalkingPoints runs periodic penetration tests, then logs and resolves discovered issues.
  • All TalkingPoints clients use TLS/SSL when communicating with our servers.
  • TalkingPoints has a host-based intrusion detection system to detect unauthorized access to production hosts.
  • Audit logs are sent to a central location for storage and analysis. Access to production servers and interaction with production systems is audited and logged.

How the data will be encrypted (described in such a manner as to protect data security): All student data or teacher or principal data is stored on cloud servers within the United States and protected with industry standard and best practices procedures, including AES256-CBC encryption when in transit and when stored at rest.

Teachercentric (also called Satchel Pulse)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 3/1/2023 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The products we offer are as follows:

Climate Tool. This is an online platform designed to help school and District Leaders make data driven decisions based on direct feedback given by staff, students, & parents. Built specifically for the education market, Pulse takes feedback and converts it into measurable data and leading indicators, enabling District Leaders to make focused, proactive decisions. Data is delivered in real time and shows information relating to staff, student and family engagement, school culture and improvement across time at a group, school and district level. Using Pulse to monitor feelings and opinions enables School and District Leaders to understand exactly where they need to focus their efforts for improvement. Actions can be created to target issue areas and Pulse used to track the trends in feelings and opinions, highlighting the impact of those actions. Our system uses student information to help track and filter the results of the Climate survey.

Skills Tool. Supports each student by helping them build important social and emotional skills that give them the confidence they need to grow. With Satchel Pulse's SEL Solution, you can efficiently and accurately measure students’ and teachers’ perceptions of SEL skills, identify school-wide, group, and students SEL skill development needs, develop plans for improvement, and monitor progress.

We need to receive/access the staff/students PII information so they can be identified in the application in order to have access to their account and a way to identify who responded to the survey and where to keep their results. Other uses are for grouping or searching for students.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services – RDS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII is encrypted at rest and in transit. You can find full information on our Information Security Policy that’s been shared.

  • Administrative Safeguards:
    • Data Access Management: We employ a role-based access control system that ensures only authorized personnel with a legitimate business need can access PII.
    • Training and Awareness: We provide regular training and awareness programs to our employees to ensure they are well-informed about the latest data protection practices and understand their roles in protecting PII. The employees receive a yearly training via Zoom to review and discuss the training and awareness around data security.
    • Policies and Procedures: We have comprehensive policies and procedures that outline how PII should be handled and protected, including incident response plans.
  • Technical Safeguards:
    • Data Encryption: We utilize strong encryption standards for data both in transit and at rest to ensure that PII is unreadable to unauthorized users.
    • Network Security: We employ various network security controls including firewalls, and secure configurations to protect our network infrastructure.
    • Regular Security Assessments: Our systems undergo regular security assessments, including penetration testing and vulnerability scanning, to identify and remediate any security vulnerabilities.
    • Disaster Recovery: We have disaster recovery plans in place to ensure data can be recovered in the event of a physical disaster (data is stored in AWS).
  • Mitigating Data Privacy and Security Risks:
    • Continuous Monitoring: We continuously monitor our systems for signs of security incidents or data breaches and have incident response plans to ensure swift action.
    • Data Minimization: We practice data minimization to ensure that only the necessary amount of PII is collected and stored, reducing the potential impact of a data breach.
    • Regular Review of Practices: Our security practices are regularly reviewed and updated to align with emerging threats and best practices in data security and privacy.

Please note that, in the interest of security, this description is intentionally high-level. We take the security of PII very seriously and employ a robust set of safeguards to protect this data.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Teachers College, Columbia University (for the Reading and Writing Project)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 12/1/2021 – 11/30/2026

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Teachers College Reading and Writing Project may review and use student protected information as part of professional development in literacy in schools. Reviewing this information is necessary in order to systematically check to see if and when students have internalized key literacy skills, and to assure that instruction is differentiated in response to student needs. TCRWP staff developers also regularly lead study groups with teachers in order to provide teachers with opportunities to examine student writing, to study patterns in data, and to co-author methods and curricula. Studying student work together in this way enables teachers to thoughtfully plan next steps based on what students are actually doing. This shared work is vital to deepening teachers’ understanding of conducting formative assessments, and of norming across a school so as to ensure a consistent vision of excellence.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. TCRWP Staff Developers may have access to student work as part of leading professional development in literacy in schools. In the event remote work is required, the Teachers College Google Drive instance will be utilized to transfer and store student writing documents. Within Google Drive, a Shared Drive will be created and appropriate access (read-only, edit, or content manager) will be assigned. Those assigned read-only access will not be able to download or share content. Additionally, all subcontractors accessing PII data are required to sign an NDA. TC employees are educated and reminded of how to treat PII data and employees with access to PII data are required to sign confidentiality agreements. A copy of the NDA and confidentiality agreements are attached.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Teachers First (for Toddle)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Toddle is a one-stop web-based platform that streamlines the teaching and learning for educators, students, and family members. It is used for, among other things, curriculum planning, lesson planning, assessments, student portfolios, family communication and progress reports. It is also licensed by the IB.

We receive and access PII for the following purposes:

  • Rostering: PII is essential for the operation of Toddle and for account rostering. All classes and grades have to be set up and we need PII for that purpose.
  • Communication: PII is also essential for teachers to uniquely identify and communicate with students and parents. It is also required for 1:1 communication, class discussions etc.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

  • All Toddle employees and sub-contractors undergo extensive trainings and background checks at the time of onboarding.
  • We follow the Principle of Least Privilege to restrict access to data and only the account manager and any personnel or sub-contractors considered essential for operation are given access.
  • We have a comprehensive exit policy to ensure access to any and all forms of data is revoked and deleted; specifically, redactions are not acceptable as per policy.
  • We use the highest standard of encryption and anonymization techniques to ensure deidentification of PII.
  • We use industry-standard AES-256 encryption.
  • All data is encrypted at rest and in-transit and hosted on AWS servers in USA.
  • We regularly conduct vulnerability and penetration testing.
  • We are subject to regular and surprise audits by independent third-party auditors and the access to the audit report can be shared on request.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

TeachFX

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 8/29/2023 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. As a general overview: TeachFX provides a software-as-a-service application and reporting tools, powered by artificial intelligence, designed to provide measurements of student engagement and other pedagogical indicators, to educators with respect to dialogue that is occurring in instructional settings. TeachFX also has a partner success team that designs and implements professional learning experiences for educators to improve their instruction and student engagement. The TeachFX classroom implementation does not collect or store student PII. However, where a teacher opts to use the TeachFX virtual instruction option via Zoom, student names and virtual platform unique identifiers will be collected.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud Platform.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We have multiple safeguards in place to protect all sensitive student data, including PII.

  • Authentication: We authenticate users before they can use the application. Email verification is required to access the features of the app.
  • Access control: We use object-level permissions to monitor user access to data.
  • Secure communication and encryption: All our communications happen through HTTPS, secured by strong ciphers. User data is maintained in encrypted storage at rest.

We have multiple monitoring systems in place to mitigate risks, including systems used for codebase scanning, artifact scanning, and monitoring vulnerabilities.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Teaching Strategies

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Teaching Strategies GOLD® Enhanced supports effective teaching and assessment while providing educators with more time to spend with the children in their program. Student Data is used to set up and maintain user accounts and student portfolios and to grant other Authorized Users the right to access, update, view, and/or modify such portfolios. Portfolio Data can be used to identify and recommend appropriate activities and customize student plans.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS, Google Cloud Platform and Ntirety.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. TS implements background checks on all employees, security and privacy training, admin user training, secure development training, NIST policy and procedure alignment, weekly vulnerability scanning, IDS/IPS, file integrity monitoring, central logging and monitoring, secure cloud storage, annual risk assessments, annual 3rd party penetration testing, and annual SOC2 Type II compliance audits by an AICPA accredited organization.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

TEAM FIRST, Inc NYGEAR UP Program

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/13/2023 – 9/30/2028

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. TEAMFIRST, Inc. NYGEAR UP will provide academic and social support to a cohort of 710 students in Districts 7, 8, and 29 that will increase high school graduation and college enrollment rate. We collect student data (i.e., demographic information, attendance, LEP, and/or IEP designation, grades, standardized test scores, promotion status, grade) to be reported to the US Department of Education to measure student outcomes as required by the federal GEAR UP Program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Measurement Inc. and the Google iCloud.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data provided will be confidential in nature and will only be reported to the US Department of Education as required by our Annual Performance Report. Access to Personally Identifiable Information (PII) will be limited to the Evaluator and Director of Programming solely as required for reporting purposes. All information will be collected and secured in a locked file cabinet and will be used solely for reporting to New York State Education Department. Passwords will be changed on a regular basis and protocols for deletion and/or destruction of PII will be carried out and written certification will be provided to NYCDOE.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Tech4Learning, Inc.

The exclusive purposes for which Protected Information will be used: To access the Wixie online authoring tool.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: N/A - We will not share student data with subcontractors or other persons or entities.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: At agreement start protected data will be uploaded by NYC DOE staff to Wixie. At agreement end protected data will be deleted unless return instructions are provided. [NYC DOE additional information: The current agreement remains effective through the period during which Tech4Learning, Inc. possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Contractor. [NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected data is stored in our San Diego, CA-based data center. Data is protected via biometric, physical, and logical security.

How the data will be encrypted (described in such a manner as to protect data security): Data transmitted to Wixie and data at rest will be secured using industry best practices.

TestOut Corporation (LabSim)

The exclusive purposes for which Protected Information will be used: To facilitate the student using our online courseware – LabSim. LabSim is TestOut’s learning platform. It delivers our certification and courses, including our best-of-class IT simulations. It also provides tools for educators to manage and assess student learning. The LabSim courses keep students engaged and allow them to monitor their progress. LabSim is a flexible and cost-effective solution for IT education.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Process does not utilize subcontractors which have access to Confidential Information.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon expiration or termination of the Agreement, Processor will securely destroy all Confidential Information within 60 days. All data destruction will follow the NIST SP800-88 guidelines. If requested by DOE, Processor will provide Confidential information to DOE in an agreeable format prior to securely destroying all Confidential Information.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Processor employs industry standard measures to protect Confidential Information from unauthorized access while the data is in transit or at rest which align with the NIST Cybersecurity Framework. Data in transit is encrypted with TLS 1.2 and data at rest is encrypted with AES-256. The servers are hosted in an environment using a firewall that is updated according to industry standards. Passwords are protected following the password guidelines in Article 4.3 of NIST 800-63-3. We only provide access to Confidential Information to employees that are performing the Services. All data stored is on servers located in the United States.

How the data will be encrypted (described in such a manner as to protect data security): Data in transit is encrypted with TLS 1.2, and data at rest is encrypted with AES-256.

Texthelp Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 3/1/2023 – 3/1/2030

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Read&Write, Equatio, Snap&Read, Co:Writer are Assistive Technology Literacy toolbars for students to scaffold learning and to help them access the general education curriculum. uPAR is a reading accommodation decision making tool to help teachers determine accommodations. OrbitNote is an accessible PDF tool. Again this helps make the curriculum accessible to students with typical PDF tools but also accessibility tools to read text aloud. EquatIO is an Assistive Technology Math toolbar and a math space for students to enter math and solve math problems digitally. Again it is a critical support for students with disabilities to access the general curriculum.

Data minimization is at the core of the design of the company’s products and we only collect the necessary data to provide access and usability of our tools to our users. The core of PII is the student’s email. The student’s email is used for the student to log in to the tools and manage their preferences. In addition we collect usage data and other accommodation data for staff to make decisions about future needs of students in using these tools.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS and Google.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Texthelp adhere to the principle of Privacy by Design/Default. Our software solutions are designed to use a minimal amount of PII. Texthelp are a Processor for the purposes of Processing Customer Personal Data; and we are a Controller in relation to any Processing described in our privacy and cookie policies located at www.texthelp.com

All personally identifiable information is used and held in accordance with our privacy and security policies.

Security controls are in place to keep Texthelp systems and data separate from other clients’ data.

Policies and procedures exist to satisfy all of the 114 controls contained within Annex A of the ISO 27001 standard. These include, but are not limited to:

  • ISMS 1.2 Information Security Policy
  • ISMS 1.3 Product Analytics Policy
  • ISMS 1.4 Access Request Policy
  • ISMS 1.5 Roles/Responsibilities/Authorisations Register
  • ISMS 1.6 Audit Logging Policy
  • ISMS 1.7 Backup Policy
  • ISMS 1.8 Encryption & Cryptographic Policy
  • ISMS 1.9 Access Control Policy
  • ISMS 1.11 Network Security Policy
  • ISMS 1.12 Privacy Notice for Employees & Job Applicants
  • ISMS 1.13 Record Retention Policy
  • ISMS 1.14 Security Patching Policy
  • ISMS 1.15 Infrastructure Hardening Policy
  • ISMS 1.16 Vulnerability Management Policy
  • ISMS 1.18 Privacy Policy for Texthelp Products
  • ISMS 1.19 Security Incident Response Policy
  • ISMS 1.20 Acceptable Use, Mobile & Teleworking Policy
  • ISMS 1.21 Information Classification & Labelling Policy
  • ISMS 1.22 Password Policy
  • ISMS 1.23 Statement of Applicability
  • ISMS 1.24 Risk Treatment Plan
  • ISMS 1.25 Asset owner Policy
  • ISMS 1.26 Secure Development Policy
  • ISMS 1.27 Social Media Policy
  • ISMS 1.28 Texthelp Web Properties Cookie Policy
  • ISMS 1.29 Data Subject Access Request Policy
  • ISMS 1.30 Texthelp Web Properties Privacy Policy
  • ISMS 1.32 User Removal Policy
  • ISMS 1.34 Security Disclosure Policy
  • ISMS 1.36 AWS Asset Tagging Policy
  • ISMS 1.38 Data Transfers Risk Assessment
  • ISMS 1.40 Finance Data Handling Procedures

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Thinking Maps Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Our application provides both virtual resources for teachers and a virtual environment for students and teachers to create and share Thinking Maps within their school or classroom. Student First/Last Name and Login ID are the only PII required, and are used to create their accounts.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Within 60 days following termination of a school’s license, the PII associated with that school shall be automatically deleted, unless otherwise directed by the school or district at that time.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII is protected through standardized encryption and security in compliance with NIST guidelines. Student information is only available to users with appropriate roles and/or privileges within the system. All employees with access to such data are provided with security and privacy training, as well as being required to sign a privacy agreement with Thinking Maps Inc.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Thinking Nation

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 1/1/2023 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Processor will provide students and teachers of the 6th-12th grades of the NYCDOE with its specialized, proprietary history curriculum, assessments, and other related resources. Processor evaluates and grades all assessments and essays of participating students and provides them and their teachers with normed data collected from these assessments and essays. Processor will use classroom rosters provided by NYCDOE to properly aggregate and share the data.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

  • All employees have distinct logins so there is a record of all actions and edits when using PII.
  • The least privileged authority is enforced to ensure that PII is used only when necessary.
  • When there is inactivity during a user's session, the platform automatically logs out the user.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Thinkingmap (also called Vocabulary.com)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 3/8/2023 – 3/8/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Vocabulary.com provides personalized, systematic vocabulary instruction for students from 5th grade through high school, and beyond. Beyond its core purpose of building academic vocabulary knowledge, the platform improves literacy skills in the areas of reading, writing, listening, and speaking. Since 2008, Vocabulary.com has served more than 5.1 billion questions to learners all over the world. Today the platform is used by 3.7 million students in 56,000 schools.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS (a cloud hosting and data analytics provider), Century Link (used for telecommunications), Google G Suite (a cloud computing, productivity, and collaboration tool) and Salesforce Inc (a Customer Relationship Management (CRM) solution); and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Vocabulary.com has implemented a variety of physical, administrative and technological safeguards designed to preserve the integrity and security of the personal information we collect and to protect against unauthorized access to data. These include internal reviews of our data collection, storage, and processing practices and security measures, as well as physical security measures to guard against unauthorized access to systems where we store personal data. We restrict access to personal information to IXL employees, contractors, and agents who need to know that information in order to operate, develop, or improve our services. Vocabulary.com provides encryption for customer data as follows:

  • Network connections to Vocabulary’s production environment utilize Transport Layer Security (TLS) or Secure Shell (SSH);
  • All data stored in Vocabulary’s production environment is encrypted at rest using AES-256 bit encryption; and
  • All data stored on Vocabulary-owned laptops is encrypted at rest.
  • Vocabulary employs automated log collection and audit trails for production systems.
  • Connections originating from untrusted network segments will be governed by firewall rules and other security safeguards that grant the minimal access required to access the intended service provided by the company.
  • System passwords and access keys are stored in a privileged location accessible only to Vocabulary security administrators, and all credentials are changed from factory default settings.
  • Production systems receive regular maintenance to apply security patches; and
  • Physical access to systems requires security RFID badges and biometric authentication, and is limited to IT staff performing physical maintenance.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Third Space Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Third Space Learning Inc provide high-impact, high-dosage math tutoring to schools to accelerate math achievement and increase the number of students working at grade level. To do this, Third Space Learning use Littera’s Academic Support Platform. Littera’s Academic Support Platform is designed to enable schools and districts to design, deliver, and monitor tutoring programs that are customized to address the needs of their students.

PII is used to create and manage online accounts, communicate with teachers and students, and ensure that students identified by the school are receiving assistance through the program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Littera Education Inc, Salesforce, Xero.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Third Space Learning Inc use Littera Education Inc’s academic support platform (approved by NYCDoE under ERMA-N2B52030) where PII is protected and stored on US servers. Littera Education and Third Space Learning both place the utmost importance on privacy, safety, and security. All transmission of files or data to organization roster systems is done securely via HTTPS, using industry standards. When files are uploaded, they are stored in encrypted, non-publicly accessible databases. Littera and Third Space Learning use Amazon Web Services (AWS) as their cloud hosting provider. The database along with all the cloud infrastructure is hosted inside a private virtual cloud (AWS VPC). Only a limited number of personnel have access to this VPC.

Third Space Learning utilize two-factor authentication on all services (where available). Access will be granted based on the principle of least privilege, and access is removed immediately when no longer required.

Additional safeguards that Third Space Learning has in place include:

  • Third Space Learning carry out extensive checks on our tutors including criminal record checks, checks on proof of id and address, at least two references and face to face interviews;
  • Third Space Learning carry out safeguarding specific training, data privacy, and security training for all staff (including all tutors);
  • Third Space Learning have safeguarding policies and procedures that are reviewed regularly and strengthened by 3 complementary policies: a Whistleblowing Policy, a Safer Recruitment Policy and a Code of Behavior for working with children;
  • Third Space Learning have a designated safeguarding officer (DSO), a deputy DSO and a board level champion for safeguarding; as well as a Data Protection Officer (DPO).

In addition to these measures, Third Space Learning has additional built-in safeguards compared to most organizations that work with children:

  • Tutors never physically meet up with the children: our tutors are based remotely;
  • The only interaction is through Littera's tutoring platform which means the tutor and student can only connect at the predetermined time scheduled by the school using our secure platform;
  • Tutoring is overseen by a member of school staff, or during periods of school closure, by a parent or guardian.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Thomson Reuters

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 1/1/2023 – 12/31/2027.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Thomson Reuters HighQ provides centralized case tracking and management to the Office. HighQ provides storage and access functions that include contact management, document assembly, document and electronic file management along with configurable records management, discovery management, and case status tracking. Out-of-the-box, HighQ secure cloud follows NIST SP800-63b guidelines, is ISO27001 certified, delivers highly available 99.9% uptime, offers banking grade encryption, and is monitored by TR personnel 24/7. With a complete audit trail and workflow stage configurable privacy settings, HighQ delivers enterprise-grade security standards.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity states “As a data processor, Thomson Reuters cannot access DOE’s data and will pass on any request relating to access or correction to the DOE. The HighQ platform is designed to allow the DOE to fulfill these requests without assistance from Thomson Reuters.”

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The HighQ platform is fully audited and accredited to meet information security standards. HighQ is ISO27001 certified, which ensures the controls and processes are in place to protect customer data. HighQ uses robust security measures including advanced AES 256 encryption, data back-up and a fully redundant infrastructure to guarantee uptime. HighQ is built around single-tenancy hosting, single jurisdiction hosting and we perform independent penetration tests on the platform. The HighQ platform provides a variety of tools and features that you can use to keep your information safe from unauthorized use. This includes credentials for access control, HTTP endpoints for encrypted data transmission, the creation of separate IAM user accounts using 2FA, and user activity logging for security monitoring.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

TinyIvy

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. TinyIvy’s program provides instruction, materials and support to enable students in grades K-2 to learn to read at grade level, and for the teachers in the classroom to manage curriculum and leverage resources related to that instruction.

TinyIvy’s Explorer product includes the ability to place students into Reading Groups, to support the teachers as they manage instruction for those students. In addition, TinyIvy has resources for the Parents to use at home with their children, as well as apps that can be used in the classroom by the students. In order to sync the information provided to the student with what is happening in class, PII is collected as part of the account setup process and used to manage the student’s identity across these platforms.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud, Hubspot (for teacher contact information).

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. TinyIvy leverages world class PaaS providers that provide integrated services on secure architecture, minimizing weak links in our security profile through such actions. The systems have been designed for high scalability and maintainability, which includes security maintenance. Our specific safeguards and processes are described in our policies and procedures.

All information is encrypted in our platform both in-transit and at rest in the database, with all websites delivering traffic over secure HTTPS protocols. Access is controlled via administrative roles and accounts require a NYC DOE secure email to access any system data.

Operationally, the TinyIvy team receives annual security training as well as briefings on key security changes to the application, and on additional requirements that are added to our security profile based on new school relationships we develop.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Tools for Schools

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/13/2023 – 7/13/2026

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Book Creator is online software for the creation and publication of eBooks. We use student/teacher/principal data to:

  • Provide Book Creator and make sure you can use it properly and effectively;
  • Manage and administer your account and the books that you create;
  • Respond to any questions, requests, or complaints we receive from you;
  • Communicate with you about Book Creator if we need to;
  • Investigate potential illegal activities on Book Creator;
  • Analyze use of Book Creator.

We will never use your information to target advertising at you based on your behavior. We will not build a personal profile of you other than for supporting authorized educational or school purposes, or as authorized by you (or by a parent or guardian if necessary). We also won’t use your information for any purposes except those above without letting you know and getting your permission if necessary.

Tools for Schools collects: full name; email address; school name (optional); grade level (optional); any PII that is uploaded as book content (optional).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud Platform.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

  • All employees are vetted for working with student data.
  • Continuous security compliance audit conducted by Drata. This includes user review access, information security policy adherence and both static and dynamic application security scans. We are aiming for SOC2 Type II certification by the end of 2023.
  • Regular penetration tests conducted (at least annually).
  • Data is encrypted at-rest and in-transit using industry standard mechanisms.
  • Access to systems that store, process, or transmit data is controlled by a role-based access system. Users are authenticated by this system using a strong password and two-factor authentication (not SMS-based).
  • Regular employee training (internally and by iKeepSafe) to ensure awareness of, and compliance with, COPPA, FERPA, GDPR, NY Education Law 2-d.
  • All data stored in Google-owned datacenters in the continental US.
  • All data in flight sent using SSL/TLS.
  • Encryption at rest is AES 128/256 provided by Google Cloud.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

TPR Education

The exclusive purposes for which Protected Information will be used: To fulfill TPR’s obligations under its agreement with the DOE, including but not limited to test preparation and tutoring services.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Subcontractors do not have access to confidential data.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: For the term of the underlying agreement. At contract end, Protected Information will be deleted as provided in the underlying agreement between the DOE and TPR.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All data resides in the United States. Systems are protected using industry standard security practices by using a combination of encryption, role/group-based permissions, firewalls, and passwords.

How the data will be encrypted (described in such a manner as to protect data security): Data will be encrypted at rest using AES-256 at the disk level, SQL encryption on certain fields, and TLS 1.2 SSL for encryption in transit.

Transcend Inc

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Transcend offers a survey called the Leaps Student Experience Survey which assesses student experiences. One feature of the survey is being able to disaggregate the results by student identifiers, such as race or ethnicity. This is critical so that schools can understand and design models of learning which work for all young people and do not reinforce patterns of inequity. Transcend needs to collect student data (including PII) to associate the individual student responses with their demographics. No student PII is reported in a non-aggregated and de-identified manner to anyone, including the schools.

Transcend will partner with the Imagine NYC Schools Design Lab in a planning phase to co-design the approach and curriculum for a Design Journey, a new offering from Imagine NYC Schools to support schools to reimagine school by designing or redesigning their whole school model. This will be done through sharing of Transcend resources, professional developments, and giving participants in the project access to tools like the Leaps Student Experience Survey so that they can use it in their own design work with NYC schools.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure and Google Cloud.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data is secured in cloud based infrastructure that is accessible only by qualified staff using a 2FA system.

All staff is additionally trained on handling student PII and the training is reviewed annually. Staff must complete an annual competency review to ensure continued adherence to our data security policy and safeguards.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

TRIAD Consulting Strategies

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/01/2021 – 6/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. TRIAD Consulting Strategies provides critical wrap around Community School services and student supports intended to serve the whole child. Services focus on the four pillars: Collaborative Leadership & Practice, Family & Community Engagement, Expanded Learning Time, and Wellness & Integrated Support through programs including leadership development and civil engagement, professional development workshops, mentoring, and college and career readiness.

It is necessary for the Entity to receive or access PII, to conduct the services in order to effectively communicate with all relevant stakeholders (in the mode most conducive to them), track, document and update improvement metrics, and drive tangible outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google and/or Microsoft Cloud.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. TRIAD Consulting Strategies and any subcontractors and/or affiliates will (at all times during the Term) use encryption to protect personally identifiable information in its custody while in motion or at rest and implement appropriate safeguards to protect the Personal Information that are no less rigorous than accepted industry practices (such as ISO 27002, ITIL or COBIT or other industry standards of information security), and will ensure that all such safeguards, including how Personal Information is processed, comply with applicable data protection and privacy law and comply with the terms of the contract.

TRIAD Consulting Strategies shall implement and maintain a written information security program, including appropriate policies and procedures that are reviewed for new risk assessments at least annually. Such obligation shall continue throughout the contract term.

At a minimum, TRIAD Consulting Strategies’ information safeguards shall include: (a) secure business facilities, data centers, paper files, servers, back-up systems and computing equipment including, but not limited to, all mobile devices and other equipment with information storage capability; (b) network, device application, database and platform security; (c) secure transmission, storage and disposal; (d) authentication and access controls within media, applications, operating systems and equipment; (e) encryption of Personal Information; (f) encryption of Personal Information when transmitted over public or wireless networks; (g) access controls, including logging of all access and exfiltration, and retention of such access control logs for a period of no less than one (1) year; (h) conducting external and internal penetration testing and vulnerability scans and promptly implementing a corrective action plan to correct the issues that are reported as a result of the testing; and (i) limiting access of Personal Information, and providing privacy and information security training to staff.

TRIAD Consulting Strategies and its employees will adopt the following measures:

  • Employees will not at any time during or after affiliation with TRIAD Consulting Strategies (TRIAD) disclose TRIAD Confidential Information to which they have or had access in any form (i.e., electronic media, paper, verbal, etc.) to any unauthorized individuals.
  • Employees will not access any record(s) they are not authorized to, including but not limited to the student or family records of any program member or co-worker.
  • Employees will utilize and access only the minimum amount of information necessary for the performance of their duties.
  • Employees will not access or request data on students for whom they have no professional relationship and/or legitimate TRIAD related purpose. If a given employee has reason to believe that the confidentiality of his/her user log-in has been compromised, he/she will immediately ensure that the password is changed.
  • Employees will respect the confidentiality of any reports and handle, store and dispose of these reports when necessary.
  • Employees will not install or operate any non-licensed software on any TRIAD computer.
  • Employees understand it is against TRIAD policy to electronically communicate student information to others outside of the CC/school network.
  • Employees are responsible for all e-mail messages generated from their e-mail accounts.
  • Employees understand that the use of e-mail is for business purposes; however, limited personal use is acceptable.
  • Employees understand that the e-mail administrator may monitor TRIAD e-mail if noncompliance with the electronic messaging policies is suspected.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Tutteo Inc (also called Flat for Education)

The exclusive purposes for which Protected Information will be used: We use data solely to deliver the service Flat for Education.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: All subcontractors or employees that will access personal data have agreed in writing to protect the confidentiality and security of Customer Personal Data. They also receive regular personal trainings.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: We will delete all the data that we and our sub-processors hold. NYC DOE can reach out to us in writing to ask us to return all data by secure transfer in such a format as notified by you to us.

[NYC DOE additional information: The current agreement became effective starting on December 17, 2020 and remains effective through the period during which Tutteo, Inc. possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. [NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): When stored all the data is encrypted (see point below). We also ensure that all our sub-processors abide by the same level of security and best practice we commit to.

How the data will be encrypted (described in such a manner as to protect data security): All Flat for Education's platform services encrypt the data while communicating with other services, whether internal or external. The data in motion is always encrypted using either HTTPS or TLS, whether between our microservices, databases and caches services, and between the different regions of our cloud infrastructure.

Flat for Education uses cloud disk storage and object storage that are encrypted at rest using 256-bit Advanced Encryption Standard (AES-256). This includes encryption at rest of all our backups.

U Startups Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. University Startups will provide access to our digital Career and College Counseling Courses via the Canvas learning management system to the High School for Economics & Finance at City of New York and other NYC Public Schools. Specific courses and programs to be provided include (1) Social Entrepreneurship, (2) College Counseling, and (3) Workforce Development. Additionally, students will have access to the Impact Internship program. University Startups will publish the courses, provide training to facilitators, and provide support as needed. PII is used to make user accounts and to track student progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Canvas.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Any PII in the possession of University Startups that has been collected via its programs will be deleted within 30 days of the course completion. We will also conduct annual scans of our internal software tools to ensure PII is not saved (Google Workspace and Canvas LMS).

  • Limited Transfer of Data
  • Regular Security Audits
  • Employee Training on Data handling
  • Vulnerability scans
  • Administrative Safeguards:
    • Limiting access to a minimal number of authorized personnel who have a legitimate need for such access. We anticipate this to be between 1 and 4 employees.
    • University Startups requires confidentiality agreements for any personnel with access
  • Technical Safeguards:
    • University Startups uses Google Workspace and Canvas LMS to administer its courses and internship readiness program. Both programs offer encryption of data in transit and at rest, access controls, and implement regular backups.
  • Operational Safeguards:
    • University Startups implements 2FA and MFA on critical systems such as Google Workspace.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Universal Technologies

Type of Entity: Commercial Enterprise

Contract / Agreement Term: “Bid #R1653 mentions expected start date and end date as ‘ASAP – up to 24 months.’”

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Troubleshooting applications containing PII - Sr. Technical Business Analyst. Technical Business Analyst will be working on the Universal Pre-Kindergarten Program (UPK). There is a student enrollment module which has student name, DOB, gender and address but this module is not a part of day-to-day activities for the Analyst. Access would only come into play if there are any technical troubleshooting/application enhancements to this module which the Analyst may need to be a part of.

Type of PII that the Entity will receive/access: Student PII; APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Universal will not store PII and will only have access as long as we have access to DOE's systems (during the agreement).”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Processor has established a comprehensive set of administrative, operational, and technical safeguards and practices to protect the Protected Information received under the contract. These safeguards include:

  • Administrative Safeguards:
    • Appointment of a Data Protection Officer responsible for overseeing data privacy and security.
    • Regular internal audits and risk assessments to identify vulnerabilities and weaknesses.
    • Development and maintenance of data breach response and incident management plans.
  • Operational Safeguards:
    • Access control mechanisms to restrict access to Protected Information based on job roles and responsibilities.
    • Regular employee training and awareness programs on data security and privacy.
    • Documented policies and procedures for secure data handling and disposal.
  • Technical Safeguards:
    • Encryption of data at rest and in transit.
    • Firewalls, intrusion detection systems, and antivirus solutions to protect against unauthorized access and cyber threats.
    • Regular software updates and patch management to address known vulnerabilities.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Urban Arts Partnership

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2022 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Urban Arts Partnership will provide Community School services to The Facing History School through the end of the contract date of June 30, 2024. Community Schools are centers of opportunity with a shared leadership model so that academics, social services and supports are integrated into the fabric of schools. Urban Arts will provide high quality arts and technology based education as well as leverage strategic partnerships to support the following Community School pillars: 1) Rigorous academic programs with strong supports to prepare all students for college, careers, and post-secondary success; 2) School-based and school-linked programs and services that, based on a needs assessment of the community, address the comprehensive needs of students and their families; and 3) partnership cultivation that demonstrates collaboration with the local community, including by engaging families and other community stakeholders. Through the Community School model, Urban Arts seeks to support the whole community through collaborative leadership, family engagement, expanding learning time and wellness support.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE's option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Google Workspace with assistance from our IT vendor, Altourage.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.  Urban Arts Partnership (UAP) and its subcontractors will collect various kinds of PII data, including students' names, emails and grade levels. Electronic PII data will be stored on our custom-built CRM Platform and each authorized employee will have access through a two-step authentication password system. The data will also be stored on our drive and accessible via a secure password and two-step authentication as well. Data that is recorded on paper will be stored in our records closet, which is locked at all times with entry restricted to the Chief Operating Officer, Operations Manager, and the Director of Programs. Our records closet lives within a building that has extensive security measures - i.e. security in the lobby, no unauthorized entry by non-UAP personnel via the elevator and floor without a unique key access card that each UAP employee is assigned. Subcontractors will be expected to adopt similarly rigorous protocols and demonstrate to UAP's satisfaction that proper protocols are in place.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, the Entity agrees that PII will be encrypted using industry-standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

The Urban Assembly

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The UA’s Program Services & Supports derive from our mission, priorities, goals and guiding principles as detailed in our workplan, and some of these services utilize student PII for monitoring and analysis, to provide customized supports for each school. The UA model serves to meet and/or exceed the NYC DOE’s program goals and respond to state and city accountability frameworks in order to drive student success at UA schools and beyond.

Support areas include Algebra Success, Social-Emotional Learning, Data Exploration and Monitoring support, Early Career and College Awareness, Alumni Success, and Leadership development. These programs focus on customized program implementation in the real and varied settings of our partner schools, which requires visibility into the actual population of classrooms and rosters. This is to allow for specific, targeted, and intensive coaching and support as well as monitoring of outcomes on student-level metrics identified for each program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. “As of May 2022, UA is putting this practice in place and expects it to be fully realized by July 2022: The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Vendor selected “Other: UA will safely maintain data until such time that the partnership with the NYC DOE is concluded. In that event, UA will destroy PII on a mutually agreed upon date to ensure that the data collected for this partnership is protected from unauthorized individuals.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. UA considers security of PII to be vitally important. As such, there are a range of administrative, technical, and physical safeguards in place, as described in further depth in our security policy. Safeguards include but are not limited to: endpoint protection, regular security training, encryption of organizational data, and limiting access to confidential information based on role and caseload.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

USA Scheduler

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Master scheduling solution for the schools, Google integration, School Administration Solutions. To build the master schedule, we need the school rostering information for the course, teacher and their section, students and their course requests or selections. Google integration is optional and not crucial.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.” The vendor stated “Google can be used as SSO (Single Sign On) to make login more secure. Google will pop up and the school needs to authenticate with Google. Only then can data be shared with the school's knowledge and permission.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

  • Server login restricted
  • Backups are encoded
  • SSL encryption
  • Sensitive database encoded
  • Database is restricted
  • Two Factor Authentication

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Vanguard Direct

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. DOE data will be used for communication services for NYC Charter Schools. Data will not be sent to NYC Charter Schools.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

  • Information Classification and Handling–All information in the system will be suitably classified and role based security will be implemented to restrict access to classified information only to authorized roles.
  • Account Management and Access Control–All user logins will be associated with authentication tokens that will be set to expire when certain conditions are met, for instance a specified period of inactivity. All access privileges in the system will be role-based and will be granted based on the job function of the user accessing the system.
  • Encryption Standards–All confidential data will be encrypted in the system, at rest and in transit, using mutually agreed encryption standards and protocols.
  • Secure Configuration–All system configuration will be securely stored and will not be accessible over the network. This information can only be accessed through physical access to the servers, which will also be controlled based on job function.
  • Security Logging–All system and transactions will be securely logged to an audit log and will contain identifiable user information to establish a trail of events when needed.
  • Vulnerability protection–Penetration testing will be performed with the help of security experts, where needed, to ensure the system is protected from known and potential threats.
  • Patch management–System hardware and software components will be regularly patched when such patches are released by their respective vendors. Latest upgrade and security patches ensure the system is secure from all known vulnerabilities.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

 

Variety Boys & Girls Club of Queens

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 9/2021 – 6/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We collect student and parent names and phone number for the community schools program. We provide support through promoting attendance, mental health services, homework help and more to the community of PS 112Q, the youth and families.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Hard copy documents containing student and parent name and phone number are locked in a cabinet in the CSD’s office.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Only authorized administrators have access to confidential data. PII is stored in hard copy in private offices away from public access and on cloud storage on ASAP Connected, the online registration system that Variety Boys & Girls Club of Queens uses. All staff will receive comprehensive training in Data Privacy and Confidentiality of PII through NYSED including training on data privacy policies and procedures, prohibiting electronic sharing of confidential staff or participant data, keeping data stored in hard copy in a private office. Staff must demonstrate understanding of data privacy policies before handling PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Visionaryz

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Visionaryz Inc. will provide the DOE with Staff Augmentation and Project-based work models for various programs. Visionaryz provides IT Project Management, Business Analysis, Software Development, UI/UX Design, IT Infrastructure and Network Operations, and Quality Assurance services. Access to PII is necessary to troubleshoot issues, provide adequate support, and develop initiatives.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Other: No PII will be stored or hosted by Visionaryz Inc. (the entity). Visionaryz Inc. is only providing a staff augmentation resource.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Visionaryz Inc. has policies for access to confidential restricted information, policies for Client Data Security Policies and Protocols, and training procedures on Visionaryz Data Security and Privacy Policy, and training to reduce the risk of authorized disclosure. Additional safeguards include policies limiting data access, sharing data, and accessing confidential and restricted information.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Other: Visionaryz Inc. will not receive, store, access, or host PII. Visionaryz Inc. is only providing a staff augmentation resource.”

Vista Higher Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Vista Higher Learning creates and delivers high-quality, integrated print and digital solutions that meet the needs of all language learners—those learning a new language, improving a second language, or perfecting their native language.

Specifically, the digital solutions provide teachers with learning content, assessments, and course management tools built exclusively for language learning. Additionally, VHL solutions support common educational single sign-on (SSO), rostering, and learning management system (LMS) integration standards.

VHL receives or accesses PII for the following purposes:

  • To facilitate and enable the registration, access, and operation of VHL Digital Products;
  • To respond to teacher requests for product support or customer service;
  • To personalize the use of and experience with VHL Digital Products; and
  • To monitor and improve the overall performance and quality of VHL Digital Products

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.  

  • VHL shall only collect PII in an amount that is reasonable to accomplish legitimate business purposes or necessary to comply with other state and federal regulations;
  • VHL shall limit access to PII to those persons who need it to accomplish a legitimate business purpose or otherwise comply with other state or federal regulations;
  • VHL shall undergo an annual SOC 2 Type 2 Security audit by an external, professional auditing firm.
  • All VHL employees, vendors and independent contractors with access to PII shall agree to confidentiality terms and undergo appropriate security training.
  • VHL shall maintain and operate appropriate incident response and investigation processes and procedures in the event of unauthorized access or use of PII. These include prompt steps to mitigate the access, evaluate and respond to the events, notify users affected by the access, and engage appropriate auditors or examiners in connection with the access.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Votenet Solutions, Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 6/1/2022 - 5/31/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Votenet Solutions provides the software deployed for the nomination and election of Community and Citywide Education Councils. The nomination process involves the completion of an application which has and requires PII as it relates to the parent being nominated and the student relationship to be considered and vetted by the DOE. Once the application process concludes, the DOE, who is in charge of vetting each application, confirms the qualification and consideration of the candidate for the election. Without the PII in the application, the DOE cannot complete their vetting process. As for the voting process, we need PII in order to conduct the verification of the voter accessing the election to ensure they are voting in the council they are eligible and qualified to vote on.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. AWS.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The below details how the Policy establishes the Access controls among the various entities accessing its IT Systems.

  • THIRD-PARTY/ VENDOR COORDINATION
    • The InfoSec Center of Excellence (InfoSec CoE) at eBallot coordinates with vendors/ third-parties to implement and maintain security controls, to safeguard eBallot information assets from unauthorized access by individuals or devices. Active Directory accounts are established through Help Desk ticket requests.
    • Vendors/ third-parties work with their eBallot development managers, account managers, and the InfoSec CoE to determine how access is managed and who, under what circumstances, may access eBallot's information assets.
    • Application Development managers serve as owners for the eBallot application systems that their teams support. Requests for application access go through the application development managers which are then further approved by both the eBallot Account Manager and the InfoSec CoE.
    • Access to specific parts of the network for administrative work is approved by the information asset owners (in most cases this is the Account Manager unless otherwise mentioned). 
  • COMPLIANCE DEVIATION PENALTIES
    • For eBallot employees, failure to comply with the procedures identified in this policy may result in progressive discipline up to and including termination of employment.
    • For eBallot vendors/ third-parties/ non-eBallot personnel, failure to comply may result in removal of the individual’s ability to access and use eBallot data and systems. Employers of non-eBallot personnel will be notified of any violations and respective disciplinary action would need to be undertaken as stated on the contractual agreement with the specific vendor/ third-party.
    • All personnel employees/ vendors/ third-parties are also subject to any applicable penalties for statutory requirements compliance violations. Depending on the requirement and the nature of the violation, penalties could include fines and/or criminal charges. In addition section 4.5 speaks to the Access Management policy for Users and the strict implementation of the policy for Least Privilege Access which ensures that at no point, do any resources have unauthorized access to Votenet’s business or client data. See below.
  • LEAST PRIVILEGE ACCESS
    • Both the InfoSec CoE and eBallot IT must ensure that the principle of least privilege is employed for eBallot Information Assets to ensure that users (or processes acting on behalf of users) are allowed only authorized access necessary to accomplish assigned tasks, in accordance with job duties, consistent with applicable Executive Orders, directives, policies, regulations, standards, and guidance.
    • For the Information Assets that it supports, eBallot IT employs the principle of least privilege, which allows only authorized accesses for users (or processes acting on behalf of users) necessary to accomplish assigned tasks in accordance with job duties.
      • eBallot IT explicitly authorizes access to system utilities, by requiring that they only be made available to those with a legitimate business case.
      • eBallot IT requires that system administration accounts (e.g., root access) be limited to as small a group as possible and based on the principle of least privilege.
      • eBallot IT requires that any administrators first login as themselves (ordinary user) before escalating privileges to that of an administrator.
      • eBallot IT implements safeguards to prevent non-privileged users of Information Assets from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
      • eBallot IT restricts privileged accounts on the Information Asset to defined personnel or roles (defined in the applicable security plan).
      • eBallot IT audits the execution of privileged functions.
      • All eBallot IT-supported Information Assets prevent non-privileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/ countermeasures.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Waitwhile

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 4/13/2023 – 4/12/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Waitwhile is a cloud-based Virtual Queue Management solution that is used to eliminate physical lines, improve waiting experience for customers and reduce wait times overall. Our customers can configure what contact information to collect, how to manage a virtual queue or customers and send text or email notifications. The system will also allow end users to use basic UI to manage a self-serve experience for customers to enter themselves into a virtual queue. The system provides basic store capacity counting with data to show how long wait times are.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Our organization is dedicated to preserving the privacy and security of your data. We have established a comprehensive privacy policy, robust data management procedures, and a fortified infrastructure. Access to sensitive information is stringently controlled, and we consistently monitor and evaluate our systems for potential vulnerabilities. Our employees undergo background checks, receive security training, and adhere to confidentiality agreements. Furthermore, we employ sophisticated encryption measures and conduct annual penetration testing to ensure the utmost security of our products. If you have any inquiries or concerns, please do not hesitate to reach out to us.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Walsworth Publishing Company

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2022 – 9/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. PII data collected is used for the publication of the yearbook. We collect students’ names, images, and grade levels, which are then printed in the final product. We collect parents’ names and addresses when they order yearbooks online, and we use their address if they have requested home delivery.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data privacy is crucial for everyone, and to ensure its protection, we rely on three key aspects: administrative, technical, and physical safeguards. Administrative safeguards involve creating policies, procedures, and guidelines to control who can access sensitive information. Technical safeguards make use of tools and technologies, such as firewalls, encryption, and passwords, to protect data from being accessed by unauthorized users. Physical safeguards are the tangible measures, like keeping files in locked cabinets or secure rooms, to prevent unauthorized access to data storage locations. These three aspects work hand‐in‐hand to maintain the privacy of our valuable personal information and keep it safe from misuse.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Wayside Publishing

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 8/23/2022 – 8/23/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Wayside Publishing’s® mission is to empower the next generation of global learners. Our Learning Site® provides engaging and equitable online tools and resources that foster active learning, allows for innovation and personalization, builds a global community, and creates an online ecosystem that depicts what users can do with languages. Through our content, activity types, and technology, students are given choices, have flexibility, make connections, set goals, and collaborate amongst classroom communities to apply learning to real world challenges.

We collect, maintain, use and share Student Education Records only for an authorized educational purpose in connection with the Services, or as directed by the School, the Student User and/or the student’s parent or legal guardian (a “Parent”). The following types of student PII (as defined in FERPA) that Wayside Publishing will receive or access are as follows:

  • Activity Task Answers
  • Audio & Video Recordings (associated with Activities/Tasks or Forums)
  • City
  • Email
  • First Name
  • Gender
  • Last Name
  • Password
  • Proficiency Self-Assessment Results (Cando's)
  • Profile photo
  • Rostering/Integration ID Number
  • School NCES ID
  • SIS ID Number
  • State
  • Survey Responses
  • User ID Number (Wayside identifier)
  • User Type (Teacher vs Student)
  • Username
  • Vocabulary Grades
  • Vocabulary Performance Reflection
  • Zip Code

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services (AWS), Google Analytics, Nualang, Quickbooks, Salesforce, Sentry, and Shopify.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Wayside Publishing performs regular internal network penetration testing, external network penetration testing, and web application testing using a third-party cybersecurity vendor. Wayside Publishing also engages with a third-party cybersecurity vendor to perform regular application security scans of the Learning Site. A NIST cybersecurity framework maturity assessment was also performed by a third-party cybersecurity vendor with an objective of identifying optimal changes that can be implemented to ensure Wayside's security program is relevant and sustainable.

Wayside Publishing's Learning Site follows OWASP requirements and data is stored using Amazon Web Services (AWS) and encrypted at rest using no less than 256-bit AES. District passwords and data transmitted through web browsers are encrypted in transit using TLS 1.2 protocol when requested; by default we use TLS 1.3. Wayside Publishing is constantly working to reduce the likelihood and data security impact of security issues.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Westhab Inc

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Westhab’s services include academic support, enrichment activities, social-emotional learning, and mental health support during school hours and out-of-school hours, holiday breaks, and summer. As the lead CBO, we will assist the school administration and school community in assessing and addressing the needs identified for the school. Westhab Inc. receives or accesses PII to gauge attendance rates during the school day and the rate of participation of students in the afterschool program. In addition, the data is used to contact parents to address attendance issues or assist the school administration in addressing chronic absenteeism.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All physical data is kept in a locked file cabinet and only certain staff have access. Westhab employees with access to the files are instructed to not remove them from the Department of Education site or to make copies of them without authorization. After school staff will have access to a dedicated Chromebook device provided by Westhab that is on the school’s network and meets their safety and security standards. Westhab Inc. will use dedicated web-based computers with no local storage to track student attendance in our after-school program. Electronic student data is only accessible by a limited number of Westhab Staff. All Westhab staff conduct annual training on email and data privacy and security that includes identifying phishing and scams.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Wheelchairs Against Guns

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We will be privy to student PII for programming purposes only, which will include keeping track of program attendance and grades if need be. The purpose of the PII will be to keep track of students who are a part of the program. WAG will conduct workshops that will include conflict resolution strategies, critical thinking techniques, self-esteem building, and financial literacy. These workshops will be conducted during school hours from 12pm-2:25pm Mon, Weds, and Fri for the duration of FY 22-23. There will be 2 assigned facilitators that will present the workshops to a selected body of students. The purpose of the PII will be to keep track of students who are a part of the program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE's option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Apple iCloud.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All staff must pass a thorough training course on the importance of storing and securing students’ PII to a 128 encrypted software and iCloud as our subcontracted entity. All info is wiped clean from all former employees’ assigned iCloud as all hardware and software is returned to WAG.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

William H. Sadlier, Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 2/1/2017 – 1/31/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. William H. Sadlier Inc., an existing contracted vendor for Educational Software with the New York City Department of Education, provides schools with programs identified within the contract on Sadlier Connect.

Sadlier Connect is a single sign-on learning platform that supports schools with content in the areas of K–12 English Language Arts, Grammar, Vocabulary, Reading, and Mathematics and supports administrators and teachers by providing easy access to high quality programs and the ability to create assignments, generate detailed reports, and identify recommended resources to lead students toward meeting the expectations of grade-level standards.

Sadlier Connect also supports learning inside and outside of NYC classrooms; students and families have access to free, engaging, program-specific games and digital resources in a variety of formats (audio, video, and interactive) that can be accessed anytime, anywhere, on most Internet-accessible devices.

We will use the Personal Information that we collect from students solely for the use and benefit of the NYC DOE, including providing the Site's educational services to its registered accounts. We do not use the Personal Information that we collect from students for commercial purposes not related to the provision of the services requested by the NYC DOE.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

“For subscriptions to Sadlier Connect, NYC DOE data will be destroyed/returned following the earliest of the following events: a written request from NYC DOE for destruction or return of data; or the date when the data is no longer needed to provide the services, or the date of the expiration or termination of the agreement.” In addition, the Entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

  • Sadlier Connect uses Amazon Web Services (AWS) Key Management Service (KMS).
  • All data is transferred to/from Sadlier Connect using HTTPS/TLS.
  • Data is encrypted in transmission using the current SSL and TLS standards and at rest at no less than 256-bit level encryption.
  • The development team primarily develops on lower tiers, and when they work in our production environment, they use scrubbed or synthetic data (i.e., email addresses and passwords are altered.)
  • Vulnerabilities are triaged and repaired according to scope and severity.
  • Intrusions are prevented by a defense-in-depth strategy including software and virtualized hardware firewalls and strict limitations on the personnel who are authorized to access our infrastructure. We continue to evaluate improvements to security protections. All job applicants who have accepted a job offer are required to go through a background check through an external vendor. Additionally, HR conducts reference checks for all potential employees prior to their starting with Sadlier.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Wilson Language Training Corporation

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2023 – 6/30/2029

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. PII will be used in connection with the provision of FUN HUB, a teacher tool that provides downloadable PDFs and videos to aid in teachers’ instruction and professional learning.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Wilson Language Training Corporation (“WLT”) collects student name, School, grade, Fundations® Level, and Fundations assessment scores for students. With respect to educator data, WLT Corporation receives the following information: first and last name, school name, school district, school email address, and other information about the Educator’s School. WLT provides for administrative, operational, and technical safeguards, including encryption, firewalls and password protection. These safeguards meet the requirements of applicable law, industry standards, and best practices. Safeguards include:

  • User Access. Use of an account and a password is required to access our Digital Products. We do not offer Users, including Students, any way to login to our Digital Products through social media tools.
  • Employee Access. Access to Customer Data is limited (through user/password credentials and two factor authentication) to those employees who require it to perform their job functions. Our employees with access to Customer Data will receive training on data privacy (including on FERPA and New York Education Law 2d) prior to receiving access and on an annual basis thereafter. All employees must sign a confidentiality agreement before they join the company, and background checks are conducted as part of the onboarding process. We conduct phishing and social-engineering awareness testing and education for our employees.
  • Storage and processing. Student Data is stored in the United States. We maintain strict administrative, technical, and physical procedures to protect Customer Data stored in our servers, which are located across Tier 1 data centers that are logically and physically separated locations. Our hosting provider implements security measures in accordance with industry standards.
  • Encryption. We use industry-standard TLS 1.2 encryption technology to safeguard the account registration process and sign-up information. Other security safeguards include but are not limited to data encryption, firewalls, and physical access controls to building and files. Data is encrypted during transmission and at rest.
  • Device Controls. We encrypt all of our employee laptops, and those devices are centrally managed and covered by anti-virus protections which are updated periodically. Laptops are password protected.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Wonder Workshop

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement has an End Date: 08/10/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We use student names (profiles) to save and progress through our curriculum and save their programs to the cloud.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the Entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Backups are encrypted. User data is only available in secured databases on the cloud. Test environments do not use production user data. Test environments use the same security controls as the production environment, with separate security keys. Data in transit encrypted via TLS. Data storage and backups encrypted with AES 256.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Worked, Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 5/16/2022 – 5/27/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Worked, Inc. is creating a 20-hour Cybersecurity Externship which is a Work Based Learning Program for NYC DOE high school students to engage with Cyber careers.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We collect the minimum amount of data required to successfully operate our programs. In the case where information is obtained from a student that is under the PII label, we only keep that sensitive information within our lead teacher, leadership, and lead host team members. Everyone is trained on the right practices. All sensitive data collected in our service is encrypted and aligned with best practices and we have controls which support this collection and data use.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Writable

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Writable scaffolds student learning and builds lifelong writing and reading skills for students in grades 3-12, while saving teachers time on daily instruction and feedback. Working with 16,000 schools and districts, Writable provides formative assessment and feedback tools for teachers and district leaders to assign, grade, and monitor writing growth.

Writable needs to collect student PII in order to identify students in the system and for teachers to manage writing assignments to students in their classes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., (US regions only) using RDS, ElastiCache, OpenSearch, and S3.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Writable hosts its networks and services in US regions of Amazon Web Services (AWS) in accordance with the Shared Responsibility model. AWS is widely recognized as a security leader with multiple certifications for SOC 2, ISO 27001, FedRAMP, and many other compliance programs. Attestations for these certifications can be supplied upon request.

Role-based access controls and system-level policies limit access to all user data. Authentication cookies automatically expire after a period of disuse and only one device can be logged into Writable as a given user at a time. Passwords are secured using a one-way salted hash.

Writable provides federated login allowing Controllers to own and manage the user accounts, only authorizing Writable for permissions requested and only when they are needed.

All network transmissions are encrypted using TLS including browser connections and server-to-server. Encryption at rest utilizes strong AES-256-GCM symmetric encryption with securely managed rotating keys. Encryption at rest utilizes TLS 1.2 or better with no weak ciphers (those based on RC4, MD5, DES, 3DES, or anything with a key length less than 128 bits).

Product environments run in dedicated software-defined networks logically separated from any other environment. Access to the network requires VPN connection secured by strong passwords and multi-factor authentication. Network access control list rules prevent unauthorized connections to all APIs and databases. Access to public web interfaces passes through a web application firewall (WAF) to detect malicious access attempts.

Subcontractors are not granted access to PII. Production data made available to subcontractors is either aggregated or otherwise de-identified prior to transmission.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

WSD Digital (also called ReFrame Solutions)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/19/2021 – 7/19/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The ReFrame system is housing student first name and last name. The ReFrame System is housing parent or guardian phone number only. The system receives updated student first name and last name from school Principal. Parent phone numbers are received from school Principal. This PII data is used for communication purposes only for the Bronx Technology and Engineering Academy.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ReFrame Engage is delivered on a SaaS (Software as a Service) basis, with Cloud hosting supplied by a secure, highly reliable, and redundant AWS Cloud (using geographically diverse data backup). The application is designed to provide access to data on a need-to-know basis, always protecting PII and privacy including the segregation or suppression of sensitive data where appropriate based on Role Permissions. All data is encrypted in transit and at rest. Employees undergo annual cybersecurity training as part of HR policy.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Xello Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: Starting on 11/3/2021

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Xello provides college & career readiness software that allows students to discover relevant college, university, trade, military and career options based on their personality, skills, and knowledge. Xello requires certain PII in order to provision accounts for teachers and students, and for teachers to be able to interact with their students.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

Physical Controls:

  • Environmental control (constant temperature and humidity maintenance, particulates filtration), fire suppression systems, redundant power sources and UPS backup.
  • Round the clock physical security (card entry, video monitoring of the facilities).
  • Data center access logs (Azure).

Technical Controls:

  • Logging and auditing of network access.
  • Continuous monitoring (SIEM).
  • Firewall & endpoint protection.
  • Network segregation.
  • Encrypted data in transit through the use of TLS 1.2.

Administrative Controls:

  • Utilization of the principle of least privilege.
  • Vulnerability testing.
  • Security awareness training (including FERPA and COPPA).
  • Criminal background checks on all employees.
  • Employee NDAs.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Yegros Educational (for Conjuguemos)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 4/1/2023 – 4/1/2026

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Entity provides a service called Conjuguemos. It’s a website for foreign language practice. Students log in and practice verb conjugations on the site, and the site keeps track of student progress and shows that progress to the student’s teacher. We collect PII so that students can create accounts and do school work on our site. This work is done with accounts so that teachers can then track student progress by looking at these student accounts.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Please refer to our privacy policy (Https://conjuguemos.com/privacy) for a description of how Conjuguemos safeguards PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

YMCA of Greater New York

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We provide many services, including YMCA Afterschool and/or other extended learning time (ELT) programming and Family engagement and schoolwide events.

As a contracted community school and afterschool provider, the YMCA may require access to PII to monitor attendance in programs and contact families.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The YMCA will hold all confidential information it processes in compliance with all applicable provisions of federal, state and local law, including:

  • Administrative safeguards
    • The YMCA limits access to a minimal number of authorized personnel who have a legitimate need for such access.
  • Operational safeguards:
    • All documents must be stored securely. Access to storage is limited to only staff who must have access.
    • YMCA Staff manuals and trainings outline comprehensive policies for preventing and reporting security incidents.
  • Technical safeguards
    • The YMCA will limit use and storage of sensitive data
    • YMCA will maintain best security practices configuration guidelines for all systems and update system at least 2x per year, if needed

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Young Audiences – New York Inc (YANY)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Young Audiences-New York Inc (YANY) provides innovative, interactive opportunities in the visual arts, music, dance, theater, and digital art to inspire young people and expand their learning. The organization engages children in a 5-step art-making process, which is aimed at expanding social networks, increasing self-awareness, and developing critical life skills. It connects educators, professional artists, and communities to foster creativity, self-expression, and cultural understanding among young people through arts learning experiences.

PII is needed to complete enrollment and registration, and ensure attendance. PII is also needed to communicate with families.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft SharePoint.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

  • Administrative / Physical Safeguards:
    • Device Management: Company issued computing devices and phones are meant to be used only by the assigned employee.
    • Authorized Tools: All software, print or electric information will not attempt to be utilized by unlicensed software.
    • Proprietary Data:
      • All programs used by YANY or company property and protected under contract no data should be copied or given to anyone outside the organization.
      • Confidential data in storage destruction YANY takes preventative measures to ensure all confidential, protected or restricted data is safeguarded.
      • Copies of documents containing confidential data must be removed immediately from office equipment after printing, copying or faxing. Documents should not be left unattended for indefinite periods of time.
      • Paper documents with confidential, protected or restricted data that no longer need to be retained by the company shall be destroyed by a paper shredder.
      • Under no circumstances shall records potentially subject to known or reasonable anticipated investigation by a government agency or relevant in pending litigation involving YANY be destroyed.
      • Notification of Policy to Staff: Copy of the notice sent to Staff detailing organizational policies to safeguard data.
  • Technical Safeguards:
    • Encryption: SharePoint encrypts all data stored in YANY’s storage solution.
    • Access controls: Multi factor authentication (MFA) is enabled on company devices to protect user accounts from being accessed by unauthorized personnel. YANY’s SharePoint site has permissions implemented to stop unauthorized staff members from accessing sensitive data outside their assigned scope of work.
      • Please note: All access controls are set up during onboarding.
    • Network Security: Employ firewalls, intrusion detection and prevention systems, and regular security updates to protect against unauthorized access, malware, and other cyber threats. Network maintenance is performed on a quarterly basis.
    • Regular Data Backups: SharePoint backs up data in real time.
    • System Monitoring and Logging: RMM implemented monitoring and logging systems to detect and respond to any suspicious activities or unauthorized access attempts.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Young People’s Chorus of New York City (YPC)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. YPC will be partnering with the New York City Public Schools to provide choral music education instruction to students at participating students. Student PII is used to administer this choral music education program, including to take attendance and to create nametags for the students.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third-party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. YPC maintains reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of Student PII in its custody; such safeguards shall include:

  • Logical access controls designed to manage access to data based on authority levels and job functions.
  • Physical and environmental security of facilities and other areas containing Student PII designed to protect information from unauthorized physical access or damage.
  • Organizational management and dedicated staff responsible for the development, implementation, and maintenance of YPC’s information security program.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Zearn

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Zearn’s services are our Zearn Math School Account which includes access to Zearn Math. Zearn Math is the top-rated K-8 comprehensive math learning program for the full school year. Zearn’s instructional materials are designed to fit a range of instructional needs, including use as a digital conceptual math supplement. Zearn Math is the only EdReports top-rated math resource that connects daily core instruction, intervention, and learning acceleration in one comprehensive math program to ensure all students can be successful with grade-level math. In addition to the full Zearn Math curriculum, School Accounts offer schools and districts dedicated customer support and implementation, administrator reporting on student progress, and rostering support. Protected Information will be used only as necessary for Zearn to perform the services associated with Zearn School Accounts. The personally identifiable information will be used to roster the students, deliver Zearn’s services, and provide in-app reporting on student progress to the subscribing school district, school, or classroom.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. Entity states “PII will be securely destroyed within 30 days of expiration or termination of the applicable Services Contract. We enable this 30-day period to allow the Zearn School Account Holders time to transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option, and to ensure that if the account needs reactivated in that limited time, you retain continuity of your classroom progress. During the 30 days that your account is inactive, we do not access your account data.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services (a cloud hosting database), Heroku Enterprise (a cloud hosting application and database).

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Zearn shall maintain the confidentiality of the shared student data or teacher or administrator data in accordance with federal and state law and the educational agency's policy on data security and privacy. Zearn has the following administrative, operational, and technical safeguards and practices in place to protect personally identifiable information. Zearn shall: limit internal access to personally identifiable information to only those employees or subcontractors that need access to provide the contracted services; encrypt data in transit and at rest at 128-bit encryption or better; utilize two-factor authentication prior to access to personally identifiable information; utilize antivirus and malware software on computers that access personally identifiable information; conduct regular software security updates; implement additional network and physical security measures consistent with commercially reasonable security standards used to help safeguard pupil records; monitor hosted and collected data for unauthorized intrusions using network-based and host-based intrusion detection mechanisms through its cloud hosting provider; use access control and redundancy to ensure the resilience of the data collected and stored, through its third-party cloud hosting provider; destroy personal data according to internal policy and external commitments; and require Zearn staff members undergo annual privacy and security training.

Zearn will ensure that subcontractors and third-party service providers with whom Zearn shares Protected Information abide by all applicable data protection and security requirements by entering into written agreements whereby such parties will perform their obligations in a manner consistent with the data protection and security requirements outlined therein.

Protected Information will be stored in a secure data center in the United States using monitoring of the access doors, fire and security monitoring, system health and intrusion monitoring, data backups and retentions. Data storage and access will comply with the Advanced Encryption Standard (AES) with minimum of 128-bit key encryption.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Zenphi

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2023 – 7/1/2024 (subject to renewal)

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Zenphi is a business process automation platform. Our customers automate their business processes using Zenphi with a few drag and drops. At Zenphi we do not store any known PIIs from clients other than the email address of the user accessing Zenphi portal. This is used for authentication, authorization and internal communication purposes only. Any other information ingested in Zenphi workflow engine as part of the workflow execution is unknown to Zenphi and is double encrypted using a key specific to the workspace. DOE schools will use Zenphi to create workflows that contain student PII.

Type of PII that the Entity will receive/access: Student PII. “Depending on the process the user automates, they may decide to use student information, etc. This information is ingested for the duration of the workflow execution and the user has the option to clean it from the workflow engine when the execution is finished. Since any data (PII and non PII) which is ingested during the workflow execution is double encrypted with workspace specific keys, and because access to our production environment is locked down, no one at Zenphi is able to access any user workflow data.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

  • whenever requested by the DOE
  • whenever the entity no longer needs the PII to provide services to the DOE
  • whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
  • no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity states “Since at Zenphi we do not know the type of data our users are ingesting, upon an official request we can only provide a copy of any existing data you have ingested. Some of this data may be encrypted and you (i.e. the Zenphi user) may need to export the raw data from within your workspace.”

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Workflow cloud storage and datastore.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Security is built into every part of our operation and platform. On top of that we are an ISO27001 certified company and follow all the known best practices. All user data is encrypted in transit and at rest. On top of this, each workspace gets assigned a dedicated encryption key, and data at rest is double encrypted with the workspace specific keys. The keys themselves are encrypted and managed by GCP vault. The access to production environment is locked down and is only granted on absolute need basis through an audited process. The users also have the option to delete their data as soon as the flow execution is finished.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Zoobean

The exclusive purposes for which Protected Information will be used: Students’ first and last name will be used to personalize the experience when logged into our application. Their email address or school district username will be used for authentication purposes in the instances where SSO [NYCDOE comment: single sign on] isn’t available. Their age and/or grade level will be used to place them into the appropriate reading challenges for their age group. Finally, their section enrollment will be used to allow their teachers access to their reading history and achievement data.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: We do not share student data with subcontractors or anyone outside of full-time employees directly supporting our work with NYC DOE. All Zoobean employees are required to complete a background check including social security number trace, nationwide criminal database search, sex offender registry search, county criminal court search, and domestic watchlist search. Employees attend semiannual company training and performance reviews that may include, but are not limited to, abiding by all current data protection and security requirements.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: When the agreement expires and NYC DOE no longer wishes to utilize our application, all data related to their district will be fully deleted from the database and all stored backups. Once the data is fully destroyed, the application will disconnect from the preferred NYC DOE SSO & Rostering service and their sites fully decommissioned.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE to process requests for copies of, and challenges to the accuracy of, Protected Information in the custody or control of the Contractor. Such requests should be directed to studentprivacy@schools.nyc.gov. We obtain our student/teacher data directly from 3rd party vendors like Clever and Classlink, or custom integrations. In all of those instances, we have the means to import the data so it matches the data found in those services.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All information will be stored in the US.

How the data will be encrypted (described in such a manner as to protect data security): The data in the database is encrypted at rest and all data is encrypted end-to-end while in transit via TLSv1.2.

Zoom

The exclusive purposes for which Protected Information will be used: The personal data transferred may be subject to the following basic processing activities:

  • account configuration and maintenance;
  • facilitating conferences and meetings between data subjects and third party participants;
  • hosting and storing personal data arising from such conferences and meetings solely for the purposes of providing the services;
  • customer/client technical and operational support

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Zoom shall ensure that each subcontractor is contractually bound by an agreement that includes confidentiality and data security obligations equivalent to, and no less protective than, those found in Zoom’s agreement with the NYC DOE.
 
3. When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Within thirty (30) days of contract termination, Customer may download any stored Protected Information. After that thirty (30) day window, Zoom will delete in accordance with its data deletion protocols.  
[NYC DOE comment: The current agreement became effective starting on May 1, 2020 and terminates when all NYC DOE schools and/or offices cease using Zoom's products/services. The terms of the agreement remain effective through the period during which Zoom possesses or otherwise is in control of covered protected information.]
 
4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All content stored by Customer will be stored in the US via Amazon Web Services (“AWS”). Zoom uses a network of co-located data centers to provide the real-time communications service to our customers. Customers/End Users are connected to the co-location that is nearest to their geographic location. At the customer's request, certain datacenters can be disabled on the account. Data does not permanently reside in the co-located datacenters. Zoom leverages AWS in the U.S. for persistent storage of Customer Content (i.e., cloud recordings, chat logs, meeting reports).
Zoom has data centers in the following locations:
  • New York
  • San Jose, California
  • Denver
  • Toronto
  • Amsterdam
  • Sydney
  • Melbourne
  • Frankfurt
  • Tokyo
  • Sao Paulo
  • Mumbai
  • Vancouver
  • China

Zoom follows the recommended security controls established by the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Zoom's security framework includes role based security access controls (RBAC) that enable or prevent access to client data based on the principle of "least privilege" necessary for an employee's job function. Additionally, technologies are in place to protect against outside threats, including controls such as network perimeter firewalls, security groups, intrusion detection systems/next-generation firewall (advanced threat protection), file integrity monitoring (FIM), security information and event management (SIEM), endpoint anti-malware protections, and company-wide multi-factor authentication to Zoom IT resources, to mention a few.
 
Additionally, Zoom is working towards incorporating compliance with NIST 800-53 standards and leveraging these standards for the further development and maintenance of its overall, strategic security plan.
 

How the data will be encrypted (described in such a manner as to protect data security): For Zoom client (application): By default, Zoom encrypts in-meeting and in-webinar presentation content at the application layer using TLS 1.2 with Advanced Encryption Standard (AES) 256-bit algorithm. For dial-in participants joining by phone, the audio is encrypted until it leaves Zoom's data centers and is transferred to the participant's phone network. Encryption can be required for H.323 and SIP devices joining Zoom meetings. This setting is configured at the account level, group, or user level. Once enabled, encryption will need to be enabled on these devices when joining your Zoom meeting or they will receive an error and be unable to join. Note: You can also enable or disable encryption for chat. For more details, please refer to the article: https://support.zoom.us/hc/en-us/articles/201362723-Encryption-for-Meetings

Data at rest is protected leveraging Amazon Server Side Encryption (SSE) using 256-bit Advanced Encryption Standard (AES-256).