Vendors A-H

21st CentEd

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 2/1/2022 - 2/1/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. 21stCentEd’s online educational services collects contextual or transactional data as part of its operations, often referred to as “metadata.” Metadata refer to information that provides meaning and context to other data being collected; for example, information about how long a particular student took to perform an online task has more meaning if the user knows the date and time when the student completed the activity, how many attempts the student made, and how long the student’s mouse hovered over an item (potentially indicating indecision). This metadata is not linked to FERPA-protected information.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The 21stCentEd Data Security Plan (DSP) details procedures implemented at the administrative level to protect private information such as training personnel on information handling best practices. The DSP also outlines the physical protections implemented for protecting private information such as ensuring paper records and servers are secured and access-controlled. Lastly, the DSP includes 21stCentEd’s technology-based instruments and procedures used to protect private information such as requiring Common Access Cards for System Access and encrypting computers and emails.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Abbott House

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Community Schools Resource program of Abbott House provides both PS294 and PS311 with Mental Health services, community engagement initiatives, and family support. We provide in-school individual and group counseling to students with mental health challenges. We not only help students in school but help families bridge the educational gap with attendance initiatives, connecting them to resources in our community, applying for public assistance and advocating for the needs of their family. We use PII to contact families to receive our services and connect them to the school community. Additionally, PII is used to inform our decision making when targeting vulnerable populations that may need our assistance such as students with low attendance rates or students in temporary housing.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., ASARA Fulton Street Software.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The Entity has a data privacy and security policy in place that implements principles, processes and solutions that facilitate secure business operations related to data privacy and security. The policy is reviewed frequently to manage the new challenges and requirements of the funding sources. This policy identifies the categories of attack surfaces (cyber-attack vulnerabilities), path by which cyber-attacks are enacted and the processes or technologies used to prevent these attacks and protect Abbott House information assets. The following areas are managed by advance technologies, constant monitoring and various physical/technical and administrative controls to ensure protection against data breaches and cyber attacks.

• Network Security/High Availability
• Web Content Filtering/IPS
• Anti-Virus/Anti-Malware
• Anti-Spam/Phishing
• Access Control
• Data Encryption
• Email Security/Encryption
• Patch Management
• Data Backups/Testing
• Mobile Device Management
• Secure Wi-Fi
• Print/Fax Security
• System Disposal
• 3^rd Party Security Audits
• BC/DR Plan
• Cyber Security Awareness Training
• Cyber Liability Insurance

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Academics in Motion

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 9/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We will compare student data before our programing and during our program to see the students improvements pertaining to academic progress and attendance results, only. We will provide Academic Support, SEL and Life Skills workshops, wellness activities and college and career resources.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. AIM PII data is reported to and stored in AIM database which uses usernames and passwords to prevent unauthorized access and to restrict user access within the application. Each unique user account is assigned access to programs and permission sets to restrict access to data and features in the system. Data is stored using redundant Amazon Web Services hardware technologies and SSG fault tolerant software and journaling file systems. All data is automatically encrypted while in transit and in storage. User-based permissions and audit trails further enable secure access to data within the system. To prevent breaches the AIM database conducts continuous vulnerability scanning, integrated security code scanning, and penetration testing. In the event systems are affected by a breach, it is their policy to notify without undue delay, and in no case greater than 48 hours, from the confirmation of a data breach.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Acadience Learning Inc. (ALI)

Type of Entity: Research Institution or Evaluator

Contract / Agreement Term: Nondisclosure agreement was signed on 6/25/2021

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The purpose for which ALI will receive/access PII is to provide online assessment and data management services for Acadience assessments and for psychometric and research services which may be called upon by NYC DOE.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The Acadience Learning Online (ALO) system follows industry-standard best practices to ensure that all system data, including data containing PII, is secure and protected at all times. Technical security protections include, but are not limited to: encryption of data in transit and at rest, use of US based servers, proactive monitoring of network access, and regular security testing and review of results. ALI takes a proactive stance on mitigating data privacy and security risks by utilizing strong security procedures and protocols.

Additionally, ALI upholds rigorous internal policies to ensure that employees with access to data containing PII follow strict procedures related to the handling and management of sensitive information. Employees with access to sensitive information must first complete required training before gaining ALO system access, and system access is limited to employees who need access to the information to complete job duties.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Accelerate Learning (for STEMscopes, Math Nation)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. PII is utilized solely for application operations and curriculum interaction by students and teachers.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subtractor, i.e. Amazon Web Services.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Accelerate Learning (ALI) implements cybersecurity practices and requirements based upon CIS’s well-established Controls and Benchmarks that are compliant with the federal standards in the Federal Information Security Management Act (FISMA) in NIST Special Publication 800-53 Revision 5, published September 2020. We implement authentication, authorization and accounting (AAA) based on these controls following a least privileged model. Additionally, ALI utilizes leading industry tools to monitor, restrict, and secure information resources and sensitive data. The fundamentals of our security operations include:

• Passwords and Employee Access. Accelerate Learning Inc secures all usernames, passwords, and any other means of gaining access to the Services or to Student Data, at a level suggested by the applicable standards, as set forth in Article 4.3 of NIST 800-63-3. ALI only provides access to Student Data to employees or contractors that are performing the Services. Employees with access to Student Data shall have signed confidentiality agreements regarding said Student Data. All employees with access to Student Records shall be subject to criminal background checks in compliance with state and local ordinances.
• Destruction of Data. Accelerate Learning Inc destroys or deletes all Student Data obtained under the Service Agreement when it is no longer needed for the purpose for which it was obtained.
• Security Protocols. Accelerate Learning Inc utilizes security protocols that meet industry standards in the transfer or transmission of any data, including ensuring that data may only be viewed or accessed by parties legally allowed to do so.
• Employee Training. Accelerate Learning Inc conducts periodic security training to those of its employees who operate or have access to the system.
• Security Technology. When the service is accessed using a supported web browser, Accelerate Learning Inc employs industry standard measures to protect data from unauthorized access. The security measures include firewalls, deep packet inspection, application stream analysis, restrictive load balancing, network segmentation, network ACLs, data transit encryption utilizing TLS 1.2 with 2048-bit certificates, data at rest encryption utilizing 256-bit AES encryption, log aggregation and analysis, vulnerability management and remediation process, application authentication, server authentication and administrative authentication following least privileged access.
• Periodic Risk Assessment. Accelerate Learning Inc conducts regular digital and physical risk assessments and remediates any identified security and privacy vulnerabilities in a timely manner.

We adhere to the following standards, laws, and certifications:

• NIST Cybersecurity Framework v.1.1
• NIST SP 800-53 Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (CSF), SP 800-171
• ISO 27000 Series
• Center for Internet Security (CIS) Critical Security Controls (top 20)
• Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99)
• Children's Online Privacy Protection Act (COPPA)
• Protection of Pupil Rights Amendment (PPRA) 

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Achieve3000, Inc.

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 9/1/2022 – 8/31/2029

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Achieve 3000, Inc. offers multiple products that will collect Personally Identifiable Information (PII) including: Actively Learn, Actively Learn Unlimited, Achieve3000 Literacy, Achieve3000 Literacy with Boost, SmartyAnts, Achieve3000 Math, eScience3000, and NWEA MAP Informed Learning Path.

Achieve3000, Inc. will use personally identifiable information (“PII”) to provide the educational product or service subscribed to by a DOE institution or to process transactions such as information requests or purchases in order to meet our contractual obligations to the DOE institution that has subscribed to our products and services . We will also process DOE PII to meet our legitimate interests, for example to personalize your experience and to deliver relevant content to DOE; to maintain and improve our services to the DOE; to generate and analyze statistics about DOE use of the services; and to detect, prevent, or (if permitted by law) to respond to fraud, intellectual property infringement, violations of law, violations of our rights or our terms of use for Achieve3000, Inc. online products and services, or other misuse of the services. Except as described in this notice, we limit the use, collection, and disclosure of DOE PII to deliver the service or information requested by DOE.

• Actively Learn- Actively Learn gives teachers access to thousands of texts and videos for ELA, social studies, and science with scaffolds and data to inform instruction
• Actively Learn Unlimited - Actively Learn Unlimited gives teachers access to thousands of texts and videos for ELA, social studies, and science with scaffolds and data to inform instruction, plus an additional 6,500 copyright books from publishers including Penguin Random House, HarperCollins, Simon and Schuster, and HMH.
• Achieve3000 Literacy - Achieve3000 Literacy is a digital learning solution that accelerates literacy growth for all students through differentiated content and instruction. A wide body of research, including a gold standard study with a rating of Strong from Evidence for ESSA, has shown Achieve3000 Literacy can double and even triple expected learning gains
• Achieve3000 Literacy with Boost- For targeted and intensive intervention, Achieve3000 Literacy with Boost for Intervention accelerates the literacy gains of students who need additional supports and services. Achieve3000 Literacy’s suite of classroom-tested scaffolds for students and supports for teachers, combined with Achieve3000’s patented methodology and world-class technology, deliver a successful RtI implementation with results that you and your students can see after a few as four lessons. Plus, with Achieve3000 Literacy’s focus on nonfiction science and social studies content, as well as academic vocabulary, intervention students do not miss out on essential grade-level, standards-aligned instruction while engaged in Tier II, Tier III, or Special Education instruction during targeted instruction in the general classroom or intensive intervention in a specialized classroom.
• SmartyAnts - Smarty Ants is an effective, research-driven solution that differentiates instruction in foundational reading skills and accelerates student achievement – all in an engaging, interactive, online learning environment. The program continuously evaluates each student’s exact skill level, learning temperament, and learning pace. Based on this information, the adaptive content system automatically delivers the right level of skill instruction and practice to keep learners in the zone of proximal development. No two students will approach the content or process in the same manner, but they all will reach the same critical milestones for primary-grade literacy success and emerge as confident, capable readers ready for the challenges of second grade and beyond.
• Achieve3000 Math - Achieve3000 Math offers a powerful experience to support math fluency and skills mastery across grades, standards, and topics. The solution includes individualized practice and intervention for math standards mastery for elementary, middle, and high school learners.
• eScience3000 - Core science program for grades 6-8
• NWEA MAP Informed Learning Path - Achieve3000 offers access to the Northwest Evaluation Association (NWEA™) -MAP Informed Learning Paths. MAP Informed Learning Paths use MAP assessment data and Achieve3000 data so that Achieve3000 user can create a personalized and differentiated learning path for each student. Teachers can easily see each student’s results by RIT ranges and assign lessons to address skill strengths and weaknesses. Instructional recommendations for each skill and concept further help teachers to differentiate instruction.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Amazon Web Services; and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Achieve3000, Inc. utilizes the most up-to-date security systems and 24/7 monitoring. Achieve3000, Inc. also has very strict internal processes to safeguard customers’ data, and all applications are built in compliance with federal regulations including FERPA. System penetration testing, vulnerability management and intrusion prevention is managed in conjunction with our third-party infrastructure provider. The application logs security-relevant events, including information around the user, the date/time of the event, type of event, success or failure of the event, and the seriousness of the event violation. User authentication communication and storage is protected by 256-bit advanced encryption standard security. Achieve3000, Inc. employs Role-Based Access Control (RBAC) and Principle of Least Privilege (PoLP) when provisioning access to its infrastructure and technology. All access follows approval flows, logged, and audited. The Achieve3000, Inc. Cybersecurity and Privacy Teams maintain a 24x7 security incident process and a confidential Incident Response Plan, along with standard operating procedures for handling security incidents and notifications. The infrastructure which hosts Achieve3000, Inc.’s digital products reside in AWS, which is physically located in Amazon’s datacenters, which are all SOC 2 compliant.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

The Achievement Network

The exclusive purposes for which Protected Information will be used: The information collected is first used to enable access to ANet’s online platform, myANet, which provides resources and reports for District and Schools leaders. These data also allow ANet coaches and school leaders to understand student performance on interim assessments administered. These learnings then enable ANet to provide the appropriate guidance and best practices to boost student learning. Additionally, we also occasionally use anonymized, aggregated student response data to inform our own internal analyses of the efficacy of our services and tools.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: ANet and our partners are considered to be a “School Official” under FERPA. Access to data reports that include more granular student data can only be accessed through our secure data reporting platform. Any individual or non-aggregated student data is available only to that student's school leaders and teachers, not to other educators in the network.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: ANet typically retains all data collected. In the event that a partnership with ANet is concluded, user access to the myANet platform will be terminated on a mutually agreed upon date. This ensures that the data collected for that partner is no longer available to other schools within the district that utilize the platform. [NYC DOE comment: The current agreement became effective starting on December 20, 2019 and terminates when all NYC DOE schools and/or offices cease using The Achievement Network’s products/services. The terms of the agreement remain effective through the period during which The Achievement Network possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Our data and servers are part of AWS and are housed in US-based AWS data centers. https://aws.amazon.com/compliance/data-center/controls/. At our offices we do not have any servers.

How the data will be encrypted (described in such a manner as to protect data security): Applications communicate with RDS databases within a secure Virtual Private Cloud (VPC) via Transport Layer

• Security version (TLS) 1.0 and 1.2.
• AWS RDS encryption at rest with KMS uses FIPS 140-2 validated hardware security modules (HSMs) to generate
• AES-GCM 256-bit keys.

Actively Learn Inc

Adobe

The exclusive purposes for which Protected Information will be used: The NYCBOE uses Adobe products and services for its students in the K-12 school environment. Protected information (as defined in the Additional Terms) will be provided to Adobe and used by Adobe for the purposes of providing such student services to the NYCBOE and its students under the agreement between Adobe an NYCBOE. [NYC comment: Adobe refers to the New York City Department of Education as NYCBOE throughout the agreement.]

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: In the event that Adobe engages subcontractors or other authorized representatives to perform one or more of its obligations under the agreement, it will require those to whom it discloses protected information to be subject to contractual data protection terms at least as restrictive as those set forth in the agreement, and those subcontractors or other authorized representatives shall have a legitimate need to access protected information in connection with their responsibilities in providing services to Adobe.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The initial term of the agreement with the NYCBOE will be thirty-six (36) months from the effective date. Upon expiration of the additional terms without renewal, or upon termination of the additional terms prior to expiration or termination of a student account, Adobe will adhere to the student data retention and deletion protocols agreed to with the NYCBOE and set forth in Seton 5.4 of the Additional Terms of the Agreement. [NYCDOE comment: the Agreement was signed and put into effect on February 28, 2022.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to Section 6.3 of the Additional Terms, Adobe will work with the NYCBOE to process requests for copies of, and challenges to the accuracy of, protected information in the custody or control of Adobe. Such requests should be directed to the NYCBOE at studentprivacy@schools.nyc.gov.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Any protected information Adobe receives will be stored on systems in a secure data center facility. Adobe processes and stores information in the U.S. and other regions, which made include Europe and Japan. Adobe Cloud Services meet the specific requirements of data protection, including, but not limited to, Article 28 of the General Data Protection Regulation and which are listed as SOC2, Type 2 (Security and Availability) and ISO 27001 compliant and others as indicated at http://www.adobe.com/go/cloudcompliance. Additional information on Adobe’s various security controls and processes for its products and services are located in Exhibit C (Technical Organizational Measures) to the Additional Terms of the Agreement.

How the data will be encrypted (described in such a manner as to protect data security): Adobe uses technologies, safeguards and practices, including, but not limited to, encryption, firewalls, password protection, and/or equivalent that are consistent with its industry standards. Adobe Cloud Services meet the specific requirements of data protection, including, but not limited to, Article 28 of the General Data Protection Regulation and which are listed as SOC2, Type 2 (Security and Availability) and ISO 27001 compliant and others as indicated at http://www.adobe.com/go/cloudcompliance. Additional information on Adobe’s various security controls and processes for its products and services are located in Exhibit C (Technical Organizational Measures) to the Additional Terms of the Agreement.

Advanced Assessment Systems (also called LinkIt!)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices. “Typically, agreements are 1 year in duration, beginning on July 1 and ending on June 30 the of the following year.”

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. LinkIt! will receive PII data related to student assessment records, including student names, IDs, and demographic information. Additional student records, such as attendance, behavior and programmatic associations may also be sent to LinkIt! All such data shall be used and maintained as a service to school and district stakeholders authorized to access the same and exclusively for the purposes of analyzing the data for instructional improvement, professional development and resource allocation purposes, as well as other such purposes as the district may deem necessary and appropriate.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Performance Review Data).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. “LinkIt! leverages industry-leading provider AWS (Amazon Web Services) for data hosting and posts regular and frequent security updates. Access to data is limited to those individuals that require such access in the reasonable performance of their job function and all staff receive annual training in the area of privacy and security.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The safeguards in place to protect PII data are too numerous to fully detail here, but data and files are stored securely on the industry-leading Amazon (AWS) hosting platform. Data is also encrypted on our platform, both in transit and at rest. The LinkIt! data and security model follows best practices and consists principally of the following:

• Physical Security: Web servers, data servers and network data storage are on servers maintained by AWS. We perform full daily backups and hourly incremental backups which are stored offsite in the event of a disaster. The data center is located in a secure area with restricted onsite access.
• Data Security: LinkIt! utilizes industry-leading Microsoft SQL database that enables encryption in transit and at rest. Electronic access to database servers is restricted through dedicated web servers on a local network. This provides an effective barrier against attempts to directly compromise database integrity.
• Web Security: Our web layer consists of a passcode encrypted web service with enforced business logic. The business logic restricts user activity based upon permission level such that data access is limited to role within the LEA organization.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Age of Learning (for My Math Academy and My Reading Academy)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We collect and use PII for the purpose of providing our services My Math Academy and My Reading Academy, both of which are adaptive digital learning programs for students. We do not use PII for any other purpose. Student information is provided in order to track the students progress within the products and to provide reporting to the teacher, school, and district.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The vendor has policies and procedures in place to ensure safeguarding practices are in place. This includes the protection of data from corruption, theft, or unauthorized access.

• Data Access – Age of Learning practices the principle of least privilege. Access is provided based on role and granted when necessary to fulfill the requirements set out by the contract.
• Account Protection - Single Sign-On (SSO) and a strong password is required.
• Encryption – All data is encrypted in transit and at rest.
• Monitoring – Age of Learning products are continuously monitored for vulnerabilities by employees and through state-of-the-art third-party monitoring tools.
• File Transfer Protocol – All file transfers are secure over SSL/TLS cryptographic protocol.
• Web Application Firewall (WAF) – Inspects and filters traffic between Age of Learning products and the internet.
• Software Security – Product development is based on OWASP, SANS, NIST, CSF, CIS, SCF frameworks.
• Audits – Annual SOC 2 audit and third-party penetration testing are performed for additional security awareness.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Agile Mind

Type of Entity: Commercial Enterprise

Contract / Agreement Term: [NYCDOE Comment: NDA was signed on 7/12/2021]

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Agile Mind provides comprehensive math and science programs for middle and high schools. To that end we store a student’s name, school, grade level and DOE assigned login ID– all nonsensitive PII.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data (not just PII) is stored in a highly secure fashion. Data is protected using encryption while in motion and at rest by serving all data via HTTPS and storing it in a secure manner. For storage specifically, all data is stored by MySQL Data at Rest Encryption. The security of this data is ensured by limited employee electronic access to production databases, and databases are housed in a secure data center with physical security and a named access list for visitors.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Alegra Learning (for Joy School English)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 8/1/2023 - 7/31/2030

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Alegra Learning, Inc. is the creator of Joy School English. Joy School English is a software program for elementary aged students (PreK-5) that focuses on oral language production, early literacy and social and emotional learning (SEL). Joy School English is accessible on iPads, tablets, mobile devices, Chromebooks and computers. Upon starting the program, students follow an individualized scope and sequence that takes them through the research-based curriculum. The curriculum is aligned to the NY State PreK and Kindergarten learning standards. Joy School English uses voice recognition technology where kids use their own voice to explore and advance to encourage speaking and oral language production. Joy School English also provides resources for teachers including data and progress monitoring, an interactive teacher menu to use in small/whole group instruction and teacher lesson plans. Joy School English is accessible from home so students can continue their learning pathway from home and the program serves as a great resource for parents. Student PII is used to create a unique student account for each student so that they can receive individualized instruction.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII is hosted via Amazon Web Services (AWS), which is a robust and secure service to host data (https://aws.amazon.com/compliance/data-privacy/). In addition to all of Amazon’s protocols, all data in our portal is password protected and only accessible with those authorized to do so. We use Role-Based Access Control (RBAC): RBAC assigns specific access permissions based on the roles or responsibilities of users within an organization. Users are granted access only to the resources and data necessary to perform their job functions.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

All In Learning, Inc  

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2020 – 6/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Product: ALL In Learning is a cloud-based formative assessment platform providing in-the-moment and summative assessment data collection utilizing a variety of collection modes (clickers, student devices, bubble sheet scanning, and even teacher-graded rubrics). Our reporting supports improving the teaching and learning process in the classroom as well as provides student performance insight at every level (classroom, campus, and district).

Purpose for using PII: ALL In Learning will utilize some PII for Teachers and Students for the purpose of rostering for administering and reporting on formative assessments.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor. The vendor specifies that “We store our data in AWS/Aurora databases. The data is encrypted in transit and at rest. These databases are not shared resources with their other clients, nor is the data shared with AWS. It is not a cloud database.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ALL In Learning application data is stored in an Amazon Web Services virtualized environment. Data is always transmitted encrypted and stored encrypted. We have data access restriction policies in place within the ALL In Learning development and support organizations.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Amplify Education, Inc. 

Aperture Education

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2021 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Aperture will use PII to administer student social and emotional assessments to be completed by students, teachers and (optionally) parents. PII will also be used in reporting (e.g., to disaggregate data by subgroup).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Aperture Education considers security of PII to be of utmost importance. As such, we follow a rigorous security policy which includes, but is not limited to, third party penetration and security testing, annual security training of all of our employees, completion of background checks on our employees, encryption of confidential information in transit and at rest, and limiting user access to confidential information based on role. Please see our security policy for more information.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Applied Curiosity Research, LLC

Type of Entity: Research Institution or Evaluator

Contract / Agreement Term: 2/1/2022 – 1/31/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We are conducting a mixed-methods, implementation evaluation of a pilot program with students from two NYC schools. The pilot program occurs for five weeks over the summer and consists of a blend of classroom instruction from DOE teachers and community-based organizations as well as work-based learning. The focus of the pilot program is promoting computer science skills and knowledge while exposing students to careers in related fields. Research participants include participating students, teachers, and select agency stakeholders. The goals of the evaluation are to collect evidence of student outcomes, understand barriers and affordances to program implementation, assess the extent to which activities are completed as intended, identify best practices, and inform effective scaling of the program.

Methods include student pre/post surveys administered in class, student focus groups, teacher in-depth interviews, and in-depth interviews with key stakeholders.

The only PII we will collect is student and teacher names during the consent process. Consent is critical to ensure participants understand their rights as a research participant, including that the research is voluntary and how their information will be handled. Consent is also a mandatory requirement for NYC DOE IRB.

Type of PII that the Entity will receive/access: Student PII. We may collect student, parent, or teacher names on consent forms. We may also collect student names for the purpose of focus group attendance lists. We will not, however collect student names that are attached to any academic or demographic data.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. The Entity selected “Other: We will remove all PII from any documents or digital files (consent form, survey responses, audio files, notes, transcripts) and replace this with an ID number assigned by the study team. The document linking IDs to PII will be stored in a password protected folder on an encrypted external drive, in a locked cabinet, accessible only by the principal investigator.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We will remove all PII from any documents or digital files (consent form, survey responses, audio files, notes, transcripts) and replace this with an ID number assigned by the study team. The document linking IDs to PII will be stored in a password protected folder on an encrypted external drive, in a locked cabinet, accessible only by the principal investigator.

Any PII will be kept secure and only used for study purposes, except as otherwise required by law. The study team will not disclose participant’s names or any personally identifiable information in any report or presentation.

De-identified consent forms, audio files, notes, survey data, and transcripts will be stored on a password-protected, encrypted cloud storage system accessible only by the project team.

After three years, we will delete and overwrite copies of all data and also wipe all blank space on the external hard drive to ensure there are no elements of the files retained on the drive.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Apptegy

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The PII we receive or access in connection with our services is either provided by a school (referred to as a “Client”) in order to create or manage users under a Client’s account or is provided by such users in the course of using our services. Thrillshare is a content management system that enables Clients to: update or share information via their website or social media; communicate with parents, students, or other stakeholders through a messaging feature that can send voice calls, text messages, push notifications, or emails (referred to as “Alerts”); or communicate directly with stakeholders via an online chat feature (referred to as “Rooms”). PII shared for these purposes may include: personal information shared by a Client in order to create accounts for administrators, teachers or other personnel; contact information shared for the purpose of sending Alerts; or any PII that a user may include in any messages sent via the Alerts or Rooms features. Apptegy only uses such information for the purpose of providing the services. For more information regarding the purposes for which Apptegy receives or accesses PII, please see the Apptegy Privacy Policy (“Privacy Policy”) (available at: https://www.apptegy.com/privacy-policy/).

Type of PII that the Entity will receive/access: Student PII. “How Clients use Apptegy’s services may change over time. In such case, the PII that Apptegy will receive/access in order to perform its services may change or be supplemented. This is at our Clients’ discretion. If a parent of a student or other individual wishes to review a list of PII accessed pursuant to the services, the parent or individual should contact the applicable Client to confirm. For a more generalized description of potential PII received/accessed, please also see our answer to Question 4 above and our Privacy Policy.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and

written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. As indicated, Apptegy uses Amazon Web Services (“AWS”) to host and operate our services, and to host and process Clients’ data. AWS supports more security standards and compliance certifications than any other hosting provider, including ISO, SOC2, NIST, GDPR, PCI-DSS, and others. Comprehensive information about AWS security practices and certifications is available at https://aws.amazon.com/security/ and https://aws.amazon.com/compliance/. In addition to other means of ensuring privacy and security (including encryption, vulnerability monitoring and remediation, and Role-Based Access Control (RBAC) principles), Apptegy monitors and manages system access by AWS security groups and internal access controls. We review our AWS security group rules at least annually and update them as appropriate. Apptegy uses single sign-on (SSO) and HTTPS protocol where available and technologically feasible. Apptegy uses a virtual private network (VPN) for remote access to AWS and the parts of our services that contain Client data where available and technologically feasible. Apptegy has implemented multi-factor authentication for our production environment. Clients can choose to require multi-factor

authentication for end users. For more information on how we mitigate data privacy and security risks, please see our Privacy Policy.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Arete Education

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2022 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Grant Participation requires PII in the form of program enrollment, attendance tracking and record maintenance for possible review and report generation. Arete acquires paper enrollment forms and attendance records in the classrooms and maintains private records in our locked main worksite office only accessible to designated Arete staff (i.e., Community School Director, Arete Data Specialist). All files are uploaded to our private Arete organization cloud account and maintained for the life of the outstanding contract. When said time has expired and records are no longer needed, all records are shredded and/ or deleted from our cloud servers supervised by our Director of Operations.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Cityspan Technologies Inc.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Cityspan’s Security Policy contains a Risk Assessment Policy that identifies data privacy and security risks and mitigating controls. The Risk Assessment Policy was developed subject to COV2 audit requirements and approved by an external auditor in June 2020.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Asase Yaa Cultural Arts Foundation

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 1/2/2023 – 1/3/2028

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Asase Yaa Cultural Arts Foundation will use Personally Identifiable Information (PII) for evaluations and for program development for student workshops so it can be appropriate for grade and age levels. Workshops are offered in all of the disciplines offered to students including Drumming (Djembe, Conga, Drum Line); Dance (African, Ballet, Jazz, Hip Hop, Modern); Theater (Original Productions); and Visual Arts. Workshops can be scheduled when it best fits parents which includes am sessions and pm sessions. Sessions typically are 45 minutes to 90 minutes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third parties.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We would only keep the information in a password protected drive that is accessible to program directors only and which will be discarded at the end of each school year. Additionally, all devices used to access the PII have virus scanners, as well as firewalls to ensure that the information is not compromised.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

ASPIRA of New York

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ASPIRA will manage and operate community schools contracts with the goal of fostering ongoing collaboration and common vision with the partner schools to provide students and their families with coordinated programming that targets their individual academic, social, emotional, and developmental needs. PII will be utilized to register program participants, communicate their academic and social progress with parents and allow for student choice when program planning through the utilization of participant satisfaction surveys.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ASPIRA will limit access to a minimal number of authorized personnel who have a legitimate need for such data access. Confidentiality agreements will be required for any personnel with access. ASPIRA will encrypt data in transit and storage, set access controls, and implement regular and encrypted backups. Data is entered into a password protected cloud based database. Policies for reporting security incidents to parents/guardians are in place. All security incidents will be communicated to parents/guardians and students.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Assessment Technologies Institute (also called National Healthcare Association)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Processor’s Services include the provision of learning content hosted on Processor’s platform and Certification examinations. End users create an account (or the school does so on behalf of each end user) that includes contact information and all data related to the interaction of the end user with the content is recorded by the platform and can be accessed by instructors and end users. Such data is PII. Additionally, certifications data (such as exam date, responses to exam questions, exam scores, pass/fail) is also PII in that it is linked a specific individual.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data is encrypted at rest and in transit. Processor utilizes many controls and protections that includes but is not limited to: Network and Border Security, Endpoint Security, Email Security, Threat and Vulnerability Management, Access Management. ll critical and high risk vendors, is any, are reviewed annually as part of Processors Vendor Management Program. In addition, Processor completes an annual SOC 2 Type 2 assessment, which can be provided upon execution of a nondisclosure agreement.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Attainment Company

The exclusive purposes for which Protected Information will be used: Products provided include AAC applications & devices for student communication needs; student & teacher instructional applications/software for special education.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Attainment provides industry standard data protection and security; annually authorized staff are trained on the appropriate requirements of FERPA, COPPA & SOPPA. 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Protected information is returned to the district & after 30 days purged from Attainment systems. 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All data is stored in the US with AWS certified protected industry standard practices.

How the data will be encrypted (described in such a manner as to protect data security): The transmission is controlled using TLS (Transport Layer Security) encryption for the browser to database connection. The data is encrypted between the client computer and Attainment’s servers. The Hub uses HTTPS (Hypertext Transfer Protocol Secure) over a secure SSL.

Avaya

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. Avaya is providing contact center services to multiple business units at DOE. Some of these business units require Avaya to store call and screen recordings for playback for up to 90 days. Avaya has not confirmed the exact PII that could be received but these recordings may contain certain PII.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using an Entity-owned and/or internally hosted solution.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Avaya protects and safeguards PII data by enacting the following measures and procedures:

Access control to premises. Avaya will prevent physical access to Personal Data processing equipment by unauthorized persons as follows:

• Avaya will implement and maintain physical security measures in order to prevent unauthorized access. This is accomplished by the following measures:
  • an electronic access control system with a 90-day log retention;
  • a 24/7 video recording of physical facility with 30-day log retention; and
  • intrusion detection / burglar alarms, or engaging on premise security officers.
• Avaya will restrict the access to various zones at its premises based on roles, and periodically revalidate the access by owners.
• Avaya will have personnel and visitor security measures in place to prevent unauthorized access, which is accomplished by the following measures:
  • Personnel must display IDs;
  • Visitors must sign in;
  • Visitors will be reasonably escorted by staff; and
  • Visitors must wear a badge which easily identifies them as visitor.

Access control to use of system. In order to prevent logical access to its Personal Data processing equipment by unauthorized persons, Avaya will implement and maintain the following measures:

• Avaya will only grant individuals access to the Personal Data processing equipment with
  • a unique user ID for access with formal authorization process, and
  • a unique password with the following features:
    • a complex password, consisting of eight characters and three of four character sets;
    • a maximum password lifetime of ninety days; and
    • an account lockout on failed logins.
• Avaya will grant the individuals access based on their job function with the following criteria:
  • role-based access;
  • least-privileged access; and
  • access only on a need-to-know basis.
• The screen of endpoints will be automatically locked after 20 minutes idle time.
• Avaya will log access to the data processing equipment.
• Avaya will use a multi-factor authentication of Avaya’s virtual private network (VPN) for remote access.
• Avaya will implement and maintain a central user administration.
• Avaya will encrypt endpoints provided by itself.

Access control to Personal Data. Avaya will prevent logical access to Personal Data by unauthorized persons by implementing and maintaining suitable measures to prevent unauthorized reading, copying, alteration or removal of the media containing Personal Data, unauthorized input into memory, reading, alteration or deletion of the stored Personal Data. This will be accomplished by the following measures:

• Avaya will only grant individuals access to the Personal Data with:
  • a unique user ID for access with formal authorization process, and
  • a unique password with the following features:
    • a complex password, consisting of eight characters and three of four character sets;
    • a maximum password lifetime of ninety days; and
    • an account lockout on failed logins.
• Avaya will grant individuals access to the Personal Data based on their job function with the following criteria:
  • role-based access;
  • least-privileged access; and
  • access only on a need-to-know basis.
• The screen of endpoints will be automatically locked after 20 minutes idle time.
• Avaya will log access to the data processing equipment.
• Avaya will maintain access control lists (ACL).
• Avaya will conduct data backups and retrievals, using a secure storage of backup media and testing backups.
• Avaya will implement and maintain a formal access control change management program.
• Avaya will implement and maintain internal policies and standards comprising security policies and standards, both at a corporate and business unit level.
• Avaya will conduct periodic mandatory trainings with respect to protection of personal data, and will monitor and enforce the training participation.
• Avaya will implement and maintain anti-virus programs, which are centrally monitored and updated, and conduct regular anti-virus scans.
• Avaya will conduct a secure deletion and /or disposal of data.

Transmission control. Avaya will prevent any unauthorized access to Personal Data via implementation of secure communication channels and logging as follows:

• Avaya will use a VPN with a multi-factor authentication for remote access.
• Avaya will use firewalls with the following features and processes:
  • stateful inspection;
  • default denial access rules are implemented unless access rules are explicitly approved;
  • role-based and least-privileged access on a “need to know” basis;
  • logging and alerting of access; and
  • annual review of firewall rules.
• Avaya will use encrypted email if the same has been enabled by Customer, using transport layer security (TLS) as the methodology.
• Avaya will implement and maintain security policies and standards both at a corporate and business unit level.

Input Control. Avaya will ensure the possibility to check and establish whether and by whom Personal Data have been put into, modified or removed from the Personal Data processing equipment as follows:

• Individuals accessing personal data will require a unique user ID and authorization for access.
• Avaya will implement and maintain security policies and standards both at a corporate and business unit level.
• The Personal Data processing equipment will have logging functionalities.
• Avaya will only grant individuals access to Personal Data based on their job function, with the following categories:
  • role-based access;
  • least-privileged access; and
  • access on a “need-to-know” basis.

Organization control

• Avaya will ensure that in case of commissioned data processing, the Personal Data are processed strictly in accordance with the instructions of Customer.
• Customer will provide clear instructions to Avaya regarding the scope of the processing of personal data, and Avaya will adhere to these instructions.

Availability control. Avaya will prevent any accidental destruction or the loss of Personal Data by appropriate measures as follows:

• Avaya will implement and maintain uninterruptable power supply, fire and smoke alarms, fire suppression systems, generators, cooling systems and raised flooring.
• Avaya will implement and maintain a disaster recovery plan, and annually review and test it.
• Avaya will implement and maintain a backup strategy and backup procedures.
• Avaya will implement and maintain anti-virus programs and firewall systems.

Control of separation of data. Avaya will implement and maintain appropriate measures to allow the separate processing of data which have been collected for different purposes as follows:

• Avaya will separate different customers’ Personal Data by storing Personal Data in logically separated databases.
• Avaya will separate between productive and test data.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Ballet Tech Foundation

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 9/1/2022 – 8/31/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The service provide is Dance Training at Ballet Tech. PII is required in order to take attendance and for grading.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Protected Information is stored in the US. Ballet Tech uses has various administrative, operational and technical safeguards in place in place to protect any Protected Information that it will receive under the contract – including training staff members as to best practices for data security and student privacy, the use of Google Drive and Gmail with their built-in data privacy protections, using an on-site physical server for day to day file storage, requiring strong passwords (and 2FA when available), and shredding any paper documents containing Protected Information.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Beable Education

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Beable provides literacy and test prep software to the NYC DOE. PII is collected for purposes of providing students with access to the system, and teachers with ability to monitor their progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services (AWS). Amazon Web Services (AWS) utilized are AWS RDS, AWS S3 and AWS Elasticache.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Beable employs a variety of administrative, technical and physical safeguards designed to protect PII in its custody from loss, misuse, unauthorized access, disclosure, alteration, or destruction. Our measures consider the sensitivity of the information we collect, use, and store and the current state of technology. Our security measures include data encryption, firewalls, data use, and access limitations for our personnel. Should we become aware of an authorized disclosure of your information and/or any data breach of our systems and information, we will notify NYCDOE promptly in compliance with N.Y. Education Law 2-d Requirements.

Beable has implemented a mandatory training program for its employees and contractors and clearly defined guidelines to which they are held accountable for collecting, storing, accessing, securely transmitting, interacting with, and destroying PII. Employees and Contractors are required to sign Confidentiality Agreements.

Beable’s application is hosted in AWS in our secured private network and leverages many of AWS’s broad range of cloud services.

Teachers have visibility into student-specific information via the application dashboards, reports or other features and can respond to parents who request access to their child’s records. Beable will support the teachers or other NYCDOE staff in responding to parent requests for data as necessary.

Administrative, technical and physical safeguards have been implemented to protect the security, confidentiality, and integrity of PII in its custody as summarized below:

• Administrative – Beable maintains user registration information within our AWS secure private network and limits accessibility to such information to only those few employees that have special access rights to production systems. Security training is conducted annually.
• Technical – Application is developed following Secure Coding Standards established for the team. Access decisions are based on the principle of least privilege meaning a user only has access and privileges which are essential to perform their intended function. Password requirements are strong and utilize multi-factor authentication. Data is encrypted in-transit and at rest and transmitted by Secure Socket Layer (SSL) technology. Workstations are hardened, patched and hard drives are encrypted. In addition to leveraging High Availability, redundancy and resiliency of AWS services, backups of all relevant systems are performed and the restore process is periodically tested. Records of change are maintained via audit logs. Penetration testing and security audits are run frequently and are a necessary part of Beable’s security posture.
• Physical – Beable’s solutions are hosted in the Cloud at AWS. All customer PII is stored within our AWS secured private network.

Beable is committed to comply with all state, federal, and local data security and privacy laws, and NYCDOE Information Security Requirements for vendors.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Beam Center

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/15/2022 – 7/14/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Beam Center school partnerships combine both professional learning opportunities for teachers with a wide range of direct services for students. Professional learning and DSS are woven together in a way that reaches students immediately and builds long-lasting skills for teachers.

• IN-SCHOOL PROJECTS

• Fundamentals Projects are projects designed by Beam Center staff with the purpose of introducing students and teachers to basic skills in one or more making disciplines such as woodworking, programming, electronics, and digital fabrication skills.
• In-Class Collaborative Projects are co-designed by teachers from our 29 partner schools and Beam Center Project Designers for implementation in classrooms.
  • PROFESSIONAL DEVELOPMENT
    • Custom Project Development is a professional learning opportunity for teachers and administrators from Beam Center’s 29 partner schools. In this program, Beam Center Project Designers introduce educators to our practice of hands-on project design as well as various technical making disciplines. With guidance from our staff, teachers collaborate to design a custom project for their classroom that is aligned to the learning goals, standards, and/or curriculum that educators are working with in their classrooms. Educators produce project plans, materials lists, and day-by-day schedules for the collaborative projects that they design. Participants in this program spend 12-18 hours total on this process; these hours are eligible for CTLE requirements.
  • Beam Center receives Student PII (names only) for the purposes of invoicing schools. We receive Teacher PII (names only) for the purposes of PD attendance sheet and for certifying CTLE credit.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Beam Center currently stores all student digital information (name, phone number, email address) on Google Suite documents that are accessible by only a restricted number of personnel directly responsible for managing the program covered by this contract, trained on DOE’s and Beam Center’s privacy and security policies and protected by secure passwords that are updated every 90 days. Beam Center does not collect student Social Security Numbers or OSIS numbers. If a school inadvertently shares OSIS numbers with Beam Center the documents are shredded or hard-deleted from digital storage. At this time, Beam Center uses no proprietary or in-house developed software applications or databases to manage participant data and if ever should do so, it will be developed to meet industry standards and best practices for security and privacy.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Bedford, Freeman & Worth Publishing Group (for LaunchPad, Sapling & SaplingPlus)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. With a history of publishing groundbreaking educational content that spans over 70 years, Macmillan Learning is dedicated to combining world-class content and evolving technology to drive student success. Macmillan collaborates with some of the world’s most accomplished researchers, teachers, developers, and administrators to solve pedagogical challenges. Macmillan Learning's deeply knowledgeable and committed specialists live and breathe each course and discipline, determined to clear any learning obstacles. Historically, this has been accomplished via our Textbooks. While we are still known for our textbooks, we have worked over the past two decades to merge our textbooks with technology to create unique learning tools to better serve instructors and students.

Our LaunchPad Application is a resource to help students achieve better results by providing a place where they can read, study, practice, complete homework, and more. An interactive ebook brings together the resource’s students need to prepare for their class, working with the textbook their instructor selected. For most LaunchPad titles, students can download the ebook to read offline, or to have read aloud to them. LearningCurve adaptive quizzing offers individualized question sets and feedback for each student based on his/her/their correct and incorrect responses. All the questions are tied back to the e-book to encourage students to use the resources at hand. In addition, LaunchPad offers a wealth of quizzing options, including pre-.built quizzes which are readily available and editable. Instructors can also build their own quizzes from test banks, end of chapter questions, questions they write themselves, and more.

Created and supported by educators, our Sapling and SaplingPlus Applications are available for a wide range of courses in Biology, Chemistry, Physics, Astronomy, Physical Sciences, Statistics and Economics. With content written by leading subject-matter experts, Sapling and SaplingPlus homework provides real-time feedback based on specific misconceptions of the problems at hand. Regardless of a student's initial response, Sapling and SaplingPlus ensures everyone arrives at the correct answer for the right reasons Assignments, due dates, and question weights are all customizable to educators' preferences, and the Sapling and SaplingPlus platform supplies metrics related to attempts taken, time spent on each question, and more - offering immediate insight into class and individual student performance. Sapling and SaplingPlus provides students with real-time targeted feedback based on their specific misconceptions or understanding of the course material. Multiple question types - such as clickable area, ranking, sorting, labeling, multiple choice, multiple-select, graphing, and numeric entry - enhance student engagement and critical thinking skills.

BFW is committed to protecting the privacy and security of all School Data that we process as a “data processor” or “service provider” to your school in order to provide the services to you and your school, pursuant to applicable laws. The data we collect includes Student Name, Student Email Address, Teachers Name, Student Scheduled Courses, Student ID Number, Student Username, Student Password, Student responses to surveys/questionnaires, Student generated content, Student course grades and performance scores. If you use our products and platforms in your courses at your school, we only use your personal information in the School Data as needed to:

• Provide you with the products, content or services selected by you, your instructors or your school and for related activities, such as customer service and “helpdesk” functions,
• Assure academic integrity, such as in connection with investigations and anti-plagiarism program,
• Send end-of-course surveys, and
• Manage our everyday business needs, such as website administration, business continuity and disaster recovery, security and fraud prevention, corporate governance, reporting and legal compliance.

We will only use School Data for other purposes with the consent of your school and (if applicable) with your consent.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. AWS Web Services.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. BFW will:

• Store PII on servers in a secured facility in the US operated by Amazon Web Services (AWS).
• Use infrastructure built on industry-tested technology and security practices.
• Take measures aligned with industry best practices and NIST Cybersecurity Framework Version 1.1. These measures include, but are not limited to disk encryption, file encryption, firewalls and password protection.
• Stored all data in a password protected database with strong password requirements.
• Run periodic penetration tests, then logs and resolves discovered issues
• Limit access to PII and application data to people who require access in the performance of their role in providing the service.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Behavior Analysts

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 8/1/2022 – 7/31/ 2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Receiving access to PII as part of a commercial relationship wherein Vendor’s product provides the ABLLS-R Assessment for use by the NYC DOE.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Entity utilizes administrative, technical, and physical safeguards that are aligned with industry best practices to ensure the integrity and security of PII. Administrative safeguards include written policies and procedures, and training programs that ensure employees and contractors are properly prepared and understand their obligations in handling PII, as well as employee background screenings. Additionally, Entity leverages Amazon Web Services (AWS) Cloud Infrastructure to ensure the physical security of PII, while implementing technical safeguards, including full encryption of PII in rest and in transit, in this secure environment. Collectively, these policies and procedures allow Entity to mitigate data privacy and security risks.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Benchmark Education Company

The exclusive purposes for which Protected Information will be used: Benchmark Education Company collects personally identifiable information about you when you specifically and knowingly provide such information. For example, when you register, we collect such information as your name, email address, professional title, and school information. We use this information to customize the Site for your locale and to provide more relevant services. We may use the information that you provide when you register for Benchmark Universe to create your account. This allows your employees and students to log in, create a classroom within the product, and assign lessons to students.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Benchmark Education employees that are responsible for the onboarding and record-maintenance on behalf of school clients undergo through privacy and security training (FERPA, COPA), and sign a binding non-disclosure agreement.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: We do not retain your personal information for longer than is necessary to provide you with the features and services you have requested. When you request an account be deleted, we remove the data from our servers. At expiration or termination of an agreement, we remove data within 6 months from the termination date. At any time, you may request that we permanently delete personal information immediately by emailing us at techsupport@benchmarkeducation.com.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. 

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All student data collected for Benchmark Universe is stored and backed up in Amazon Web Services (AWS). All AWS servers are located inside the United States. Benchmark Education follows industry best practices for network and physical security. All data is encrypted in transit and at rest. 

How the data will be encrypted (described in such a manner as to protect data security): Pupil records are transferred to Benchmark Education via an OAUTH 2.0 over SSL security encryption. Pupil records are stored (data at rest) in a secure AWS environment and are encrypted. Benchmark Education utilizes standard SSL encryption and authentication mechanisms with sha256RSA Signature algorithms, sha256 Signature has algorithms, RSA (2048 Bits) Public Key.

• Server authentication (1.3.6.1.5.5.7.3.1)
• Client authentication (1.3.6.1..5.7.3.2)

Big Ideas Learning

Bloomz

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Bloomz is the unified parent-teacher communication app that increases parental engagement by connecting everyone with one easy-to-use tool. Bloomz handles ALL district, school, teacher, parent, student communication. Bloomz supports and translates into 109 different languages. Bloomz is a time saver for admins, a valuable tool for teachers, increases engagement and work ethic among students, and helps parents of all backgrounds engage in their children's education. Bloomz uses the core PII information in the following ways:

• PII is used to map relationships of and allow for communication between parents, students and staff for a specific class i.e. math for educational purposes for progress reports, homework or additional support required from a teacher/counselor. PII may also be used for attendance and grade support.
• Client data is handled with utmost care at Bloomz. Data is secured through role-based access. Data encryption is in place for data at rest and in motion. All the backups are encrypted by mongo and data in motion is secured through TLS based encryption. Within the application data security is ensured through role-based access restrictions and all the user passwords are stored encrypted. Customer data is never stored locally, and production access is restricted to staff with explicit approvals.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud and AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Bloomz employs a combination of administrative, technical, and physical safeguards to protect Personally Identifiable Information (PII) and mitigate data privacy and security risks. While I'll provide a general overview without compromising security, specific details are intentionally excluded to maintain the integrity of Bloomz' security practices and protocols.

Administrative Safeguards:

• Bloomz has established strict access controls and role-based permissions to ensure that only authorized personnel have access to PII.
• FERPA and COPPA compliance.
• Regular training and awareness programs are conducted to educate employees about data privacy and security best practices.

Technical Safeguards:

• Bloomz utilizes encryption protocols (TLS/SSL) to secure data during transmission, preventing unauthorized interception.
• PII is stored in encrypted format to prevent unauthorized access even if data storage is compromised.
• Firewalls, intrusion detection systems, and advanced threat detection mechanisms are implemented to safeguard against cyber threats.

Physical Safeguards:

• Cloud-Based Security:
  • Data is entered into a password-protected cloud-based database that adheres to current industry standards for data security and privacy.
• Access Control:
  • Access to Protected Information is restricted to a minimal number of authorized personnel who have a legitimate need for such access.
  • Multi-tiered authorization is implemented for accessing cloud-based service logs, ensuring that only authorized personnel can view sensitive logs.
• Confidentiality Agreements:
  • All personnel with access to Protected Information are required to sign confidentiality agreements to ensure they understand their responsibilities for maintaining data confidentiality.
• Personnel Training:
  • Employees receive training on data security, privacy policies, and best practices to ensure they handle Protected Information appropriately.
• Regular Audits and Monitoring:
  • Regular audits are conducted to monitor data access and usage to detect any unauthorized or suspicious activities.
  • Logs of system access and changes are regularly reviewed for anomalies.
  • Test environments used for development and testing purposes do not contain actual Protected Information, and they operate with separate security keys to prevent accidental exposure of sensitive data.
• Cloud-Based Security:
  • Data is entered into a password-protected cloud-based database that adheres to current industry standards for data security and privacy.

Data Privacy and Security Risk Mitigation:

• Bloomz conducts regular risk assessments and vulnerability assessments to identify potential weaknesses in its systems.
• Ongoing monitoring and analysis of network traffic and system logs enable rapid detection of any unusual or suspicious activities.
• Incident response plans are in place to ensure swift and effective actions in the event of a security incident or breach.

While the above description outlines Bloomz' general approach to safeguarding PII and mitigating data privacy and security risks, specific details and methodologies are withheld to ensure that disclosure doesn't compromise the effectiveness of these security measures. Bloomz remains committed to maintaining a robust security posture while respecting the confidentiality of its security practices and protocols.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Blue Engine

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Blue Engine utilizes monthly data cycles to ensure the co-teaching model is being effectively implemented. We work with the district or school-based instructional coaches to embed effective co-teaching practices, approaches, and mindsets within coaches and teams of teachers. The student data collected (listed below) is used to measure student progress and allows Blue Engine staff to effectively support teachers in using data and facilitate data reviews with school administrators:

• Rosters for each classroom receiving services which list student names and ID
• Student standardized assessment scores/results
• Student demographics including grade level, gender, race/ethnicity, ELLs, and SPED status
• Student experience surveys

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. QuestionPro for secure uploads and Google Suite Spreadsheet for analysis.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Blue Engine uses Google’s G Suite for email and data storage. All student data will be maintained on the encrypted Google server in the US. Staff are only able to access the server using their organization accounts. All staff devices are password protected and only to be accessed by them. Two-factor authentication is required for all staff accounts. Student Data may only be shared with individuals within the Blue Engine account.

Blue Engine will respond to data privacy and security incidents in accordance with the following steps:

• Employees must report suspected incidents that threaten the confidentiality, integrity or availability of Blue Engine’s data systems or data to the Vice President of Impact, Learning & Design and their immediate supervisor or manager.
• If a critical incident is verified, the Vice President will convene a meeting with Senior Management.
• Where there has been a breach of Personally Identifiable Information (PII), the CEO will be notified and will coordinate the process of compliance with notification requirements.

For purposes of this policy, a breach means the unauthorized acquisition, access, use, or disclosure of student, teacher or principal PII as defined by Education law §2-d, or any Blue Engine sensitive or confidential data or a data system that stores that data, by or to a person not. authorized to acquire, access, use, or receive the data. Blue Engine will comply with legal requirements that pertain to the notification of individuals affected by a breach or unauthorized disclosure of personally identifiable information.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

bNapkin (also called School4One)

The exclusive purposes for which Protected Information will be used: The student data or teacher or principal data (collectively, “the Data”) received by The Vendor will be used exclusively with the purpose of distributing content to students, gathering evaluation data from students, distributing teacher feedback to students, providing data visualization to administrators in The School District.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: The Vendor will ensure that all subcontractors and other authorized persons or entities to whom student data or teacher or principal data will be disclosed will abide by all applicable data protection and security requirements, including those mandated by New York State and federal laws and regulations, by not providing them with private data provided by The School District.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon termination of the Original Agreement, The Vendor will extract all data associated with the School District and deliver an archive including the database table content, table description, and associated files. This archive will be delivered by means preferred by The School District. All database records and files associated with the School District will be deleted from the production master database and all its replicas.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. A parent, student, teacher or principal can challenge the accuracy of the Data received by The Vendor by contacting support@school4one.com. An audit of the challenge will be executed, and a report, accompanied with the raw data, will be produced within 14 days from the request.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Refer above to Attachment B.

[The following is an excerpt from the vendor’s Data Privacy and Security Plan: “The School4One platform is hosted by one or more leading public cloud providers which operate data centers that are state of the art, utilizing innovative architectural and engineering approaches. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. Office Security Access to School4One’s offices in New York is controlled 24 hours a day by electronic key access. Building access is monitored 24 hours a day with staffed security during normal office operating hours. Remote Work Security Access to School4One’s servers and hosting services is controlled by a two-factor authentication, and only accessible using a secure VPN.”]

How the data will be encrypted (described in such a manner as to protect data security): Refer above to Attachment B.

[The following is an excerpt from the vendor’s Data Privacy and Security Plan: “AES-256 encryption is used for data at rest and stored in the DB.”] 

Boom Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Boom Cards are used as digital learning resources. Schools use Boom Cards to support learning and intervention. Educators who elect to collect Student Data will collect student performance data (correct/incorrect answers and time to answer) which is associated with a username, which may be pseudonymous. The purpose of the data collection is to evaluate student progress towards mastery.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., MongoDB on AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity of a data breach, Boom Learning has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed by exposure of the User Data to unauthorized persons. Safeguards include:

• Privacy and Security by Design
• Data Minimization
• Data Deletion Practices
• Adoption of the NIST Cybersecurity Framework
• Need-to-know access
• Annual or more frequent training for employees and vendors

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

BrainPOP LLC

The exclusive purposes for which Protected Information will be used: BrainPOP is an online educational solution that makes rigorous learning experiences accessible and engaging for all students. PII will only be used to provide the BrainPOP Products – BrainPOP, BrainPOP Jr, BrainPOP Francais, BrainPOP Espanol and/or BrainPOP ELL. PII may be provided to third parties service providers that are necessary to provide the services.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Third parties are contractually bound to practice adequate security measures and to use NYC DOE PII solely as it pertains to the provision of their services. Third parties do not have an independent right to share the data.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Prior to expiration of a subscription, NYC DOE can delete the PII at any time. If PII is not deleted, we will retain the information for up to ninety days after expiration of the contract. The [agreement with] NYC DOE starts 4/22/2021.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing requests for copies of PISI and challenges to the accuracy of student data in the custody of the Recipient. Such requests or challenges should be directed to studentprivacy@schools.nyc.gov.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PII will be stored in the US. We maintain best industry standard security practices. Our servers are located in a secured, locked and monitored environment to prevent unauthorized entry or theft, and are protected by a firewall. The server is backed up daily to a secure, US based off-site data center. We apply SSL or HTTPS encrypting technology to establish and ensure that all data passed between the server and browser remains encrypted. Only limited personally have access to the database and personnel only access it when necessary to provide the services. Personnel with access pass criminal background checks at least once per year. We follow standardized and documented procedures for coding, configuration management, patch installation, and change management for all applicable servers and we audit our practices at least once a year. 

How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted at rest (AES 256) and in transit (SSL).

Braintrust Tutors

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We provide live, synchronous, high dosage academic tutoring services for students in Grades K-12, either one-on-one or in small groups of 2-4 students, both in person and online, primarily focused on accelerating foundational reading and math skills. We collect limited student PII in connection with the delivery of our services, including student name, email, and grade.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and Pencil Spaces.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Braintrust Tutors limits the collection of personally identifiable information ("Student PII") to ensure the privacy and protection of each student we serve. Braintrust Tutors stores Student PII in databases and on servers powered by Amazon Web Services ("AWS"), one of the leading and most secure cloud computing environments, behind multiple layers of electronic safeguards. Braintrust Tutors protects Student PII in the course of business through various means, including by implementing secure user authentication protocols, secure and limited access control measures, data encryption on public networks, and more. Braintrust Tutors restricts access to NYCDOE Student PII other than to NYCDOE, and Braintrust Tutors employs various encryption techniques for NYCDOE Student PII provided to NYCDOE (e.g., password protection, exclusion of student last names, etc.).

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Branching Minds

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices. 

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Branching Minds Platform (the “Platform”) is a web application for use by teachers and administrators. The Platform supports all aspects of a district’s Multi Tiered System of Supports intervention work and system. The Platform helps teachers follow the best practices of problem-solving work efficiently, effectively, and collaboratively from the start, saving time and effort while improving outcomes for all students.

PII collected on the Platform is used solely:

• To provide contracted educational services. For example, the Platform collects information about a student’s English language proficiency in order to determine the best learning interventions to recommend for that student.
• To conduct statistical research. Any data used for this purpose is de-identified (made anonymous by removing all personally identifiable information). This research helps us evaluate the effectiveness of the Platform and improve our product.
• For compliance and protection reasons. We may need to use data to comply with applicable laws, our internal policies.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All information collected on the platform, including Student Personally Identifiable Information, is safeguarded through administrative, operational and technical safeguards around the AICPA Trust Service Principle Security as part of the System and Organization Controls (SOC) 2 Report, under the direction of a dedicate Director of Security Operations. Safeguards include:

• Software Security: We implement privacy and security practices which are compliant with FERPA and COPPA. Our Districts and their users, however, must use secure practices to help achieve comprehensive protection of student personal information as well.
• Data encryption: We encrypt personal information in transit and at rest.
• File transfer protocol: We use File Transfer Protocol (FTP) over secure (SSL/TLS) cryptographic protocol to transfer personal information.
• Firewalls: We utilize stateful firewalls, network access control lists, subnetting and virtual private cloud networks to segment and protect our information resources.
• Proactive Defense: We utilize antivirus software, intelligent threat detection, and enhanced detection and response software to protect our systems. Policies prevent users from disabling antivirus and enhanced detection & response software on company computers.
• Data storage provider: We store all our data and host the Platform at off-site facilities which are managed by Amazon Web Services (AWS) at their United States data centers. AWS secures our data using a variety of measures, including: (a) housing the data centers in nondescript facilities; (b) strictly controlling physical access both at the perimeter and at building ingress points by professional security staff utilizing video surveillance; intrusion detection systems, and other electronic means; (c) requiring authorized staff to pass two-factor authentication a minimum of two times to access data center floors; (d) requiring all visitors and contractors to present identification, sign in, and be continually escorted by authorized staff; (e) limiting access and information to employees and contractors who have a legitimate business need for such privileges; (f) revoking access privilege when an employee no longer has a business need for these privileges; (g) logging and routinely auditing all physical access to data centers by AWS employees; (h) encrypting all access to the information within the Platform stored on these servers; (i) encrypting user passwords; and (j) securing all data stored with AWS behind a firewall.
• Security audits: We conduct internal and third party security audits and code reviews.
• Secure programming practices: Our software developers are aware of secure programming practices and strive to avoid introducing errors in our application (like those identified by OWASP and SANS) that could lead to security breaches.
• Account protection and identity verification: We support account authentication and identity verification exclusively through single sign-on technologies and protocols, such as SAML.
• Facility security: Our facilities are located in the continental United States. Physical access to our facilities is protected by electronic access devices, with monitored security and fire/smoke alarm systems.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Brooklyn Bureau of Community Service (also called Brooklyn Community Services)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: Extension is from 7/1/2023 – 6/30/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The LTW program provides student support, guidance, evaluation, assessment, and planning. As such, the program needs to be able to access PII for the purposes of registration and enrollment, attendance and other tracking, communication, and associated needs.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Apricot 360.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We will follow our HIPAA and DOE’s guideline policies and procedures to safeguard the data. We do not store student data in Google drive. We use https to connect to our data. We use secure VPN to access data. All computers and laptops are encrypted. All documents are sent encrypted with strong passwords.

Student PII collected by LTW on enrollment is:

• State or school ID
• Social security card and/or number
• Birth certificate
• Tax information, financial information (i.e. for direct deposit)
• Address and contact information

Student information collected during the course of student time with the program:

• Grades and academic status
• Interaction and case notes
• Medical information in select cases, e.g. a doctor's note to excuse absence
• Timesheets and attendance

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Brooklyn College Community Partnership

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2022 – 6/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Community schools collaborate with Lead Community-Based Organization (CBO) partners to create welcoming, supportive environments that help students navigate barriers and build on strengths so that every student can thrive academically, socially, and emotionally.

Community School Lead CBOs use student level data to ensure the right students are getting the right services at the right time. Through collaborative leadership between schools and CBOs, the information is utilized to support family engagement, expanded learning time and wellness and integrated student supports such as mental health services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Rackspace cloud services provider.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data at rest remain stored under secure conditions at all times, All electronically stored data reside on a password protected area of our server, which is backed up regularly. The server is protected by 15 separate firewalls, and is continually scanned by malware protection software. When in transit, confidential data are encrypted and transferred using secure File Transfer Protocol (FTP) account. Upon disposal, printed materials are shredded and electronic files are securely deleted.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

buildOn

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 9/1/2023 – 9/1/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. buildOn will work with partnering schools providing year-round specialized service learning programming, including during school breaks and summer vacations. Program activities include in-class service projects, after-school, weekends, school holiday programming, as well as school-wide service days. All programming follows buildOn’s IPARD service-learning framework: Investigation, Preparation, Action, Reflection, and Demonstration.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. buildOn implements and maintains reasonable physical, administrative, and technical safeguards designed to safeguard PII in accordance with applicable law and the NIST Cybersecurity Framework. These safeguards include asset management, access controls and identity authentication, encryption, personnel training, and least-privilege functionality. buildOn engages in a risk assessment in accordance with the NIST Cybersecurity Framework to identify areas of improvement to improve its security posture to ensure PII is adequately protected. buildOn also maintains a written information security program and incident response plan to provide clear guidance to personnel.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

CAMBA, Inc (Community Schools)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term:

• PS 306 and PS 1998: 7/1/2021 – 6/30/2024
• Forsyth Satellite Academy: 7/1/2022 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

PS 306 and PS 1998: CAMBA’s Community Schools program helps students succeed by offering academic enrichment, along with programs to improve school culture, engage families, and connect students with other nonprofit and public support services to ensure their success. In order to assist these students, CAMBA collects PII to better understand student needs, to stay in contact with the student, and to track outcomes of CAMBA’s work. CAMBA uses the collected data to provide academic and student support, social and educational development, middle school advising and preparation, skills development, and alumni services. CAMBA also uses the data to conduct follow up with graduates after graduation to assist them in maintaining their continuing success, and provides DOE with historical information on outcomes to further improve the on-going services.

Forsyth Satellite Academy: CAMBA’s Community Schools program helps students succeed by offering academic enrichment, along with programs to improve school culture, engage families, and connect students with other nonprofit and public support services to ensure their success. In order to assist these students, CAMBA collects PII to better understand student needs, to stay in contact with the student, and to track outcomes of CAMBA’s work. CAMBA uses the collected data to provide academic and student support, career and educational development, college advising and preparation, work preparation, skills development, alumni services, and paid internships. CAMBA also uses the data to conduct follow up with graduates after graduation to assist them in maintaining their continuing success, and provides DOE with historical information on outcomes to further improve the on-going services.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

If granted permission by DOE, CAMBA will remove any identifiers from student data making it no longer PII, and maintain the de-identified data in order to continue reporting on historic outcomes and tracking outcomes for improvement of on-going services.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Eccovia Solutions, Inc, and using an Entity-owned and/or internally-hosted solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CAMBA’s polies are designed to ensure that PII is protected. All student files are maintained in locked filing cabinets in the program offices. Access to student files and information is limited to staff with a need to have such access. Electronic PII is kept in a secure database that is segregated from CAMBA’s agency-wide client management system, and only staff with specific permission can have access to information in the database. Mandatory training is provided to all staff on the requirements and importance of the agency’s confidentiality policy. Student information, records, and data are not disclosed by CAMBA to any person, organization, agency, or other entity except as authorized by law or appropriate consents. CAMBA’s database management systems supports the creation of user accounts, roles, user group security, and permissions based on programs’ protocols. CAMBA maintains student data confidentiality by creating the specific workgroups and security organizations in database systems. CAMBA practices Universal Precautions/Standard Protocol & Procedures and compliances with any and all Federal, State, City, and CAMBA confidentiality, privacy, and security laws. CAMBA uses appropriate safeguards to prevent us or disclosure of the PII and implements administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

CAMBA, Inc (Learning to Work)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CAMBA engages in joint review of student data, both personal and academic, with both NYC DOE and CAMBA staff who work with our students. The Learning to Work Program [at a Transfer School at Brooklyn Academy and for Young Adult Borough Centers (YABC) at Franklin K. Lane] utilizes data monitoring tools and surveys created by DOE and CAMBA’s Data, Assessment, Research and Evaluations (DARE) department to track student attendance and progress. The results from these data monitoring tools and surveys provide the Learning to Work program, Principal, and school administration with the information necessary to create goals and establish areas of focus. Qualitative data is essential to our understanding of what is working well and what needs improvement.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. Upon expiration or termination of the contract for any reason, CAMBA shall return or destroy all PII received from DOE or created by CAMBA on behalf of DOE and certify in writing to such return or destruction. This provision shall apply to PII that is in the possession of CAMBA’s subcontractors. CAMBA shall retain no copies of the PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; and using an entity-owned and/or internally hosted solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CAMBA’s policies are designed to ensure that client information is protected. All client files are maintained in locked filing cabinets in the program offices. Access to client files and information is limited to staff with a need to have such access. Electronic information is kept in a secure database that is segregated from CAMBA’s agency-wide client management system, and only staff with specific permissions can have access to information in the database. Mandatory training is provided to all staff on the requirements and importance of the agency’s confidentiality policy. Client information, records, and data are not disclosed by CAMBA to any person, organization, agency, or other entity except as authorized by law. Our database management systems supports the creation of user accounts, roles, user group security and permissions based on programs’ protocols. We maintain clients’ data confidentiality by creating the specific workgroups and security organizations in database systems. We practice Universal Precautions/Standard Protocol & Procedures and comply with any and all Federal, State, City and CAMBA confidentiality, privacy, and security laws, specifically including, but not limited to, HIPPA. We use appropriate safeguards to prevent use or disclosure of the PII and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentially, integrity, and availability of the electronic PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Canva

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 6/12/2023 – 6/1/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Canva for Education – an online design tool used by students, teachers, and staff to design a wide array of products, including presentations, posters, websites, videos, and much more. The software allows an authorized user to create from scratch or use a library of templates, photos, videos, and other media, through the use of digital design tool elements. Basic user information, including PII such as the user’s first and last name, plus District-issued email address, is required for SAML-based Single Sign On (SSO); allowing the District to centrally control and manage access.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Measures of pseudonymization and encryption of personal data: Canva encrypts Data transmitted between customers and the Canva application over public networks using TLS 1.2 or higher. Customer Data stored on Canva’s servers is encrypted using AES 256 or stronger.
• Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: Canva has personnel responsible for oversight of security and privacy. It has appointed Heads of Security, Privacy and Data, together with an Information Security Committee that meets quarterly to discuss privacy and security risks managed in its risk registers.
• Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: In order to support availability of the service, Canva utilizes Amazon Web Services (AWS) auto scaling, AWS availability zones, extensive application and infrastructure monitoring, and 24x7 application support rosters. Canva maintains backups of the data stores, including Customer Data, that support the core functionalities of the Canva application. Backups are stored in a location geographically-separated from the primary data storage location. Canva maintains a security incident response capability that includes a documented Personal Data Incident Response Plan for security incidents involving Data. This defines how we contain, respond, assess, communicate incidents, as well as roles and responsibilities of Canva personnel and a requirement for post-incident reviews.
• Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing: Canva engages a specialist third-party security tester to perform an annual penetration test of its application and infrastructure. Canva also employs a third-party application vulnerability scanning service and runs a public bug bounty program.
• Measures for user identification and authorization: Where a Customer’s account contains a password for authentication, Canva stores the password salted and hashed using an industry-standard password hashing function. Canva supports Single Sign On (SSO) integration with a customer identity provider using Security Assertion Markup Language (SAML).
• Measures for the protection of data during transmission: As per item 1, Canva encrypts Data transmitted over public networks between customers and the Canva application using TLS 1.2 or higher.
• Measures for the protection of data during storage: As per item 1, Customer Data stored on Canva’s servers is encrypted using AES 256 or stronger.
• Measures for ensuring physical security of locations at which personal data are processed: The service is hosted and Data is stored within data centers provided by Amazon Web Services (AWS). As such, Canva relies on the physical, environmental and infrastructure controls of AWS. Canva periodically reviews certifications and third-party attestations provided by AWS relating to the effectiveness of its data center controls.
• Measures for ensuring events logging: Canva maintains application and infrastructure security audit logs. Audit logs are analyzed to detect anomalous activity.
• Measures for ensuring system configuration, including default configuration: Canva hardens its server infrastructure using a hardening standard based on a common industry standard. Canva applies security patches to its servers in accordance with its Vulnerability Management Procedure.
• Measures for internal IT and IT security governance and management: Canva staff access to Customer Data is role-based and follows the principle of least privilege. Staff are only provided with sufficient access to Customer Data to be able to discharge their responsibilities effectively. Remote network access to Canva systems requires encrypted communication via secured protocols and use of multi-factor authentication. Canva has established and will maintain procedures for password management for its personnel, designed to ensure passwords are personal to each individual, and inaccessible to unauthorized persons, including at minimum:
  • cryptographically protecting passwords when stored in computer systems or in transit over the network;
  • altering default passwords from vendors; and - education on good password practices.
• Staff access to production infrastructure requires multi-factor authentication (MFA). Canva staff are subject to confidentiality obligations and a Personal Data Handling Policy. Canva requires its staff to undergo information security awareness training, both at the commencement of their employment and then annually thereafter. Canva also requires its staff to undergo privacy law training annually (including to comply with COPPA and FERPA in respect of student data). Canva has implemented privacy by design, including but not limited to, privacy impact assessments.
• Measures for certification/assurance of processes and products: Canva will maintain an ISO 27001 certification, undergoing periodic external surveillance and recertification audits to ensure that its Information Security Management System (ISMS) meets the requirements of this standard. Canva will maintain an information security policy that meets the requirements of the ISO 27001 standard, an internal audit program that assesses Canva’s ISMS and information security controls, and a management committee that is responsible for oversight of Canva’s Information Security Management System (ISMS).
• Measures for ensuring data minimization: Canva allows visitors to use certain functionalities of its platform anonymously and minimizes the Data it requires from Customers to only what is necessary to provide the service requested.
• Measures for ensuring data quality: Canva ensures the quality of its data through verification of emails that sign up to the canva.com platform. Canva also allows users to update the information in their accounts themselves or via requests to its customer support function, the Customer Happiness Team.
• Measures for ensuring limited data retention: Canva maintains a Data Retention Policy setting out the retention periods for various types of data based on legal requirements, justified interests of Canva and the purposes of collection.
• Measures for ensuring accountability: Canva has designated local representatives in Europe and the United Kingdom. Canva’s local representative in the European Economic Area is European Data Protection Office (EDPO) with registered address at Avenue Huart Hamoir 71, 1030 Brussels, Belgium. Our local representative in the United Kingdom is European Data Protection Office UK (EDPO UK) with registered address at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom. Data Protection Impact Assessments are carried out for high risk processing activities and Canva maintains records of its processing activities.
• Measures for allowing data portability and ensuring erasure: Canva has an automated process for deleting Customer Data on request within 28 days and enables the download Customer Data to provide to alternative service providers.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Canvas Institute

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 1/15/2023 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. This program will deliver Compassionate Systems tools and Practices to students including social emotional learning and well-being education/guidance.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Vendor selected “Other: No PII will be stored in a database. Any information such as surveys will not have students full name, address or personal information that can compromise their identity.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The program is taking place in person. No personal information will be uploaded or stored in any data base. Any surveys that administration will have access to will not have any student identifiers on them that can pose a security risk to the students or the school.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

CAPIT Learning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CAPIT Reading provides teachers with a lesson plan and a phonics curriculum that teaches students to read and spell. [Information collected: Student first name, last name, username, password, student ID, grade, class, teacher, school, and district.]

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CAPIT collects only the information necessary to deliver its services and ensure students learn to read. This data is never stored on personal devices, never emailed or sent from one user to another, or made accessible to anyone other than those who are directly involved in delivering or aiding in the delivery of student instruction. All data is encrypted and stored on AWS cloud services. All CAPIT employees and subcontractors are made aware of our security and privacy practices and must agree to abide by them.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

CareerSafe

The exclusive purposes for which Protected Information will be used: Student name and course completion information is used to process course completion wallet card from the U.S. Department of Labor, OSHA.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: As an OSHA-Authorized Provider, CareerSafe is required to provide student data to OSHA. We are contractually obligated to provide student name and course completion information to OSHA for the purpose of providing students with an OSHA completion card. OSHA, as part of the U.S. Department of Labor, complies with Federal data security standards. No student data is shared with any other organization or individual. 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Student completion records will be maintained for five years, after which, CareerSafe will destroy and delete all the data in its entirety in the manner that prevents its physical reconstruction. 

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: In accordance with their contract, CareerSafe will work with the NYC DOE in processing challenges to the accuracy of student data in CareerSafe’s custody. 

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All at rest data is FIPS 140-2 compliant / certified process used to encrypt the student data while at rest on the application database. Student data is stored in/on an application database, located in the Amazon Web Services hosting facilities. The back-up data is presently stored on site in a secured storage unit. No data is store outside of the US. All data is fully encrypted to an AES 256 bit standard at rest and while in transit. All network devices and storage units are restricted to only be access by administrators. 

How the data will be encrypted (described in such a manner as to protect data security): All data is fully encrypted to an AES 256 bit standard at rest and while in transit.

CareerWise

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CareerWise New York is a youth apprenticeship system based in New York City. CareerWise New York offers a three-year applied-learning environment for high school students and an innovative talent-acquisition strategy for businesses. With apprenticeship, students earn debt-free college credit and nationally-recognized industry certifications through their work experience in fields such as IT, financial services, and business operations…all while graduating high school on-time.

We are trying to offer youth apprenticeships in high growth areas such as health care and technology to high school aged students. We hope to use this software to facilitate the hiring of students into apprenticeships.

We use this software as a means of managing our youth apprenticeship programming such as supervisor training, apprentice training, recruitment, and hiring. We also use this software for case management, relationships management, and communications management. It is what allows us to be an effective intermediary between industry and education. Through this system we can post available apprenticeships, recruit students, and communicate to both employers and school staff where students are at in the process. Students can create profiles, search through job descriptions and apply. They can also see how close an apprenticeship is to their home or school. Teachers and counselors can manage a caseload of students who are interested in apprenticeship, provide feedback on their profiles and applications, and have the final say in terms of approving students and ensuring that they are eligible to apply. CareerWise staff can use the system to provide feedback, offer application support and interview preparation to students. We can use this information to track progress on a school by school basis which allows us to assist schools at an individual level.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII information is only accessible to the staff that need access to the information. Any staff who do not need to see the PII information for their jobs will not be able to access this information through encryption and access restrictions.

CareerWise has implemented data security measures to monitor the data on a regular basis to ensure the data is protected from unauthorized users. For any incident that is reported CareerWise has an incident response coordinator to assemble the data that is affected and communicating to specific parties and incident response handler to analyze evidence so the incident can be resolved. CareerWise will manage incidents with phases defined in NIST SP 800-61 of preparation, detection, containment, investigation, remediation, and recovery.

If someone requests the deletion of PII information, CareerWise will take the proper steps in deleting all personal information from our cloud based Customer Relationship Management software, cloud storage, back ups, and the learning management system.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

CareMonkey 

• CareMonkey follows the principle of “Least Privileged Access” whereby user accounts are provided the most restrictive access necessary to perform the required business function.
• Access to data is restricted depending on job roles and all access is tracked.
• As part of our Information Security Program we maintain a systems access register.
• Access to sensitive data is restricted to those few with a need to know and must be approved by management.
• Access accounts have username and passwords with Two Factor Authentication (2FA).

Castle Software

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Very basic student and teacher rostering information is collected by the Castle Learning application for establishing logins to the application and to securely link students to the appropriate teachers/classrooms. The application provides test item content and supplemental content teachers may assign to students for student learning and assessment for academic progress in core subjects.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The data is stored in SOCII compliant data centers within the US. All data in transit is encrypted to industry standards (TLS 1.2), sensitive data is encrypted at the column level in the database, only authorized staff with a need to access the data to provide the service have access and the network environment is scanned weekly using a third party scanning service. Additionally, Castle Learning uses a Web Application Firewall to further protect the system.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

CCI Learning Solutions Inc (Jasperactive)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 3/2022 – 3/26/2026

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Jasperactive is a web-based learning product designed for Microsoft Office with tailored exercises for Word, Excel, and PowerPoint, Outlook and Access. Students are delivered a Benchmark, Lessons and Create Exercises. The primary purpose of Jasperactive is to teach the students the required fundamentals to pass the Microsoft Office Certification exams.

Type of PII that the Entity will receive/access: Student PII

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request.All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CCI Learning Solutions Inc. is committed to protecting users’ privacy and PII and developing technology that gives users’ the most powerful and safe online experience. We safeguard PII through a combination of policies, procedures, training, segregation of duties and robust systems, security and technology. We mitigate data privacy and security risks by following and adhering to industry protocols, standards and practices, employing up to date technology, training and segregation of duties and user access controls.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. The vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Center for Educational Innovation (CEI)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CEI supports school leaders and educators collaboratively with community members, families, nonprofit organizations, and students to implement the community school model as an equity strategy. CEI’s team of experts provides technical assistance, capacity building, family engagement, and youth development programs in the arts, STEM education, Esports, academic support, character education, and the early stages cultural experiences under our signature program Project BOOST(Building opportunities and options for students). PII is necessary to track attendance in CEI programs and activities, including mental health support.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data)

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: CEI is not storing data, therefore no data needs to be destroyed.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CEI Community Schools Directors will use locked offices and file cabinets, when possible, to ensure that hard-copy documents containing PII are protected. At no point will the hard-copy documents leave the school site, in an effort to minimize risk of unauthorized disclosure. Access to PII will be limited to the CEI Community School Directors.

Any data used for analysis by CEI Community School Directors (CSD) shall be viewed, processed, and stored on NYCDOE provided devices and cloud storage under the purview of the NYCDOE’s acceptable use policies and requirements. At no time will any CBD transfer, share, submit or provide access to any data that is located on NYCDOE devices or cloud storage.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Center for Family Life in Sunset Park

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. Center for Family Life’s comprehensive, school-based integrated services include whole classroom work to support students’ social emotional development; crisis intervention, counseling, case management and access to a full range of additional supports and referrals to community-based services; professional development and training for school staff; and support for school-wide, community-building initiatives engaging students and families. Our current program models for collaboration with DOE teachers and students during the school day include: 9-11 advisory & 12^th grade internship programs at Sunset Park High School; interdisciplinary arts/social emotional learning at MS 136/MS 821; and success mentoring/attendance improvement initiatives. We are receiving or accessing PII so that we may effectively assess and appropriately respond to student needs. Additionally, PII enables us to provide comprehensive supports and services to the students and families in our partner schools, as needed.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Microsoft 365 – OneDrive/SharePoint.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Microsoft Defender for Office 365 has been configured to provide secure use of all email communications. OneDrive and SharePoint services provide both at-rest and in-transit data protection.
• Multifactor Authentication is enabled on every account. Multifactor authentication (MFA) is a security technology that requires multiple methods of authentication from independent categories of credentials to verify a user's identity for a login.
• N-Able Remote Monitoring and Management allows us to remotely monitor desktops, laptops, and servers across a variety of operating systems. We can monitor network devices, switches, firewalls, routers, and more using SNMP. This also assists in preventing cyberattacks, perform routine maintenance, and update devices remotely with automated patch management. The managed antivirus features allow us to remotely push out and protect our devices against known viruses and malware. BitDefender Antivirus works against all e-threats, from viruses, worms and Trojans, to ransomware, zero-day exploits, rootkits and spyware.
• CFL assures all physical devices used for transmitting confidential data are always in a secure location.
• Security Breach Response
  • Notify Center for Family Life Response Teams
  • Engage Tech Alliance, outside IT Security Consultant, if needed, depending on severity
  • Secure network, computer and cloud solution systems
  • Determine the nature, content and extent of the breach – (I.e., exactly what was breached)
  • Update all data breach protocols
  • Test to make sure new cybersecurity defenses work
  • Let CFL's employees (& Clients if applicable) know about the data breach
  • Notify the NYC DOE of any breach or unauthorized release of PII in the most expedient way possible and without unreasonable delay but no more than seven calendar days after the discovery of such breach
  • Cooperate with the NYC DOE and law enforcement to protect the integrity of investigations into the breach or unauthorized release of PII
  • Pay for or promptly reimburse the NYC DOE for the full cost of parental notifications, where a breach or unauthorized release is attributed to the TPC
  • As a DOE partner, Center for Family Life will comply with all provisions of the Data Privacy/Security Policy for Schools and Offices as posted on the DOE website, including Compliance with Law and Policy, Restrictions on PII Use, and Data Privacy and Security Practices

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Center for Supportive Schools

The exclusive purposes for which Protected Information will be used: Center for Supportive Schools (CSS) serves as a Lead CBO under the Community School initiative to provide community school services at awarded partner schools. In addition, CSS under a sub-contract agreement with the Board of Education of the City School District of the City of New York also supports the NYS Integration Project – Professional Learning Communities (NYSIP-PLC).

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: In entering data agreements with schools and school districts, CSS agrees and adheres to the below general protocols:

• Receive data through secure sites, as requested by the partner school and/or district.
• Maintain data security throughout use, by restricting data access to vetted individuals and keeping data stored on password protected devices. CSS will communicate with the appropriate parties within 24 hours should a breach occur.
• Maintain additional server security through a partnership with SureTech/IVIONICS, a cloud IT service company that provides data and hardware security through anti-virus protection software, Total Network Defense (TND) and SNAP Monitoring (a malware and instruction monitoring and alert system).
• Destroy any data within an agreed upon/appropriate timeline.
• Share only aggregate reports of non-identifiable data with staff and external audiences.
• Community with data sender post-analysis, if requested, to share analyses.
• Review these protocols annually to ensure proper adherence and adjust where necessary.
• Maintain team awareness of applicable federal and state laws that govern the confidentiality of personally identifiable information.
• Remain subject to any applicable law, most prominently, FERPA and HIPPA regulations.

In addition to the above safeguards in place, CSS also commits to managing its authorized users (including subcontractors) as follows:

• Timely and appropriate training for any and all authorized users to understand CSS data protection policies and NYC DOE contractual requirements. Consideration is being offered to the Board that all authorized users sign a training document that ensures understanding and compliance.
• The Director of Contracts & Compliance will work with the IT/System Administrator to ensure compliance of data protection and security.
• Access to the raw data is restricted internally at CSS to members of CSS’s Evaluation Team, the Regional Executive Director, and the CEO. Only these individuals will have access to the credentials that will allow them to access the data files and they will use the data files only on their password protected computers.
• Data will only be sent through the secure FTP site (Box.com). All transmission of data via the FTP site will be encrypted.

CSS acknowledges the responsibility to ensure compliance with the confidentiality provisions of the Family Educational Rights and Privacy Act of 1974 (FERPA 34 CFP 99) and the Code of Maryland Regulations (13A.08). CSS acknowledges that any unauthorized disclosure of confidential student information is a violation of FERPA and shall not be permitted to occur.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon completion, and/or termination, of this agreement with NYC DOE, CSS shall certify that Protected Information has been surrendered or destroyed in accordance with this Rider via the "Certificate of Records Disposal" form attached to this Rider as Exhibit D. Any and all measures related to the deletion, destruction or disposition of Protected Information will be accomplished within 90 days upon expiration of the agreement. CSS agrees to utilize an appropriate method of confidential destruction, including shredding, burning or certified/witnessed destruction of physical materials or verified erasure of magnetic media using approved methods of electronic file destruction.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, CSS will work with the NYC DOE to process requests for copies of, and challenges to the accuracy of, Protected Information in the custody or control of the Contractor. Such requests will be directed to studentprivacy@schools.nyc.gov.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): No Protected Information will be stored outside the USA. CSS policies ensure that secure data is housed on protected and secured platforms. All computers that host these platforms are protected through passwords and a secure and virus protected network. CSS understands the importance of data security. We do not request data that is not necessary for our work and when we do, it is housed appropriately. PII data is NEVER stored on personal equipment.

How the data will be encrypted (described in such a manner as to protect data security): CSS understands that data encryption helps to keep data safe and compliant and provides extra security against unforeseen mishaps. CSS has hired a full-time IT System Administrator that has begun reviewing data management policies and identifying a high-quality data encryption strategy which identifies data needed to manage encryption keys and block unauthorized access to company data.

When data is stored or when accessed (by authorized staff) it is done securely within the Data Protocol Framework which includes: data management, ethical walls, privileged user monitoring, sensitive data access auditing and secure data trail tracking.

CSS utilizes a complex cipher to make data unreadable to third parties. The encryption strategy incorporates technologies that defend data in all three of its states:

• Data at Rest: this is data located in data storage areas or within various devices, including authorized CSS and school staff.
• Data in Motion: this is data that is being transmitted from one endpoint to another across a network. This includes local LAN and WWW.
• Data in Use: this is when data is being actively accessed by a credentialed user.

CSS understands that developing a solid encryption strategy is a long-term, collaborative process that includes IT, operations, and management stakeholders. CSS continuously identifies high-value data and regulatory requirements and has processes in place to identify and prioritize the most sensitive or valuable data for encryption. A new IT Director is in place to ensure critical data security, implement access controls and properly train all staff on data security policies and procedures. CSS also works with a cybersecurity firm to ensure data lifecycle management.

Central Family Life Center

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. The Central Family Life Center will be conducting services associated with Project Pivot, which will include counseling, mentorship, mediation, and restorative services for students. As such, it is reasonably expected that PII will inform select activities, practices, and approaches implemented through the work of counselors, mentors, and mediators serving on the Project Pivot contract.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYCDOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using an Entity-owned and/or internally hosted solution.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CFLC will collect and disclose students’ PII only as necessary and only for educational purposes. The organization commits to ensuring that all administrative files and protected documents are stored and protected by password protection, and any physical files containing information will be stored securely in a locked filing system. The organization further commits that access to any/all files containing PII is restricted and made available to only those staff and/or affiliates who have a need for utilizing such data/information in the course of their implementation of program activities. All staff and affiliates, including subcontractors, if/as applicable, will receive comprehensive training in data privacy and security, including applicable laws, policies, and safeguards associated with industry standards and best practice; the policies, practices, and protocols of the organization; and all policies and regulations established by DOE and the related/relevant contract.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

CEV Multimedia

 Type of Entity: Commercial Enterprise

Contract / Agreement Term: September 2023 – September 2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. NYCDOE is using iCEV CTE curriculum to prepare students for taking certification exams in several subjects. Including pre-med electives: medical terminology, anatomy & physiology, and medical assisting. The district will provide basic roster related PII as they need to manage their classroom roster and records in the solution. This includes at the district’s discretion PII such as the teacher and student first name, last name, email address or UPN.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Simpatico Systems US based and certified data centers in Dallas and Los Angeles.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Administrative access to PII is limited to named privileged authenticated users required to support the services that the DOE has contracted.  NIST CSF policies and procedures are followed to provide the service. Sharing of PII is limited to what is required to provide the services and confidentiality agreements are in place to protect DOE data. Team members are provided cybersecurity and data privacy awareness training throughout the year with training. Systems are hosted in US based, certified, and secure hosting environments.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology."

Changing Perceptions Theater

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. Participants learn to write and perform original dramatic works such as monologues, short plays and full length-plays for their school community and families. Participants will see professional plays performed in New York City. PII will be utilized to contact parents regarding trips, emergencies, program updates, invitations to events and to keep enrollment or attendance lists, and progress reports.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYCDOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Google Cloud and "if there are physical attendance sheets they will be kept in a locked and secure space at the school that is agreed upon by the school administration and CP.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• A child’s PII will be collected and disclosed only as necessary to achieve educational purposes in accordance with state and federal law.
• A centralized staff person is responsible for supervision and monitoring appropriate safeguards, policies, and practices in place to protect the data.
• Staff will participate in mandatory 2-part training about applicable laws, policies, and safeguards associated with industry standards and best practices; consistent with NYC DOE’s data security and privacy policy.
• Encryption, firewalls and password protection will be mandatory for all emails and cloud usage to electronically transmit sensitive PII information.
• CP will not maintain copies of participant’s PII once PII is no longer needed for the educational purpose/ for which the DOE has disclosed PII to CP.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Children’s Aid Society

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2022 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. In accordance with FERPA, Children’s Aid agrees that to the extent that the services provided relate to the processing of protected information, the services are for Children’s Aid to perform an institutional service or function for which the BOE would otherwise use its employees.

The services being provided are the continuation of Community School services previously funded through 21st Century Community Learning Center grants that expired on June 30, 2022. Community Schools emphasize family engagement, characterized by strong partnerships and additional support for students and families designed to counter environmental factors that impede student achievement. While some of the specific attributes of a community school program vary based on the needs of its respective community, all Community Schools share three foundational pillars:

• A rigorous academic program with strong supports to prepare all students for college, careers, and citizenship, and that supplements quality curriculum with expanded learning opportunities that keep students engaged, coupled with high levels of accountability for results;
• A full range of school-based and school-linked programs and services that, based on a needs assessment of the community, address the comprehensive needs of students and their families and that work with families as essential partners in student success; and
• Partnerships that demonstrate collaboration with the local community, including by engaging families and other community stakeholders and drawing on a broad set of resources, incorporating local and State government agencies, non-profit service providers, institutions of higher education, and the philanthropic and business communities in order to extend the impact and depth of services and programs.

It is important to emphasize that Community Schools do not seek to duplicate effective services that already exist in their communities; rather, through partnerships, these schools leverage existing high quality programs and assets by linking them to the school and providing robust services to students and their families.

Children’s Aid uses protected information to provide the following required Expanded Learning and Enrichment Activities:

• in coordination with the Principal, SLT and CST, determine the focus, content and manner of expanded learning and enrichment programming to be provided at the school(s), considering the needs and expressed interests of students at the school(s) in alignment with the grant(s). Children’s Aid shall work with existing after school and expanded learning providers at the school(s) to align their work with the school’s instructional focus in order to provide more opportunities for personalized learning for as many students as possible. Children’s Aid shall also consider student and parent input via the community school planning process and use such input to inform the selection of specific activities to be offered, and such input must be reflected in the CS plan.
• ensure that expanded learning and enrichment programming delivered at the school is tailored to the needs of the school(s) and its student population, and is in alignment with the goals and objectives of the grant(s).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Children’s Aid employs administrative, operational, and technical safeguards including policies regarding the protection of confidential information, policies regarding the acceptable use of technology resources, training, and data system monitoring.

Confidential data is protected and only used in accordance with state and federal laws, rules and regulations, and Children’s Aid policies to prevent unauthorized use and/or disclosure. Staff must obtain written consent prior to the disclosure of personally identifiable information, except in those instances specifically allowed for by law. These include disclosure pursuant to a valid court order, or lawfully issued subpoena, a request for disclosure by authorized representatives of the officials or agencies headed by State or local educational authorities, a health or safety emergency where disclosure of PII is necessary to protect the public health of the student or others, and reason permitted by law.

Education records may be released without consent after the removal of all personally identifiable information provided that a reasonable determination that a student’s identity is not personally identifiable (whether through single or multiple releases, and considering other reasonably available information) has been made.

Reasonable methods must be used to identify and authenticate the identity of parents, students, school officials, and any other parties to whom PII in education records is disclosed.

Violation of the Children’s Aid policies by staff is grounds for dismissal. Staff agree to abide by the rules covering the maintenance and use of mobile equipment assigned to them. All devices and accounts are subject to inspection without user permission. Handling of protected information must be exclusively for the conduct of job-related duties and may not include dissemination of confidential information for unauthorized purposes nor any commercial uses. Use of technology and devices must incorporate use of strong passwords, dual authentication when required, protection of unique passwords, physical security of devices, and safe practices that protect systems from viruses and spyware. Use of technology and devices must not include any effort to circumvent data protection configurations, decrypt intentionally secure data, or copy data to non-secure devices for any purpose.

Children’s Aid utilizes subcontracted systems that demonstrate Systems and Organizations Controls (SOC) through SOC 2 audit reports based on the Auditing Standards Board of the American Institute of Certified Public Accountants' Trust Services Criteria (TSC). The purpose of the SOC 2 is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality, and privacy. These reports are intended to provide detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. Security principles within the fundamental designs of the systems permit users to access information they need based on role while restricting them from accessing information not needed for the role. Encryption technologies protect data at rest and in transit. Subcontractor information security and availability policies define how systems and data are protected. These include policies around how the service is designed and developed, how the systems is operated, how the internal business systems and networks are managed, and how employees are hired and trained.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Chinese American Planning Council (Community Schools)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The services we provide are in alignment with the needs assessment based on the school population. Our food panty aims to reduce food scarcity for families in need with our high need families being able to utilize our food panty every 2 to 3 weeks and our low need families a couple of times per year. Our afterschool program aims to reduce the number of students in of afterschool services. We work with the other CBOs in the building along with the school leadership team to identify and prioritize students and families that are in need of after-school services. We meet with the school leadership team formally on a quarterly basis as well as keeping an open line of communication in terms of highlighting new needs that the school community may need, for example offering workshops on topics such as identify theft. We determine the effectiveness of such services by eliciting feedback from the school leadership team as well as the school community itself. The PII which we have access to are necessary for student identification, family communication, and record keeping purposes for the services we are providing.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft 365 Enterprise.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CPC uses Microsoft Office 365 Enterprise. Microsoft 365 Enterprise’s data at rest is located in the United States. It also has inherent high-quality security protections. For example, in the event a staff member sends an email or shares a file through email containing personal information, Office 365 uses DLP policies to protect the information. For emails it will encrypt the message so that only the receiver can read it. A link and a pin will be sent to them to open the email. File sharing also uses the same verification method.

CPC inherits the same Data Encryption provided by Microsoft on their Office 365 Enterprise platform. All sensitive information is given an extra layer of encryption, as part of CPC multifactor authentication (MFA). The user login is paired with a password and an SMS code to verify the login. CPC and our technology vendors maintain encryption, firewalls, and password protection protocols. CPC staff also participate in an annual cyber security training to ensure staff are aware of digital threats to privacy such as malware and phishing.

Physical copies of community member information such as intake forms will be filed into participant folders and kept under lock and key in a file cabinet with only designated staff access (Program Director, Program Aide, and if appropriate Division Lead and Chief Program Officer). Staff are trained during onboarding not to leave files out in the open and to return files to the cabinet as soon as possible.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Chinese American Planning Council (Project Pivot)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 11/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. The services and activities are aligned with violence prevention by providing the following: specialized and intensive academic coaching supports for students who need to be reengaged in the schooling and learning process; targeted and tiered supports to improve student attendance in school; engaging and connecting families to resources; classroom focused behavioral services and strategies to ensure students are able to get the most out of each lesson, remain on task, and meet the learning objectives for the day; and offering in‐school and after school tutoring. CPC will be evaluating the program through participant’s daily attendance, report cards and feedback through surveys and weekly evaluations. The PII shared with CPC will be student names, student ID, addresses, phone.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using an Entity‐owned and/or internally hosted‐solution.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All PII will be maintained and tracked at the school level and store in a secured filing cabinet. Attendance and Email correspondence with students are kept on Office ‐ OneDrive & Outlook. Our Office Suite includes Two‐factor authentication (2FA), which is an identity and access management security method that requires two forms of identification to access resources and data. This safeguards our most vulnerable student data information

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Chinese American Planning Council (Project Reach)

Please include a brief description of the product(s) or service(s) being provided, and the exclusive purposes for which Protected Information will be used, collected or otherwise processed: The Chinese-American Planning Council, Inc. (CPC) Project Reach program will provide Department of Education (DOE) funded MTAC R1155 for Components of 1) Social Emotional Learning, 2) Respect for Diversity and 3) School Culture and Climate/Approach to Establishing and Sustaining a Positive School Culture as part of the services to promote safe and supportive school communities. DOE Principals, through this contract, request CPC Project Reach staff to provide workshops and trainings to support and enhance safe school cultures for youth, families and staff of DOE schools.

While it is not the policy of CPC to retain protected information, identifiable information may be kept in certain records required to work with the DOE, such as sign-in sheets showing attending students' names which are generally collected to verify that workshops were provided.

CPC Project Reach, to evaluate its own services, shares an anonymous survey at the end of a workshop for students, family members and/or school staff. No identifiable protected information will be requested and any results reported in the aggregate.

Occasionally, CPC staff, usually by request of city or state agencies, may ask for student or staff home zip codes to better understand where in NYC Project Reach has had a possible impact. This information is collected but only shared in the aggregate.

How you will ensure that the subcontractors or other authorized persons or entities that you will share Protected Information with will abide by data protection and security requirements required by your agreement with the NYC DOE: Any CPC subcontractors, authorized persons or entities will adhere to the protocols and protections set forth in Education Law § 2-d.

CPC uses several services such as internet providers like online Microsoft 365 Enterprise services and some technical vendors who support our program administrations/operations. Any technical vendors CPC retains will honor those protections for students and participant information to meet the standards of the Education Law § 2-d.

CPC has insurance in place and follows a yearly review of IT and technical processes agency wide to ensure best practices are continuously reviewed, monitored, and improved annually.

When your agreement with the NYC DOE starts and ends, and (ii) what happens to Protected Information upon expiration of the agreement: Upon expiration of the DOE-funded MTAC R1155 program, or upon request by the DOE, CPC can provide the appropriate certification that destruction of data related to any protected information is completed. In general, CPC's current practices involve maintaining data for the prescribed period of time per the requirements of the funder, City, New York State or federal guidelines. After this, CPC destroys all paper documents on-site or through a third-party vendor specializing in this process/activity. Digital records are deleted and servers scrubbed.

If and how a parent, student, eligible student, teacher or principal may obtain copies of, and challenge the accuracy of, the Protected Information in the custody or control of the Contractor: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE to process requests for copies of, and challenges to the accuracy of, Protected Information in the custody or control of the Contractor. Such requests should be directed to studentprivacy@schools.nyc.gov.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and (ii) the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): CPC uses Microsoft Office 365 Enterprise. Microsoft 365 Enterprise's data at rest is located in the United States. It also has inherent high-quality security protections. For example, in the event a staff member sends an email or shares a file through email containing personal information, Office 365 uses DLP policies to protect the information. For emails it will encrypt the message so that only the receiver can read it. A link and a pin will be sent to them to open the email. File sharing also uses the same verification method.

How the data will be encrypted (described in such a manner as to protect data security): CPC inherits the same Data Encryption provided by Microsoft on their Office 365 Enterprise platform. All sensitive information is given an extra layer of encryption, as part of CPC multifactor authentication (MFA). The user login is paired with a password and a SMS code to verify the login. CPC and our technology vendors maintain encryption, firewalls, and password protection protocols.

Circle Blocks EDU (also called PlaBook)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. PlaBook is an innovative reading technology platform designed to assist children in developing their reading skills. Leveraging artificial intelligence, natural language processing, gamification, and speech recognition, PlaBook offers a range of services to make the learning process engaging and effective. Our platform provides interactive reading exercises, personalized assessments, and adaptive learning experiences tailored to each child’s needs. Through a combination of AI-driven feedback, gamified elements, and speech recognition features, PlaBook helps children improve their reading fluency, comprehension, and vocabulary, fostering a love for reading while enhancing their overall literacy skills.

While PlaBook may collect Personally Identifiable Information (PII) from users, it is solely for the purpose of delivering personalized and tailored learning experiences. PII helps us create individual profiles, track progress, and provide targeted recommendations to optimize the learning journey for each user. However, PlaBook ensures that all collected PII is securely stored, encrypted, and handled in compliance with privacy regulations. User consent and data transparency are fundamental principles that guide our approach to maintaining the privacy and security of PII within the PlaBook program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS S3 storage, AWS RDS Database, AWS Redis caching, Cloudflare firewall and SSL protocol.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. No one has access to AWS server other than the applications. Caching server and DB is only allowed from approved IPs. Database and caching server password rotation every 6-9 months. We are using Cloudflare firewall protection for DDOS attack and other known attacks. Application is using token authentication for api protection.

• Data Encryption: All personal data will be stored and transmitted using strong encryption methods to prevent unauthorized access or interception. All data is encrypted at rest and in transit.
• Access Control: Implement strict access controls based on the principle of least privilege, ensuring that only authorized personnel can access and manage sensitive data.
• Data Encryption at Rest: Use encryption mechanisms to encrypt PII stored in databases, file systems, and backup archives. Employ native encryption features provided by the database or storage systems.
• Data Encryption in Transit: Utilize secure communication protocols like SSL/TLS for encrypting data in transit between systems and during data transfers.
• Access Control and Authentication: Implement strong authentication mechanisms, such as multi-factor authentication (MFA), to ensure that only authorized users can access PII.
• Security Audits: Regular security audits and vulnerability assessments will be conducted to identify and address potential weaknesses in our systems.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Circles Learning Labs

The exclusive purposes for which Protected Information will be used: Our goal is to provide an easy, fast and reliable meeting platform. For this reason, we ask for and store minimal information; first name, last name and email. Your information is stored in a safe and protected environment (encrypted at rest and in motion). 

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: We do not share data with external parties. Employees of Circles are required to sign a non-disclosure agreement when starting their work agreement with Circles. 

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: All meeting data is stored for 2 hours after the end of the conference, after which it is deleted. During this time, any user can choose to download the chat from the meeting room should they wish to save the data. Additionally, a user can make notes during a meeting and share these with others later. Participant attendance to a meeting is recorded, as is the duration (much like you’d expect from a phone call record.)

City Year New York

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/01/2022 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Data will be used to monitor progress and complete compliance reports regarding attendance rates, academic outcomes in math and ELA courses, and behavior.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Under federal law, due to our AmeriCorps grant, City Year is required to retain student data for 7 years. At the end of the retention period the data will be deleted.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. City Year has a comprehensive security program documented in our Written Information Security Program (WISP). We require all staff and ACMs to read and attest to following our data security and breach policies. Furthermore, we provide annual cybersecurity training and student data protection training. Access to any data requires a password and multi-factor authentication. We have a security incident process. We have selected high-quality IT cloud vendors to manage our systems with PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Claire Weisz Architects LLP (also called WXY)

Type of Entity: Commercial Enterprise

Contract Start Date: 9/1/2021 

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. WXY will lead in development of a comprehensive review of the status of each recommendations presented in the D15 Diversity Plan. WXY will primarily use interviews and stakeholder meetings, combined with data analysis to report on how relevant stakeholders in the D15 community have approached implementation in the three years since the plan’s release.

In the Spring of, 2021, WXY conducted an initial review of the status of the Plan’s implementation and synthesized the findings into a presentation Superintendent Anita Skop delivered to the CEC on April 29, 2021. WXY will expand on that initial presentation and will conduct interviews and analysis with the D15 leadership, the DOE offices responsible for implementing recommendations, and with the wider D15 community to compile a more thorough progress update. Additionally, WXY will conduct a wide range of data analysis in support of District 3 and District 13’s New York State Integration Project grants including the analysis of student level data.

WXY will support D14’s District Equity Initiative. WXY will take responsibility for organizing and performing all work in a timely manner and ensure the various elements effectively build on one another. WXY will introduce the process to up to six identified stakeholders, collect reflections and input, and share out with D14 leadership. WXY will work closely with D14 leadership to establish a D14 Equity Working Group, comprised of stakeholders from across District 14, as deemed appropriate by the DOE. WXY will conduct data research on Equity Audit best practices and precedents. WXY will conduct data analysis in support of a district wide equity audit.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Established data management workflows will be employed when transferring, storing, and using the data. Clear roles within the Processor organization will be established at the outset of the project, distinguishing responsibilities for obtaining, analyzing, and deriving insights from the datasets. Furthermore, raw data will be formatted, analyzed, and presented using industry-standard conventions and best practices. Each of these responsibilities will be allocated based on the Processor’s policies governing confidentiality and prior experience interacting with sensitive information. Any identifiable information linked to the datasets that is unnecessary to perform the stated scope of work will be erased. Any derived products will be de-identified and presented at a resolution that is consistent with the Processor’s standards as well as the BOE’s requirements for internal use and for external publication. Clear communication channels between analysts, communications managers, project managers, and the public will be clearly identified to interface between the Processor and BOE. These functions address the Control-P and Communicate-P functions of the NSIST Privacy Framework.

Access to the raw data will be limited to personnel identified to the BOE. Each personnel will receive an overview of this document, the sensitivity of the Protected Information, and the repercussions of violating local, state, and federal privacy laws before finally being introduced to the dataset. The Processor intends to limit the number of personnel interacting directly with the data to the bare minimum.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

ClassDojo

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ClassDojo is a school communication platform that helps bring teachers, school leaders, families, and students together. Among other things, ClassDojo provides the following services through its platform:

• Communication tools to help teachers, students and parents connect with each other
• A way for teachers to give feedback and assignments to students, and other classroom management tools
  • A way for teachers to share photos, videos, files, and more from the classroom for parents and students to see
  • A way for parents and students to post comments and “likes” on Class Stories and School Stories
• Student portfolios, where students can share their work with teachers and parents
• Activities and other content that teachers or parents can share with students. 
• A way for school leaders to see how connected their school community is, and also to communicate with parents and other teachers and school leaders
• “Dojo Island”- a virtual playground for kids and their classmates where they’ll explore a variety of activities focused on creativity and collaboration to explore, build, and live in a world with their classmates.

It’s important to note that this document does not apply to any services or products that you may use for non-school related services (i.e., ClassDojo services you use at home and not related to school).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

“It’s important to note that this does not apply to any services or products that you may use for non-school related services (i.e., ClassDojo services you use at home and not related to school).”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud, AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Consistent with industry standards, ClassDojo shall employ the following administrative, physical, and technical safeguards:

Infrastructure Security

• Encryption at Rest and In Transit
• Access to the ClassDojo Service occurs via encrypted connections.
• (HTTP over TLS, also known as HTTPS) which encrypt all data before it leaves the ClassDojo Service's servers and protects that data as it transits over the internet. All of our Services are in Amazon Web Services (AWS) and served from either Cloudfront or Elastic Load Balancer (ELB). We use HTTP Strict Transport Security to ensure that pages are loaded over HTTPS connections and our TLS configuration receives an A+ from Qualys SSL Labs.
• Student Data is stored at our Service Provider, AWS, and the following applies to their technical and organizational measures. In addition, we secure decentralized data processing equipment and personal computers. All personally identifiable information is encrypted at rest using modern encryption algorithms. In AWS S3, we use AES-256 with AWS managed keys, in Aurora (MySql) we use AES-256 with customer managed keys and in Redshift we use AES-256 with AWS managed keys. Additionally, we use MongoDB with AES-256 with keys managed by AWS.

Network Security

• The ClassDojo Services use AWS, to host the infrastructure. AWS undergoes strict ongoing security assessments from external audit firms to ensure compliance with security standards including ISO 27001, SOC 2, PCI DSS Level 1, and FISMA. See https://aws.amazon.com/compliance/programs/ for more details.
• Network access to the ClassDojo Services infrastructure is highly restricted. AWS hosted infrastructure resides in a dedicated Virtual Private Cloud (VPC) which is designed to ensure that only authorized traffic over approved ports is allowed. We use ThreatStack to monitor for suspicious activity.

Patching

• We use automated processes to regularly install security updates on the infrastructure that powers the ClassDojo Services, these processes include:
  • AWS Managed Services (e.g., Relational Database Service):** AWS proactively notifies our engineering team when updates are available and we apply them in a timely fashion.
  • AWS EC2:** All EC2 instances are monitored by ThreatStack and AWS inspector and updates are applied in a timely fashion
  • Classdojo Application:** Monitored by Snyk.io and Github for vulnerabilities and they are updated in a timely fashion.

Backups and Availability Control

• We have a data backup and recovery capability that is designed to provide a timely restoration of the ClassDojo Services, with minimal data loss, in the case of catastrophic failure. These backups are encrypted and stored in multiple availability zones. Additional technical and organizational measures to ensure that Student Data are protected against accidental destruction or loss (physical/logical) include:
  • Uninterruptible power supply (UPS);
  • Remote storage; and
  • Firewall systems.
• Note: Student Data is stored at our Service Provider - currently AWS - and the above applies to their technical and organizational measures as well as any other relevant such as MongoDB. In addition, we have a disaster recovery plan in place.

Physical Security

• Physical Access Controls
• Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Student Data are Processed*, include:
  • Establishing security areas, restriction of access paths;
  • Establishing access authorizations for employees and third parties;
  • Access control system (ID reader, magnetic card, chip card);
  • Key management, card-keys procedures;
  • Door locking (electric door openers etc.);and
  • Surveillance facilities, video/CCTV monitor, alarm system.
• Note: The ClassDojo Services are currently hosted in AWS and Student Data is stored at our Service Provider - currently AWS – which employs industry- leading physical security measures to protect their data centers and the above applies to their technical and organizational measures. These security features are regularly audited by third -party auditors.

Virtual Access Control

• Technical and organizational measures to prevent data processing systems used for Student Data from being used by unauthorized persons include:
  • User identification and authentication procedures;
  • ID/password security procedures (special characters, minimum length, change of password); and
  • Encryption of archived data media.
  • Data Access Control
• Access to the ClassDojo Services infrastructure is highly restricted. We limit access to individuals who need access to do their jobs such as engineers, data scientists, product managers, and support personnel. All access to our infrastructure is logged. All access to our infrastructure requires the use of strong passwords and multi-factor authentication.
• Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Student Data in accordance with their access rights, and that Student Data cannot be read, copied, modified or deleted without authorization, include:
  • Internal policies and procedures;
  • Control authorization schemes;
  • Differentiated access rights (profiles, roles, transactions and objects);
  • Monitoring and logging of accesses;
  • Disciplinary action against employees who access personally identifiable information without authorization;
  • Reports of access;
  • Access procedure;
  • Change procedure;
  • Deletion procedure;

Disclosure Control

• Technical and organizational measures to ensure that Student Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Student Data are disclosed, include:
  • Encryption/tunneling;
  • Logging; and
  • Transport security.

    Entry Control

• Technical and organizational measures to monitor whether Student Data have been entered changed or removed (deleted), and by whom, from data processing systems, include:
  • Logging and reporting systems; and
  • Audit trails and documentation.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Clever Prototypes (also called Storyboard That)

 Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Storyboard That Education Edition for Teachers and Students. Storyboard That is a web-based product for teachers and students. With our Award-Winning Storyboard Creator, teachers and students can create storyboards, graphic organizers, comics, and powerful visuals to enhance their learning in all grades and subjects. We have over 5,000 resources for teachers to easily integrate Storyboard That meaningfully into their curriculum. PII Collected: IP Addresses of users, use of cookies, students school of enrollment, student grade level, student scheduled courses, teacher names, student app username, student app passwords, student name first and/or last, student generated content such as writing and pictures.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Privacy-centered design means that students can use Storyboard That with as little PII as possible. Student accounts and all relevant personal data may also be deleted at any time.
• To keep your personal data secure, all data is encrypted in transit and at rest.
• Data is stored in access-controlled data centers with 24/7 monitoring by Microsoft Azure, an industry-leading provider.
• Employee access to personally identifiable information is provided on an as-needed basis, to provide customer support for example.
• Employees with access to personal data are required to undergo background checks, sign a nondisclosure agreement.
• Storyboard That has signed the Student Privacy Pledge.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Clickview

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ClickView is an educational video platform specializing in K-12 video resources. ClickView lets teachers find and share video that engages students in a format they understand. The ClickView platform also lets teachers transform videos into interactive quizzes with formative assessment tools to show evidence of learning and engagement. ClickView receives PII to enable it to provide the platform to students, teachers and school or district administrators.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Administrative safeguards include the documentation of policies and processes, the allocation of roles and responsibilities, training, risk management, human resources security, asset management, access management, system hardening measures and data logging. Physical safeguards include physical security systems, entry controls, equipment maintenance, equipment security, controls against physical damage and environmental controls. Technical safeguards include encryption, firewalls, antivirus, intrusion detection system and intrusion prevention system, authentication, data retention and database separation.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Code.org

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Code.org® is a 501(c)(3) nonprofit that provides an online curriculum for teaching computer science and an online learning platform to support that curriculum. Access to its CS education platform and curriculum for free. For more information please visit https://code.org. The PII processed by Code.org is necessary in order to provide the service and retain student progress (e.g., teachers may enter a student name in the teacher’s section so the teacher can identify the student’s progress vs. that of other students).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

“The Services are intended for use both within schools (i.e., as part of classroom sections established by teachers in the K-12 setting) and outside of school (i.e., for use at home and not for K-12 school purposes). Upon the NYC DOE’s request, following a process outlined between the DOE and Code.org, Code.org will ensure the deletion of all Code.org student accounts enrolled in a DOE’s teacher’s section In the absence of a deletion request by the teacher, the DOE, or student (as the case may be), the Code.org Personal Data Retention and Deletion Policy provides for automatic deletion or de-identification of Code.org student accounts after five (5) years of inactivity.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Platform hosting: Amazon Web Services (AWS); Other service providers used for internal operations: AnswerDash; Atlassian; Dropbox; Google (G-Suite); Honeybadger; Slack; Tableau; Trevor; Twillio; and Zendesk.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Code.org employs a mix of physical, administrative, operational, and technical safeguards designed to reasonably protect the confidentiality, availability, integrity, and security of Student PII and Protected Information. These safeguards include, for example:

• Data Minimization. Code.org follows strict data minimization standards in order to collect and process as little Personally Identifiable Information as necessary to provide the underlying services and measure.
• Encryption of data in transit. Code.org employs industry standard encryption technology to protect information and data transmitted over the internet or other public networks.
• Encryption of data at rest. Code.org employs industry standard encryption technology to protect personal information in storage (at rest) and other non-PII in storage when commercially feasible.
• Data storage and server hosting. Code.org utilizes a leading cloud services provider - Amazon Web Services (AWS) data centers located in the United States – to host the Code.org services and relies on AWS for server and datacenter security, including restrictions on physical access to the datacenter.
• Data access control. Code.org uses role-based security architecture and requires users of the system to be identified and authenticated prior to the use of any system resources or user data. Internal asset owners are responsible for granting access based on the users’ role, and access is reviewed periodically.
• Employee Background Checks and Non-Disclosure Agreements. All Code.org employees must sign a non-disclosure agreement and pass a background check.
• Employee Privacy and Security Training. All Code.org employees are required to complete privacy and information security awareness training upon hire and periodically thereafter. Such training covers applicable federal and state privacy laws, security risks and practices, and other related information.
• Vulnerability and Patch Management. Code.org uses a variety of tools, practices and procedures to monitor and protect our data and systems. Code.org maintains a vulnerability disclosure program that fields reports from security researchers, and reports are promptly triaged, prioritized and addressed according to their severity.
• Periodic Risk Assessments. Code.org conducts periodic risk assessments and remediates identified security vulnerabilities in a timely manner.
• Data Backup and Disaster Recovery. Code.org regularly backs-up production data so that it can be restored if necessary, and maintains a disaster recovery policy and process.
• Information Security Incident Response. Code.org maintains an incident management plan for data security and privacy incidents that may affect the confidentiality, integrity, reliability, or availability of systems or data.
• Passwords and Two-Factor Authentication. Code.org secures usernames, passwords, and other access means using industry standard methods, and most internal systems utilize two-factor authentication as an additional access control.
• Risk Management. Code.org employs a cross-functional risk management process to identify and manage strategic, operational, and compliance risks. A variety of methods are used to assess and manage risk, including policies, procedures, and use of industry standard tools to monitor and protect data and systems.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

CodeCombat

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CodeCombat provides a web-based computer science curriculum platform for NYC DOE schools. A minimal amount of student PII is collected in order to provide authentication, rostering, and classroom management features to students and teachers. For example, when not using an SSO provider, students are asked for usernames and passwords to provide authentication, and optionally an email address for password resets. Similarly, student first name and last initials are requested so that teachers can associate student progress to students on the web dashboard. Student PII is never used for marketing or commercial purposes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CodeCombat Inc. agrees to abide by and maintain adequate data security measures consistent with industry standards and technology best practices, to protect PII from unauthorized disclosure or acquisition by an unauthorized person. Contractor shall secure usernames, passwords, and any other means of gaining access to PII, at a level suggested by the applicable standards, as set forth in Article 4.3 of NIST 800-63-3. Contractor shall only provide access to PII to employee or contractors that are performing Services. Employees with access to PII shall have signed confidentiality agreements regarding said PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

CodeHS

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CodeHS is a web-based platform that provides coding curriculum, teacher tools and resources, and teacher professional development. Student data is accessed in order for teachers to determine student accounts using our platform. Students complete assignments relating to their computer science courses.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We use several techniques to ensure that PII is protected at all times. First, we use industry standard encryption for all data at rest and in transit using AES-256, TLS 1.2, and HTTPS. All data is stored securely in AWS - employees are only able to access data within AWS if they have the necessary permissions and authorization. To minimize access, we use the Principle of Least Privilege. Additionally, data access within the app is separated from data of other clients using logical controls and user-based permissions. To mitigate further security risks, we require MFA when available, strong passwords, and hold regular security training and reviews for all employees. We also have a data deletion plan that will dispose of all PII at its "End of Life" according to our Date Deletion Plan.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

CodeMonkey Studios

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Student PII is used in order for the student to login to its individual account and for the system to identify and monitor the student's progress.

Type of PII that the Entity will receive/access: Student PII. “We do not require the name of the student, each student will use an alias and/or the system will assign the student a unique identifier. In addition, students who are signing in through a single sign on, i.e. Clever, CodeMonkey will receive the email of the student.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII information is accessible only to a handful of individuals within the company. Those individuals receive a bi-yearly review by our Security and Privacy officers and update on privacy and security related issues. There are also mechanisms in the system that do not allow un-authorized personnel to enter PII, which is reviewed and updated periodically.

From a technical level, we comply with all data and privacy related matters, whether we are COPPA compliant, the data is encrypted in both motion and rest, we have systems in place to monitor threats and mechanisms to deal with it, a firewall being one of them. Additionally, we constantly improve our system best to industry standards, we have processes in place to deal with attacks/threats/downtime etc.

From the human side of things, we have a security officer and a privacy officer that each conduct a bi-yearly training to all employees, regardless if they have access to PII or not. Furthermore, as mentioned only a handful of people have access to PII. All these policies are in place and constantly being updated.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

College Board (PSAT and SAT Tests) 

The exclusive purposes for which PISI will be used: College Board uses the PISI to provide the PSAT-related and SAT assessments to NYC students. Data is used exclusively in the registration, delivery of score reports to schools and students, and test security processes associated with each of the assessments.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: All College Board vendors are required to complete our Data Security questionnaire to identify the security controls that they have in place. After a risk assessment of each vendor is completed, any remediations are provided to the organizations. Furthermore, each vendor that stores PISI on behalf of the College Board is required to agree to the College Board Data Security Requirements and, in most cases as applicable, provide evidence of their compliance via a SOC 2 report.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to PISI upon expiration of the agreement: At the end of the agreement, PISI collected from the students, or data that is connected to the student accounts, is retained by the College Board on behalf of the students, for legitimate educational purposes including but not limited in order for students to continue to access their assessment scores and related data from assessments. This allows students to send scores to colleges and other programs, as well as use the information to support students direct contact with the College Board. The data continues to be protected via the College Board information security management system.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient.

Whether the PISI will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI collected through this agreement is stored within the United States. The College Board does make use of cloud service providers, but restricts this data to US-based regions. The College Board maintains a comprehensive, layered security program that is based upon the ISO 27001 framework. Where ever possible, it also uses the NIST Cyber Security Framework and the CIS benchmarks as guideposts for standards. The security program, which is evaluated annually by third party audits, consists of physical, network, system, data, and application security-related components. The College Board maintains ISO 27001 and SOC 2 certifications, as well as PCI DSS compliance. It has a comprehensive set of policy controls, awareness training for all users who interact with PISI, and third-party risk management programs. In addition to its annual compliance audits, it engages multiple third parties to conduct assessments and penetration tests to continually evolve.

How the data will be encrypted (described in such a manner as to protect data security): All PISI data is encrypted at rest and in transit using industry standard or better practices. In transit, the College Board uses TLS 1.2 as its standard, and at rest data, it uses multiple industry standard formats such as AES-256 or better. In cases where data cannot reasonably be encrypted, a wavier and evaluation process exists, and additional mitigating controls are put in place to ensure the security of the data.

College Board (AP Exams)

CommonLit

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

• Software as a service: online digital reading and writing lessons
• Professional development for teachers
• Access to assessment series
• Canvas integration (rostering, grade passback, CommonLit lessons available to students on Canvas)
• Rostering support options with Clever rostering, ClassLink rostering and Google Classroom

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CommonLit encrypts data at rest and in motion; administrative operational, and technical best practices are followed; staff receive training on data security and privacy and best practices. Access to facilities is limited by physical security measures (locks, etc.) and virtual assets are tightly controlled by a limited policy that’s limited to engineering and user support teams, with user support receiving less access than engineers. Credentials are regularly rotated, including upon termination or departure of any member with access.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

The Community Initiatives of NY

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 1/2023 – 6/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. Our organization (TCIONY) focuses on teaching Social Emotional Learning inside the classroom by preparing and developing the self-awareness, self-control and interpersonal skills that are vital for school, work and life in the student’s. Some of the topics the students will explore are: decision making, conflict resolution, positive self-image, peer-mediation, mentoring, mental health, communication skills, leadership skills, entrepreneurial workshops, behavioral management, social awareness, relationship skills, self-care, job readiness and much more. We do this by facilitating small student workshops in the classroom - usually 12-15 students as well as 1:1 mentoring. In addition to our social emotional curriculum, our organization also has a Community Engagement Team who are a group of credible messengers, therapists, social workers, retired Law Enforcement and educators working to bridge the gap between law enforcement, school safety and the youth. This team focuses on the youth who are at higher risks of failing academically, falling behind due to attendance, or are at a higher risk of behavioral or social issues on school campuses. The team aims to help change the students behaviors through mentoring, evidence based workshops and supporting them in their decision making. We also work closely with NYPD Options in facilitating Emotional Intelligence through Virtual Reality. We have facilitators that are retired NYPD officers as well as on our board. We are deliberately seeking to bridge the gap between law enforcement and the community, especially the youth.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Google Sheets.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The safeguards that TCIONY uses to ensure all PII data will be protected are as followed: 1.) We encrypt any sensitive/PII information that must be transmitted 2.) Failed logons to our internal server will lock accounts after 2 failed attempts. 3.) Any personal computer used to access information will require anti-virus software and patch levels on their machines. 4.) Authentication will be required for all user machines at startup 5.) Account termination with 2 hours of employee being terminated, staff change, suspension or change of job function. 6.) Guest access will not be allowed under any circumstance!

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Community Software Solutions, Inc

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CSS provides software to NYC DOE internship program. NYC DOE utilizes the software to manage the internship program. The PII that is processed by CSS and the DOE internship application is necessary for hours entry, payment processing, distribution, tax payments and reporting.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Microsoft Azure Cloud.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Our management team works with out information technology and risk compliance team to implement administrative, technical and/or physical safeguards to ensure PII will be protected. These administrative, technical and/or physical safeguards include:

• Implementation of policies and procedures that govern human resources, information technology, information security, incident management, and data management practices performed within the company.
• Implementation of people, processes, and technology that support the implementation and operation of established policies, procedures, and practices established by management to protect customer data and PII.
• Execution of contractual obligations with third-party vendors and sub-contractors to communicate their commitments for security, confidentiality, and privacy and bind them to these commitments.
• Performance of periodic risk assessment and internal audit activities to evaluate the state of business operations and their alignment with the policies, procedures, and the protection of customer data and PII.
• Performance of period risk assessment and internal audit activities to evaluate third-party contractor services and practices for security, confidentiality, and privacy.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Community Studies

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CSI provides school support to 34 DOE schools, including curriculum and resource creation, professional development, and classroom coaching for school staff. PII of individual students is received in the course of communication and discussion with teachers and school leaders about school and instructional improvement efforts.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All CSI employees and contractors receive training on ensuring the confidentiality of student PII that they may receive during their work. All email communication and documents shared between employees and DOE staff are managed via cloud services platforms, which use TLS encryption. Files uploaded or created in Google Docs are encrypted in transit and at rest with AES256 bit encryption.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

COMPanion Corporation

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Alexandria Library automation will be implemented at a number of schools within the DOE to manage and maintain library and curricular resources for teachers and students. COMPanion Corporation does not collect any PII for company purposes, other than patron first and last names. Patron first and last names are required to enter a patron into Alexandria Library automation to create a patron record. This information is used to identify a student or teacher for circulation purposes only. The system can assign a patron number that is not related to any patron personal information, so student PII such as school ID number or social security are not required. Our customers determine what they require for the management of their individual libraries. The DOE has the flexibility to share whatever PII information they choose with Alexandria, but as noted above, only the first and last name are required.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using an Entity-owned and/or internally hosted-solution.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. COMPanion does not sell customer data or make available to 3rd party companies for commercial purposes. Any data shared with sub-contractors will be authorized by the customer. Our hosting services run on secured private networks running all current security protocols. All outside connections are secured connections protocols (HTTPS) and no outside access to internal Data is permitted. Every customer database is stored separately from all other customer databases for added security.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Comprehensive Youth Development

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CYD functions as an embedded service provider within the contracted school to provide individual college and career advisement services to students information is utilized to manage who is served and units of services provided to each student. It is necessary to accurately identify the student to record and report back to the school administration the specifics of the services provided and the student’s progress within the scope of the contract. Beyond providing real-time data to the school, and providing data to the National Student Clearinghouse on behalf of the contract school, no PII is necessary or employed for outward facing reporting. Such reporting is restricted to PII-blind, cumulative data.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Symantec. Symantec Endpoint Protection is employed on DOE workstations used by CYD staff.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All staff will be using multi-tiered authorization to access cloud based service logs. All public facing reporting is summary data and does not include PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Counseling in Schools

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. Counseling In Schools provides services to students, students’ family members and school staff that support emotional well-being and social skill development. Before any student can receive the services of one of our programs, we must receive contact information for students’ parents/ guardians so that we may inform them of our services and request their consent for the student to participate in our services. As part of the request for consent, we explain to parents/ guardians that indicators of our impact will include attendance, academic and behavioral data collected by the Department of Education. If consent is received, in order to track progress against the above identified indicators, we request the students provide us with their Student ID, otherwise known as their OSIS number (Office of Student Information System).

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Citrix: Sharefile and YouthinMind: SDQ SCoring” and “Using an Entity-owned and/or internally hosted-solution,” and “Other: Physical records are stored in locked cabinets in the schools we serve.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Counseling In Schools only uses software that holds PII that is FERPA compliant. All staff are informed of our data security policies and trained in how to keep information secure. In addition, we have engaged a data security consultant that reviews our data security systems and provides on-going security training of staff and monitoring. Any potential breaches or unauthorized attempts to access data we store are quickly reported and responded to by this consultant.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Creative Connections

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Creative Connections provides critical wrap around Community School services and student supports intended to serve the whole child. Services focus on the four pillars: Collaborative Leadership & Practice, Family & Community Engagement, Expanded Learning Time, and Wellness & Integrated Support through the following programs:

• COLLEGE CONNECTIONS 1 (CC1): CC1 is a beginner’s exploration of the college process. CC1 helps students identify the initial steps in planning for their educational future.
• COLLEGE CONNECTIONS 2 (CC2): CC2 is a detailed exploration of the college application process. It is designed to help 11th and 12th grade students apply to colleges and secure loans and scholarships.
• CAREER CONNECTIONS (CC): CC guides students through activities and experiences that help them explore what their strengths and passions are, and how they connect to an exciting career choice.
• ELEMENTARY & MIDDLE FUTURE CONNECTIONS (EFC / MFC): EFC & MFC engage students through interactive activities that are designed to give them a practical insight into careers while learning how to create a vision for their future.
• BOYS & GIRLS CONNECTIONS (BC / GC): BG & GC empower students through social and emotional learning to develop skill sets such as conflict management, self reflection, and relationship building.
• FINANCIAL CONNECTIONS (FC): FC is a middle and high school program that addresses the fundamentals of basic personal financial planning and money management.
• TEEN ENTREPRENEUR CONNECTIONS (TEC): TEC introduces students to the exciting world of the entrepreneur, by having students create and run their own small business.
• FINANCIAL CONNECTIONS (FC): FC is a middle and high school program that addresses the fundamentals of basic personal financial planning and money management.
• ART CONNECTIONS (AC): AC introduces students to the exciting world of art, and connects them to possible future careers.
• PROFESSIONAL DEVELOPMENT WORKSHOPS: Goal oriented, interactive workshops centered around goal setting, team building, managing change, developing leaders, and more.
• PARENT WORKSHOPS: Parents will learn about financial aid, the college process, and more.

It is necessary for the Entity to receive or access PII, such as the student's name, personal identifiers, the student number, the student's date of birth, etc., to conduct the services in order to effectively communicate with all relevant stakeholders (in the mode most conducive to them), track/document/update improvement metrics, and drive tangible outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Google and/or Microsoft cloud.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Creative Connections and any subcontractors and/ or affiliates will (at all times during the Term) use encryption to protect personally identifiable information in its custody while at motion or at rest and implement appropriate safeguards to protect the Personal Information that are no less rigorous than accepted industry practices (such as ISO 27002, ITIL or COBIT or other industry standards of information security), and will ensure that all such safeguards, including how Personal Information is processed, comply with applicable data protection and privacy law and comply with the terms of the contract.
• Creative Connections shall implement and maintain a written information security program, including appropriate policies and procedures that are reviewed for new risk assessments at least annually. Such obligation shall continue throughout the contract term.
• At a minimum, Creative Connections’ information safeguards shall include: (a) secure business facilities, data centers, paper files, servers, back-up systems and computing equipment including, but not limited to, all mobile devices and other equipment with information storage capability; (b) network, device application, database and platform security; (c) secure transmission, storage and disposal; (d) authentication and access controls within media, applications, operating systems and equipment; (e) encryption of Personal Information; (f) encryption of Personal Information when transmitted over public or wireless networks; (g) access controls, including logging of all access and exfiltration, and retention of such access control logs for a period of no less than one (1) year; (h) conducting external and internal penetration testing and vulnerability scans and promptly implementing a corrective action plan to correct the issues that are reported as a result of the testing; and (i) limiting access of Personal Information, and providing privacy and information security training to staff.

Creative Connections and its employees will adopt the following measures:

• Employees will not at any time during or after affiliation Creative Connections (CC) disclose CC Confidential Information to which they have or had access in any form (i.e., electronic media, paper, verbal etc.) to any unauthorized individuals.
• Employees will not access any record(s) they are not authorized to, including but not limited to the student or family records of any program member or co-worker.
• Employees will utilize and access only the minimum amount of information necessary for performance of their duties.
• Employees will not access or request data on students for whom they have no professional relationship and/or legitimate CC related purpose. If a given employee has reason to believe that the confidentiality of his/ her user log-in has been compromised, he/ she will immediately ensure that the password is changed.
• Employees will respect the confidentiality of any reports and handle, store and dispose of these reports when necessary.
• Employees will not install or operate any non-licensed software on any CC computer.
• Employees understand it is against CC policy to electronically communicate student information to others outside of the CC/ school network.
• Employees are responsible for all e-mail messages generated from their e-mail accounts.
• Employees understand that the use of e-mail is for business purposes, however limited personal use is acceptable.
• Employees understand that the e-mail administrator may monitor CC e-mail if non-compliance with the electronic messaging policies is suspected.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Creative Response to Conflict

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 5/1/2023 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Creative Responses to Conflict (CRC) will provide services through the community schools program. CRC will provide workshops in conflict resolution, restorative practice, problem solving, and mediation and training for students, staff and parents. PII is needed to track attendance and communicate programmatic information.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• All data will be kept in a secure location with limited access to employees with a legitimate need. Physical files will be kept in a locked office/cabinet.
• All documents will be reviewed at the end of the day to ensure that nothing is missing or has been tampered with.
• CRC will keep the least amount of data needed for the functioning of the program.
• All communications will be handled through DOE managed channels.
• All staff will be trained in security best practices to ensure that data is always handled appropriately.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. “No data is being stored electronically by CRC.”

The Crenulated Company

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2023 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Crenulated Company Ltd will provide Community School services to the DOE School Community at Claremont International High School. Services will include mental health advisement, community events, legal support, etc. The Crenulated Company Ltd. needs to access PII so that we can communicate and provide services to our students and their families and accurately track our work and report on student outcomes.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce as a cloud service provider.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Crenulated Co. Ltd. will use industry standard data encryption technology to ensure PII will be protected. We will use all reasonable, appropriate, practical and effective security measures to protect important processes and assets in order to achieve its security objectives of confidentiality, integrity, and availability of information. In order to ensure PII will be protected, New Settlement shall limit information system access to authorized users and encrypt student data in our password protected Salesforce data system. Additional safeguards include but are not limited to:

• Use of a firewall to protect access to our system
• Data Encryption
• Regular security audits
• Regular updates to our operating and security systems
• Use of a mobile device management system

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Curriculum Associates (for i-Ready)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

• i-Ready Assessment: Designed to give a full picture of student performance and growth in Reading and Mathematics by giving deep insights into student needs to connect instructional resources to classroom action.
• i-Ready Personalized Instruction delivers powerful online lessons that motivate students on their path to proficiency and growth. Driven by insights from the i-Ready Diagnostic, i-Ready’s lessons for Grades K–8 provide tailored instruction that meets students where they are in their learning journey and encourages them as they develop new skills.
• Toolbox: A flexible digital collection that gives teachers the tools they need to implement whole class, small group, and individualized instruction that meets the needs of all learners

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Access to production servers is limited to a small, identified group of operations engineers who are trained specifically for those responsibilities.
• The servers are configured to conduct daily updates for any security patches that are released and applicable.
• The servers have anti-virus protection, intrusion detection, configuration control, monitoring/alerting, and automated backups.
• Contractor conducts regular vulnerability testing.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Currier, McCabe and Associates (also called CMA Consulting Services)

 Type of Entity: Commercial Enterprise

Contract / Agreement Term: 8/1/2023 – 7/31/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CMA proposes to implement a custom software solution to modernize and streamline disparate and dated legacy systems utilized by the Office of Pupil Transportation to support its critical mission of safely and effectively transporting 150,000 student riders annually. This new system will improve scheduling, communication, specific requests from parents, necessary passenger accommodations and better provide for the current and emerging needs of the diverse population it serves.

To achieve this objective, CMA will require access to student PII data to ensure the unique identification of individual students. Specifically, this information is needed in order to properly identify students – as simple as use of first and last names are often not enough. Where this is the case, access to and use of parent names, address and other factors is necessary. It is key to uniquely identify each student in order to provide the best alternatives and service needed for their safe and proper transportation.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CMA will encrypt PII in transit and at rest. Data will be stored in a physically secured Data Center with environmental controls and backup power. Data will be backed up to secure disaster recovery site in Forest Hills, NY. IT staff’s access will be role based and the least privilege needed to perform their tasks will be assigned to them. IT staff receive training on security and privacy awareness. HR conducts background checks of IT staff prior to employment. The application environment is monitored to ensure the system is available as required, access to the data is controlled and restricted by user need to know. Networks are secured and monitored for inappropriate activity.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Cypress Hills Local Development Corporation (CHLDC)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2021 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. The project that CHLDC conducts is identifying high school students from disadvantaged backgrounds with potential for education at the postsecondary level and encourage them to complete secondary school and undertake postsecondary education. This project is funded by the federal Department of Education via a five-year grant. CHLDC does not conduct any evaluation or research that is not required by any government funder. Instead, the exclusive purpose for receiving or accessing PII is in order to prepare aggregated and de-identified performance reports required by funders in order to share results on desired short-term outcomes of the program. On an annual basis to comply with stipulations of the grant, we report on the number of students served through an aggregated report of participant demographics (eg, age and race / ethnicity), secondary school persistence (eg, grade promotion from one school year to the next), secondary school graduation (eg, discharge data), and postsecondary enrollment of the participants. There is no individual PII shared with a funder.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using an Entity-owned and/or internally hosted-solution.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CHLDC has created a “CHLDC Data Privacy and Security Plan” that states the steps taken to maintain appropriate administrative, technical and physical safeguards in accordance with industry best practices and applicable law to protect the security, confidentiality and integrity of Protected Information in our custody. It is a plan to adhere to BOE Information Security Requirements. Our administrative practice is to only request data from NYC DOE that is essential for meeting the reporting requirements of restrictive grants that provide the funding for services to students. The request is made only by the Division Program Director or higher. The information provided by NYC DOE will only be shared with CHLDC’s Director of Evaluation via encrypted email. CHLDC uses the Software as a Service (SaaS) relational database Efforts to Outcomes (ETO) licensed by Social Solutions Global (SSG). As per SSG, the ETO is “built to handle multiple partners, high volumes of programs, advanced security protocols, and multifaceted reporting and analytics initiatives.” One feature is it is compliant with HIPAA, FERPA, HUD, Fedramp and NIST. Each year, CHLDC asks authorized ETO users to sign a “Database Access and Confidentiality Agreement” as a pledge and nondisclosure agreement in their engagement with the data in the database. CHLDC never sells or releases any of our program data for any commercial purposes. None of the required program reports we submit to funders would include any itemized data nor would include any hint of PII. We destroy any files of PII data shared by NYC DOE once we have updated our records.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

D2L

Dare to Revitalize Education thru Arts & Mediation! (DREAM!)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. Restorative Practices training for parents. Upon service delivery DREAM! Requires participants to fill out pre-training and post-training evaluation forms which include the borough they reside in, their ethnicity, sex, and age. This allows us to track whom we are serving and having the most impact with.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Hard copies stored in secured office and secure file cabinet.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. DREAM! has a process in place to help make sure that staff who have access to PII agree to comply with the law and help protect the information by 1) signing an agreement with data privacy and security requirements; and 2) keeping PII in designated physical locked cabinet and office area; not to be shared or copied, sold or released for any marketing, or other commercial purposes, or any purposes at all.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Only physical records will be stored.

David Kestenbaum (also called Color Keys)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Our Learning Management System (LMS) software enables teachers to manage the assignment of educational content to students. Students get instant feedback, leading to formative assessment and providing the ability to correct their mistakes. Teachers are able to view rich analytical data to drive instruction and provide personalized support. Teachers are provided tools in the platform that enable them to individualize the students’ classroom experience and work at their own guided pace. The LMS application is used to manage 2 student-facing products:

• Thumbprint: The Thumbprint product provides modules for language learning, multiple choice, and other task types organized into assignments that are sent to students. Included in the product are thousands of premade tasks and assignments that teachers can leverage. Regarding PII –
  • Name: allows the teacher to know which student they are interacting with.
  • Email: used for password reset, account recovery, and other access related communications
  • Student ID: System ID used for integration between data and our application and school systems
• ColorKeys: Our music software enables students to learn the pedagogy of music playing while having an interactive and personalized experience along the way. Students have their own accounts, saving their materials from week to week. Students watch animated videos, play interactive games, engage in multiple choice quizzes, and practice and play songs. The program allows each student to move along at their own pace. Students come out learning how to play and understanding the fundamentals of music theory. Regarding PII –
  • Name: allows the teacher to know which student they are interacting with.
  • Email: used for password reset, account recovery, and other access related communications
  • Student ID: System ID used for integration between data and our application and school systems

Our Professional Development division provides general PD to teachers in an array of areas. We provide PD to teachers using our proprietary software (thumbprint) and train them as more updates are created. We also provide PD in teaching methodologies and strategies, including but not limited to Blended and Personalized Learning, stressing diversity, equity, and inclusion in all our offerings.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subtractor, i.e. AWS RDS.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The product features an authorization and role-based permissioning system that carefully limits a user’s access to PII. For example, a teacher may see PII for their students, but not students in the same school that they do not have a teaching relationship with. Within our working environment; All PII data is encrypted in motion and at rest, all credentials are encrypted and protected with 2FA where available, antivirus and logging are used to prevent and detect malicious activity and the network is secured by numerous policies and procedures to contain PII to the smallest portion of the network possible. All staff are vetted and trained to avoid accidental or malicious disclosure of PII and company policies and software are designed to prevent such disclosures as well.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

DeltaMath Solutions

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 1/26/2022 – 6/30/2025 

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Access to and use of deltamath.com, an online platform for the teaching and learning of mathematics.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data is housed on AWS servers in Ohio, USA and is protected both physically and via data encryption. Data is encrypted both in transit and at rest. Data is only accessed in the case of a legitimate educational purpose and, if so, from registered IP addresses. All employees with access to data undergo criminal background checks and are trained, both on hire and annually thereafter, in the requirements of federal, state, and local privacy laws.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Discalced (also called Mark Morris Dance Group)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 1/1/2023 – 12/31/2028

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Discalced, Inc., doing business as the Mark Morris Dance Group (MMDG), will conduct program evaluations throughout and at the conclusion of each in-residency and partnership. The purpose is to be able to effectively measure the overall success and impact of the program through student learning, partner expectations, and teaching team effectiveness. Findings will support efforts to improve the programs and the long-term impact of sustained engagement in the arts.

Type of PII that the Entity will receive/access: Student PII, and “we ask the school principal and/or contact to complete an evaluation as part of our triangulated approach to measuring success.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. Vendor also states, “All PII related to program evaluations will be destroyed at the end of each residency once the data is aggregated for reporting purposes. However, the findings will be kept for archival purposes at MMDG.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The following demonstrates administrative, operational and technical safeguards in place at MMDG through the following:

• Contract with HomeField IT (HIT) as its Managed Service Provider
• Microsoft 365 Business Premium Services which includes MS Defender for security
• MMDG utilizes a monitored suspicious email program managed by HIT
• HIT executes a secure daily data backup procedure
• All staff are required to complete monthly Data Security Training through Ninjio
• MMDG utilizes 1Password to maintain the highest level of password management.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Discovery Education. 

District Public

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We provide professional development, data analysis, and tools to help school leaders and educators use data to improve student outcomes, communicate with administrators and families, and save time.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Google Drive.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. District Public takes great care to ensure the security of PII. Data is encrypted while in motion and at rest. Only data that is required to conduct analyses is collected. Data is never disclosed to anyone outside the school community for whose benefit the analysis is conducted, and access to data and analysis is only granted by District Public to school leadership. District public employees and contractors are trained in laws governing data security and privacy, as well as on best practices in cyber security. District Public employees such strategies as two-factor authentication, encryption, web and email filtering, ongoing cyber security and awareness training, and phishing simulations to ensure it maintains a secure environment for working with PII.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Don Johnston 

Type of Entity: Commercial Enterprise

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.

• Snap & Read Universal is a Text Reader to read aloud materials as well as support students in comprehending materials. Required student data collected: Email OR user name and password for login purposes. Other personally identifiable data for student accounts is solely used for educational purposes by the student and the student’s educational institution.
• Co:Writer Universal is a Word Prediction, Speech to Text and Translation tool to support struggling writers. Required student data collected: Email OR user name and password for login purposes. Other personally identifiable data for student accounts is solely used for educational purposes by the student and the student’s educational institution.
• uPAR (Universal Protocol for Accommodations in Reading) is a data tool to help educators match students to reading accommodations. uPar does not require use of personally identifiable student information. Personally identifiable data for student accounts is solely used for educational purposes by the student and the student’s educational institution. The only data collected is that which is valuable for educational purposes.
• Word Bank Universal extracts words, places, people, facts and dates into a meaningful format. Required student data collected: Email OR user name and password for login purposes. Other personally identifiable data for student accounts is solely used for educational purposes by the student and the student’s educational institution.
• Quizbot is a teacher-only tool. Build quizzes automatically from any text with one click. Automatic scoring through Google Forms shows instantly what is being comprehended. No Student Accounts exist (and no data is collected).
• Readtopia is a special education curriculum designed for teachers who work with late elementary, middle, and high school students with autism and other complex needs. It serves as an integrated comprehensive reading curriculum across several domains of study including ELA, Math, Social Studies, Life Skills, and Science. Students do not login and no student data is collected.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII; and Other. Vendor stated “The district has access to student data at all times and is responsible to download data prior to expiration of the Agreement. After that, we will automatically destroy all data in 30 days and 65 days from all backups.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

Administrative Safeguards: We do annual training for all staff and assign access based on roles, limiting the number of people who have access to the data.

Physical and Technological Safeguards:

• All data is kept on AWS (Amazon Web Services) servers.
• AWS has the most stringent physical safeguards that has earned it ISO 27001 compliance, a Department of Defense Impact Level 4 Provisional Authorization, over 400 National Institute of Standards and Technology security controls, and a PCI DSS Level 1 certification among other security standards.
• All data is located in geographically discrete locations within the United States.
• Data at Rest - All data at rest is encrypted with AES-256 encryption algorithm.
• Data in Transit - All data being transmitted is protected with Secure Socket Layer and password hashing.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

DreamBox Learning

The exclusive purposes for which Protected Information will be used: To provide hosted services and adaptive math software to the district.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: DreamBox does not utilize subcontracts in its delivery of software or services; however, DreamBox will ensure that all authorized persons are aware of the confidential nature of the information being share and have been trained on data protect and security best practices.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Personally Identifiable Student Information (PISI) will be removed from the DreamBox system and returned to the district at the district’s request.

[NYC DOE comment: The current agreement became effective starting on October 1, 2019 and terminates when all NYC DOE schools and/or offices cease using DreamBox Learning, Inc.’s products/services. The terms of the agreement remain effective through the period during which DreamBox Learning, Inc. possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.] 

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI will be store in the US. DreamBox is ISO27001 certified and meets industry best practices for data security including encrypted at rest and in transit.

How the data will be encrypted (described in such a manner as to protect data security): At rest and in transit.

The DreamYard Project

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 71/1/2022 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. The work in question has our teaching artists working directly with students to supply arts education during school hours and after school as well. The DreamYard teachers must keep an active roster of students to comply with attendance requirements for all contracts.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using an Entity-owned and/or internally hosted-solution.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. If PII is recorded on paper for roster purposes on the day of class, the information is shredded and securely disposed of. Before the information is shredded, it is recorded digitally to our servers, which only DreamYard administrators have access to via password and 2-step verification. The DreamYard Project does not grant access of these servers to outside vendors for any reason. DreamYard administrators must work on password protected machines and only access this information on DreamYard supplied machines, and these machines are scrubbed of data if employee’s contract is terminated. The former admin’s access is subsequently revoked if they no longer work at DreamYard.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

DroneBlocks

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. “Services” means the DroneBlocks STEM drone curriculum, which includes over 150 cloud-based lessons for teachers to choose from, and a suite of software to enable educators to teach students about computer science using drones. It includes all services offered or provided by DroneBlocks, including access to DroneBlocks Technology, as well as access to Lesson Plans, Training Materials, Webinars, and Training. DroneBlocks Services include ongoing upgrading of the product and related technology, communications with educators in support of their use of the Services, as well as the benefits of related research and development, improvements, and supplements supporting the DroneBlocks offerings, the Website, and/or the App.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Entity selected “Other: Working with School, securely delete and/or destroy PII.” In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Google Firebase.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. DroneBlocks conducts periodic thorough external assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic, paper, or other records containing PII; and performs ongoing system monitoring and testing and ongoing security oversight by designated members of senior management.

All submitted PII is collected and stored by Firebase and Google Cloud Platform in reliance upon Google’s stringent security regimen. HTTPS via TLS is required to connect to all web servers from the public network. DroneBlocks maintains processes for the continued encryption of customer's PII through its secure deletion/destruction when requested in writing by the customer when it is no longer needed for the purpose for which it was collected; as well as procedures that protect PII maintained from improper alteration or destruction, including mechanisms to authenticate records and corroborate that they have not been altered or destroyed in an unauthorized manner.

DroneBlocks performs appropriate pre-hire employee background checks and screening; obtains agreement as to confidentiality, nondisclosure and authorized use of PII; provides training to support awareness and policy compliance; and maintains procedures to determine that the access of employees to PII is appropriate and meets a legitimate need and is terminated when appropriate. DroneBlocks also requires under written contracts that third party partners and subcontractors maintain Data Security and Privacy policies and procedures no less stringent than those above.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Dynamic Forms (also called Mark DeGarmo Dance)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 05/15/2021 – 05/14/2026

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We work in NYC DOE public schools with a research-based and evidence-based educational program to provide dance education instruction required by New York State Education Department, but that the NYC DOE is unable to provide its students and schools. The purposes of having the students’ names is to increase instructional effectiveness, as educational research demonstrates is most effective. The purpose of having their legal guardians’ names & addresses is to complete our consent & release forms.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third parties.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Dynamic Forms, Inc. AKA Mark DeGarmo Dance utilizes the following administrative, technical and/or physical safeguards to ensure PII: Access Controls; Encryption; Data Access Restrictions; Access Rights; Security Awareness and Privacy Training; Third Party Management; Physical Security; Information Security Incident Management; Incident Identification; Incident Severity Classification; Incident Response and Containment; Root Cause Analysis and Lessons Learned; Privacy; System and Information Integrity; Data Management; Collection; Use and Retention; Disclosure; Retention and Disposal; and Compliance with Legal and Regulatory Requirements.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

EarlyBird Education

 Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. EarlyBird works with educators to determine which children are at risk for reading struggles, and provides a comprehensive assessment to determine the child’s areas of strengths and weaknesses, as well as a series of Next Steps resources to support educators as they build strong readers. The child’s PII (ex: name, birthdate, and classroom) enables us to work with the school districts and educators.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. EarlyBird uses AWS firewalls and data protection tools and provides periodic security training to employees with have access to the system and/or data. When data is accessed through a web browser, EarlyBird employs industry standard measures to protect data from unauthorized access including, but not limited to, server authentication, data encryption, firewalls and SSL.

EarlyBird operates a secure platform and complies with FERPA regulations as described in FERPA policy. The underlying infrastructure resides entirely in Amazon Web Services and utilizes Virtual Private Clouds (VPCs) for all environments. All public facing ports are exposed only through load balancing solutions. All communication is encrypted using SSL through the load balancer and is routed to a production quality web server which resides on each server. The traffic is then proxied to the application port which is listening privately on localhost. All data that is stored on the EarlyBird platform is encrypted at rest and in transit, and no production or student data is allowed outside of the production environment. All servers are container based which ensures conformity to EarlyBird’s rigid security standards. Private keys are regularly cycled and are only distributed as needed and to a limited number of employees.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

East Side House

 Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ESH’s Learning to Work program will provide students with academic support services to improve student retention and expose students to career development through work readiness training, paid internships, and job placement. In collaboration with NYC DOE, ESH will provide services ranging from student recruitment and outreach, new student orientation, attendance outreach to referring non-eligible students to other programs.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. In order to protect personally identifiable information and mitigate data privacy and security risks, Processor will:.

• Follow policies and procedures compliance with 1) relevant state, federal, and local data security and privacy requirements, including Education Law 2-d (“Section 2-d”), 2) this Addendum, and 3) the NYC DOE’s data security and privacy policy and the Family Education Rights and Privacy Act (“FERPA”);
• Implement commercially reasonable administrative, technical, operations, and physical safeguards and practices to protect the security of personally identifiable information in accordance with relevant law;
  • All student data is stored on Salesforce cloud SASS Platform. Salesforce is an external vendor with a dedicated security team. All data exists on Salesforce Cloud Tenant. No student data is stored on East Side House on premise servers.
  • Only authorized teachers and approved East Side House internal staff are granted access to Salesforce Portal. Salesforce logins are enforced with multi-factor authentication.
• Follow policies compliant with NYC DOE’s Parents’ Bill of Rights and Parents’ Bill of Rights Supplemental Information.
• Annually train its officers Annually train its officers and employees who have access to personally identifiable information on relevant federal and state laws governing confidentiality of Personally Identifiable Information; and
• In the event any subcontractors are engaged in relation to this Agreement, manage relationships with sub-contractors to contract with sub-contractors to protect the security of personally identifiable information in accordance with relevant law.
• Implement and follow an incident response plan and disaster recovery process that are compliant with relevant state, federal and local data security incident notification requirements.

To protect personally identifiable information that Processor receives, Processor will follow policies that include the following administrative, operational, and technical safeguards:

• Processor will identify reasonably foreseeable internal and external risks relevant to its administrative, technical, operational, and physical safeguards;
• Processor will assess the sufficiency of safeguards in place to address the identified risks;
• Processor will adjust its security program in light of business changes or new circumstances;
• Processor will regularly test and monitor the effectiveness of key controls, systems, and procedures; and
• Processor will protect against the unauthorized access to or use of Personally Identifiable Information.
• Processor’s sites are protected by firewalls with active threat protections including web content filtering / anti-malware scanning.
• Processor has all endpoint and servers protected by Crowdstrike EDR; systems are monitored by Crowdstrike 24/7 for proactive threats.
• Processor on premise server rooms are locked and accessed only by authorized staff. Server rooms are monitored by closed circuit television cameras.
• Processor Facilities are monitored by a 24 hours monitoring station for burglary alarms.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest.  Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

EBSCO Industries (also called EBSCO Information Services)

The exclusive purposes for which Protected Information will be used: EBSCO uses the Personal Information we collect for the limited purposes of processing your transactions, establishing and/or verifying a person’s or account holder’s identity, customer service, improving and customizing our Services and their content, authorization, content processing, content classification, and providing you with information concerning our Services.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: In situations where we share Personal Information with Service Providers, we ensure access is granted to the Service Providers only upon the condition that the Personal Information is kept confidential and is used only for carrying out the services these Service Providers are performing for EBSCO Information Services. As part of making that determination whether we will share Personal Information with Service Providers, we will obtain assurances that they will appropriately protect and maintain the confidentiality of Personal Information consistent with our Privacy Policy and as required by applicable law. For additional information, please see EBSCO's Privacy Policy: https://www.ebsco.com/company/privacy-policy#prod_how-do-we-secure-info

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Contract duration - 4/1/2021 to 3/31/28. EBSCO will only retain information for as long as the account is active, or as needed to provide you Services, comply with our legal obligations, resolve disputes, and enforce our agreements. Upon contract termination, data will be deleted or pseudonymized. If this is not possible (e.g., because the information has been stored in backup archives), then EBSCO will securely store the information and isolate it from any further processing until deletion is possible).

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Contractor. [NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov] 

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data will be stored within EBSCO's data centers located in the greater Boston, MA area. EBSCO maintains an extensive information security policy to protect data which focuses on web application security and includes firewall and router security, data classification and control, vulnerability identification, authentication, etc.

EBSCO also keeps audit trails to maintain records of system activity both by system and application processes and by user activity, which, in conjunction with appropriate tools and procedures, acts as a technical control facilitating the detection of security violations, performance issues, etc.

How the data will be encrypted (described in such a manner as to protect data security): All sensitive data is securely encrypted in the database with restricted access. Data is also encrypted in transit with SS/TLS1.2 2048-bit encryption.

Edgenuity Inc. (for LearnZillion)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 3/1/2021 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We use PII to help us to diagnose technical problems, administer the Site and improve the quality and types of services that we deliver. We may also collect, track and analyze information in aggregate form that does not personally identify users.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We strive to protect the confidentiality, security and integrity of the Personal Information we collect from children and adults. We have put in place physical, electronic and administrative procedures designed to safeguard and to help prevent unauthorized access to and maintain the security of personally identifiable information collected through this Site.

Primary accounts and student accounts are protected by passwords. Please keep these passwords secret to prevent unauthorized access to these accounts. If you think someone has gained unauthorized access to an account, please change your password and contact us immediately.

We take customary and reasonable measures designed to protect the confidentiality, security and integrity of Personal Information collected on our Sites, both during transmission and once we receive it. This includes the use of encryption, firewalls and other security technologies to prevent access to the data from unauthorized parties. All connections between users and our Site are secured via encryption communication technology (SSL/TLS). All passwords are salted and hashed using the practices recommended by NIST (National Institute of Standards and Technology). We use highly rated application hosting providers who agree to perform frequent diagnostics, operating system updates, and network security monitoring. Our engineering team is committed to creating and maintaining systems to protect Personal Information.

Only employees and contractors who reasonably need to access user information in order to perform their job (for example, customer service) are granted access to student information.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Edlio LLC

Please include a brief description of the product(s) or service(s) being provided, and the exclusive purposes for which Protected Information will be used, collected or otherwise processed: K-12 school website services, design, hosting, support; Content Management System (CMS) software; Related optional services, including payment processing and communication services.

How you will ensure that the subcontractors or other authorized persons or entities that you will share Protected Information with will abide by data protection and security requirements required by your agreement with the NYC DOE: Edlio, LLC. agrees to ensure that subcontractors or other authorized person or entities that we will share Protected Information with will abide by data protection and security requirements required by our agreement with the NYC DOE. Edlio, LLC. have updated our internal contracts and technical requirements related to authorizing 3^rd party entities and subcontractors to ensure we are in compliance with this NYC DOE agreement. 

When your agreement with the NYC DOE starts and ends, and (ii) what happens to Protected Information upon expiration of the agreement: This agreement relates to the services for Thomas Warren Field Elementary-P.S. 299k specifically which is a 3 year contract (contract originally signed and received 2/23/2021 and expected to run until June 30 2024). Please note that Edlio, LLC. does business with many other schools with NYC DOE on various contracts. If possible, we would like an ongoing agreement for all NYC DOE, but if that is not possible, we would accept the 3 year term above for Thomas Warren Field Elementary-P.S. 299k only.

Edlio, LLC. agrees to destroy such Protected Information Data, making it unusable and unrecoverable.

If and how a parent, student, eligible student, teacher or principal may obtain copies of, and challenge the accuracy of, the Protected Information in the custody or control of the Contractor: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE to process requests for copies of, and challenges to the accuracy of, Protected Information in the custody or control of the Contractor. Such requests should be directed to studentprivacy@schools.nyc.gov.

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and (ii) the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Edlio, LLC. agrees that all Protected Information will be stored in the US and that security protections are taken to ensure such data will be protected.

Edlio, LLC. agrees to and already limits the use and store of sensitive data. This includes but is not limited to the following internal Edlio, LLC. policy and/or procedure: all sensitive data must be encrypted while at rest and during transit across public networks to protect it from internal and external threats and provides a second line of defense in high threat areas. The requirements for data encryption are based on its classification, sensitivity, location, and media where it is stored.

If sensitive information is transmitted over public computer networks such as the Internet, this transmission must take place with encryption facilities. All portable and remote systems storing sensitive information must also employ hard disk encryption systems. In all but a few rare instances, if information is to be protected, then the user must take specific action to enable encryption facilities. Users must be careful about the inclusion of sensitive information in electronic mail messages that are not protected by encryption. It is the policy of Edlio, LLC. that all sensitive data will be encrypted while at rest and during transit across public networks to protect it from internal and external threats. The requirements for data encryption will be based on the data sensitivity, the location of the data, and the type of storage media wherein the data resides.

How the data will be encrypted (described in such a manner as to protect data security): Edlio, LLC. agrees to and already encrypts confidential information, including DOE data. This includes but is not limited to the following internal Edlio, LLC. policy and/or procedure: data in transit using algorithms and key lengths consistent with the most recent NIST guidelines.

Further, all encryption processes and algorithms must be approved in advance by the Information Security Officer. Proven, standard algorithms such as DES, Blowfish, RSA, RC5, and IDA should be used as the basis for encryption technologies. The use of proprietary encryption algorithms is prohibited for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by the Edlio, LLC. Information Security Officer.

All general-purpose encryption processes running on Edlio, LLC. information systems must include key escrow functions. These special functions allow management to recover encrypted information should there be system errors, human errors, or other problems. Encryption systems must be designed such that no single person has full knowledge of any single encryption key.

Payment information, such as credit card numbers or bank checking account numbers, must be encrypted when computer-resident and also not in active use for authorized business purposes, when transmitted over a public network, and when held in storage on computer disk or tape.

Edlio, LLC. will only implement and accept trusted keys and certificates. The protocol in use must only support secure versions or configurations. Finally, the encryption strength must be appropriate for the encryption methodology in use.

System Configuration Standards (PCI 2.2)

• All systems and devices must be configured in accordance with their respective configuration standards.
• System configuration standards must be based upon industry recognized best practices such as those provided by SysAdmin Audit Network Security (SANS), National Institute of Standards Technology (NIST), Microsoft, or Center for Internet Security (CIS).
• System configuration standards must be reviewed at least annually and updated to reflect current industry best practices and newly-discovered vulnerabilities.
• Edlio, LLC. develops annually reviewed security configuration standards for systems in the Edlio, LLC. CDE that are hardened using industry-accepted standards. These configurations are documented, and used as system baselines. Relevant configuration changes are communicated to impacted teams. Procedures are implemented to monitor for compliance against the security configuration standards. Edlio, LLC. requires all CDE based servers to comply with CIS standards and are confirmed through NESSUS security scans prior to any new device deployment. This approach is used for servers and network devices when applicable to NESSUS scan capabilities.

Edmentum

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 2/1/2017 – 1/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Edmentum provides quality online programs designed to make personalized learning an achievable reality in every classroom. To meet NYCDOE’s needs, we offer Courseware, Exact Path, Study Island, EdOptions Academy, and Calvert Learning, paired with Edmentum’s Professional Services.

• Courseware offers customizable digital curriculum for grades 6–12, including core, AP®, CTE, electives, world languages, and test preparation courses.
• Exact Path personalizes K–12 learning by combining adaptive diagnostic assessments with individualized learning paths in math and ELA.
• Study Island is a customizable K–12 practice and formative assessment solution that improves mastery and retention, and boosts student achievement in math, ELA, science, and social studies.
• EdOptions Academy is a fully accredited virtual academy that allows districts to enhance and expand their program offerings, attract and retain students, and provide flexible, individualized learning experiences.
• Calvert Learning provides engaging, project-based curriculum for K–5 learners in virtual or blended learning environments.

We collect the following PII provided by the Customer, such as the student’s name, name of school, grade level, and e-mail address. Please refer to our Customer Privacy Policy: https://www.edmentum.com/privacy/customer.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review). “Our programs are not Student Information or Accountability Information Systems. Edmentum does not store academic records other than performance scores of online activities. PII is at the user’s discretion. Administrators and teachers can choose to include non PII data for required fields such as Students: First and last name; Email (username); Grade level; Student Local ID (required); Teachers: First and last Name; Email; Teacher Local ID; Role.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. “NYCDOE retains ownership and control of all student data. Your data is available throughout the term of your contract. During this time, it can be downloaded and reports generated in a variety of formats, including CSV, Excel, and PDF. All data is securely wiped from decommissioned systems. Customer data at rest is encrypted, minimizing the risk of exploitation.

Furthermore, our programs are not Student Information or Accountability Information Systems. Edmentum does not store academic records other than performance scores of online activities. Since Edmentum is an online solution provider, there are no limitations to the size or duration of data retention. Customers may retain data within our system with a valid subscription.

Within a reasonable time period after termination or expiration of the contract, or as requested or directed by NYCDOE, Edmentum will return personally identifiable data and will securely destroy personally identifiable information in its possession.

Please see our Standard Service Purchase and Software License Terms at www.edmentum.com/resources/legal/standard-terms and our Customer Privacy Policy at www.edmentum.com/privacy/customer for specific information pertaining to this requirement.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; and using an entity-owned and/or internally-hosted solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Edmentum maintains a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of students’ personally identifiable information against risks—such as unauthorized access or use or unintended or inappropriate disclosure—through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information. We perform quarterly internal and external security scans. In addition, Edmentum periodically performs additional penetration testing and/or other relevant threat assessments and performs subsequent remediation efforts based on the findings of these assessments.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

EDPuzzle

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Edpuzzle instructional software (accessible at https://edpuzzle.com) that allows teachers to take, embed or upload, as applicable, video-content (e.g., videos publicly accessible at third-party video-hosting platforms, a screen recorded video, or an Edpuzzle original video) and turn it into an interactive video lesson by embedding questions and notes for understanding along the way. Teachers then receive great data analytics on student progress from the completed lesson.

Edpuzzle Pro provides unlimited access to Edpuzzle to individual users, or to all users in the school or school district based on the type of license purchased. This includes unlimited storage space, a collaborative channel, and priority customer support.

PII will be used by Edpuzzle to improve the Edpuzzle services and for the following limited purposes:

• to create the necessary accounts to use the service;
• to provide teachers with analytics on student progress;
• to send teachers email updates, if applicable;
• to help teachers connect with other teachers from the same school or district;
• to assess the quality of the service;
• to secure and safeguard personal information of other data subjects; and
• to comply with all applicable laws on the protection of personal information

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services and MongoDB Atlas.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Contractor shall implement and maintain reasonable and appropriate technical and organizational security measures to protect the PII with respect to data storage, privacy, from unauthorized access, alteration, disclosure, loss or destruction. Such measures include, but are not limited to:

• Pseudonymisation and encryption of PII (TLS v1.2 for all data in transit between clients and server and AES256-CBC (256-bit Advanced Encryption Standard in Cipher Block Chaining mode) for encrypting data at rest).
• Password protection.
• Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
• Restore the availability and access to personal data in a timely manner in the event of a technical incident.
• Regularly test, assess and evaluate the effectiveness of technical and organizational measures ensuring the security of the processing.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Educa

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Educa is a private online sharing platform where teachers document and share children’s learning. It supports heart-led documentation, via Learning Stories, that in one motion meets reporting requirements and provides learning visibility – in other words, images and videos – helping families and teachers work together. In order for Educa to carry out these communication-oriented goals, it is absolutely essential that PII be readily accessible for all teachers, students, and parents that exist in the platform.

Type of PII that the Entity will receive/access: Student PII and APRP PII (Identifiable Teacher or Principal Annual Professional Performance Review Data). "Ideally Educa would have access to PII for teachers, students, and their parents. For example, all users in Educa must have a unique email address, which they use to sign into the platform.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, specifically “inside an MS SQL RDS database, hosted on Amazon Web Services in US East.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data will reside inside an MS SQL RDS database, hosted on AWS in US East. All data to and from the database is encrypted in transit and at rest. Backups are also encrypted and hosted in AWS.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Education Analytics

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2022 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. To provide technical assistance and perform data analysis to measure student learning for Annual Professional Performance Reviews (“APPR”) as approved by New York Education Law §3012-d.

Type of PII that the Entity will receive/access: Student PII and student-teacher linkage data.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

Secure Data Transfer and Data Storage Protocols: All confidential data are transferred using EA’s secure file transfer solution. All client data in house is stored on EA’s file and backup servers, with access controlled via Active Directory. Our facility is locked 24 hours a day, 7 days a week, and entry requires authentication using a key fob with unique codes for each user. Within the secured office suite, the server room storing network devices and secure servers is locked 24 hours a day, 7 days a week, and entry requires authorization using a key fob with unique codes for each user.

Authorized Data Access and Data Destruction Policy: EA ensures that access to the data is restricted solely to staff who need such access to carry out the responsibilities of the project based on their role, and that such staff will not release such data to any unauthorized party as agreed by signing of EA’s non-disclosure agreement. Access to all computer applications and data at EA are managed and authorized at every step using the Windows Active Directory user ID and high security password procedures. Key personnel working on client data have federal security clearance and have undergone human subjects training on handling data. EA requires all staff to sign confidentiality agreements prior to providing data access. Also, EA prioritizes the ongoing training of employees and authorized users about laws governing the usage of sensitive data including FERPA and other appropriate state laws. More details on this topic can be found below. EA agrees that data will remain the property of the client. To this effect, EA has a data destruction policy which ensures that the electronic data stored on the EA file and backup servers are destroyed within the contracted time frames.

IT System Security: All internal servers deployed at Education Analytics shall be managed by an operational group that is responsible for system administration. Approved server configuration guides shall be established and maintained by this operational group, based on business needs.

IT Network Security: EA’s computer network storing the data ensures appropriate and secure data access by utilizing firewalls, an intrusion detection and prevention system and up to date anti-virus solutions. EA allows remote access only to authorized users using a remote gateway secured using SSL.

IT Risk Management and Contingency Planning: EA has a disaster recovery plan and a process for handling outages which will be utilized in cases a need arises. EA has redundant and uninterruptible power and internet infrastructure provisions in place. In case of data breaches, EA will notify its cyber security insurance provider about the breach and work with the provider to investigate the breach and inform the related parties.

Compliance with FERPA and Data Security Laws: EA is in strict compliance with data security and privacy laws including but not limited to FERPA, and ensures that its staff are trained on the required laws and kept up to date to gain knowledge about how to store, access and treat data records with a high level of security.

Security Audit process and Data breach policy: EA’s IT systems maintain incident, change management logs and allows for audits of the IT data security compliance. The security audit process will cover the following steps to identify, evaluate and analyze potential threats and fixes for evaluating the security requirements of EA’s IT system. In case of breaches to the student data or teacher or principal data, EA will activate its Incident Response Team. This team will investigate the breach and notify the educational agency owning the data as necessary in accordance with regulations. EA will promptly comply with any inquiries from the client based upon the client’s receipt of a complaint or other information indicating that improper or unauthorized disclosure of personally identifiable information may have occurred.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Education Analytics (for New Schools Venture Fund)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: Starting June 2022.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. EA is working with [New Schools Venture Fund] NSVF on a series of deliverables that serve to help NSVF understand the schools in their portfolio better. Using data from SEL and Culture and Climate surveys, along with MAP assessment data, this information will be utilized for a series of research questions along with a dashboard that displays school level data and subgroup data from the aforementioned surveys.

Type of PII that the Entity will receive/access: Student PII and Other (staff social emotional survey results)

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• A risk management strategy is in place to identify and detect data security incidents
• Data security protocols and procedures are in place to protect data access
• A security incident monitoring system is in place to identify cybersecurity events
• A data incident response plan is in place to ensure prompt and effective responses to any security breach
• A recovery process that ensures restoration of systems or assets affected by a security incident
• Access controls that is only provided to staff with a need to use information for the direct study and research purposes

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Educational Alliance

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 7/1/2022 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Educational Alliance is committed to providing quality community school services to students and their families. As part of our services, we have assigned a Community School Director at each school who oversees the community school program. On occasion, the Community School Director may need to access Protected Information to contact a student and/or their family.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Educational Alliance has implemented various administration, operational, and technical safeguards to protect Protected Information received under our contract. EA staff are prohibited from removing anything from school sites, and are provided regular updates on confidentiality and data security obligations. All paperwork containing Protected Information is securely locked away in a file cabinet, and only the Community School Director will have access to this locked cabinet further ensuring it remains confidential and secure. When the director needs to contact parents, they will utilize DOE systems and follow the guidance provided by the Department of Education for communication. Educational Alliance is committed to maintaining the highest level of security and confidentiality for all data entrusted to us.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. “Because Educational Alliance does not collect electronic data, we will not encrypt PII information.”

Educational Vistas

Type of Entity: Commercial Enterprise

Contract / Agreement Start Date: 9/3/2021

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Providing the ability to auto synch staff and student information, to successfully auto roster students, classes, schools, district, and DOE to provide assessments, such as Degrees of Reading Power and Degrees of Math Power. In addition, we can offer for additional contract of data warehousing and custom dashboards, that can host all third-party assessments and scores including NY State tests. This way miscue reports and analysis, drill down reports, generation of pre-slugged answer sheets, customizable reports, etc. The ability to track staff teacher-principal evaluations and professional development, including the process for developing SLOs, and much more.

Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data).

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third-party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Educational Vistas, Inc. complies with and exceeds all expectations of Section 2-c and 2-d of the Education Law.

Physical Safeguards are in place by utilizing a 24/7 monitored facility that restricts physical access to the servers. The servers are also appliance and firewall protected from outside access, and is housed on multiple redundant load-balanced servers with backed up data that is encrypted. We use SHA-256 bit encryption along with https:// to encrypt the data to and from the end points.

Educational Vistas, Inc. employees are instructed and trained to not store, remove, or share any customer data. We only use the customer’s information in training the customer at the customer’s site. Staff is trained on HIPPA privacy, security rules, GLBA, which talks about safeguard procedures against fraud or identity theft and instruction about computer security, and FISMA (Federal Information and Security). We also comply with FERPA, which includes hiring contractors to minimize security risks. Every employee and contractor is required to sign a confidentiality agreement as part of their employment package.

Our IT security company, WLS, monitors the servers for security related breaches. We require immediate notification of any security breach so we can in turn immediately notify our clients that a breach has occurred and what was breached. We have, to this date, not had any security breach.

The login and security policies within the program restrict access to the data to individuals that need access to the data.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Eduware

The exclusive purposes for which Protected Information will be used: To provide the requested services and to ensure proper functioning of sites. To provide requested customer support and communicate with user.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Eduware, Inc. does not use subcontractors, however in the event that Eduware, Inc. engages subcontractors, assignees, or other authorized agents to perform one or more of its obligations under the AGREEMENT (including any hosting service provider) it will require those to whom it discloses Protected Data to execute legally binding agreements acknowledging the obligation under Section 2-d of the New York State Education Law to comply with the same data security and privacy standards required of Eduware, Inc. under the AGREEMENT and applicable state and federal law.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon expiration of that agreement without a successor agreement in place, Contractor shall assist NYC DOE and any educational agencies that contracts with NYC DOE for the provisions of Contractor’s products or services in exporting any and all student data and/or teacher or principal data previously received by Contractor back to NYC DOE or the educational agency that generated the student data and/or principal data. Contractor shall thereafter securely delete or otherwise destroy any and all student data and/or teacher or principal data remaining in the possession of Contractor or its assignees or subcontractors (including all hard copies, archivist copies, electronic versions or electronic imaging of hard copies of such data) as well as any and all student data and/or teacher or principal data maintained on behalf of Contractor in secure data center facilities. Contractor shall ensure that no copy, summary, or extract of the student data and/or teacher or principal data or any related work papers are retained on any storage medium whatsoever by Contractor, its subcontractors or assignees or the aforementioned secure data center facilities. To the extent that Contractor and/or its subcontractors or assignees may continue to be in possession of any de-identified data (i.e., data that has had all direct and indirect identifiers removed) they agree not to attempt to re-identify de-identified data and not to transfer de-identified data to any party.

[NYC DOE additional information: The current agreement became effective starting on December 1, 2020 and remains effective until November 30, 2027.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Contractor. [NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov.] 

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Student data and/or teacher or principal data transferred to Contractor by NYC DOE or NYC DOE officers, employees, agents, or students will be stored in electronic format on systems maintained by Contractor in a secure data center facility, or a data facility maintained by a board of cooperative educational services, in the United States. In order to protect the privacy and security of student data and/or teacher or principal data stored in that manner, Contractor will take measures aligned with industry best practices and the NIST Cybersecurity Framework Version 1.1. Such measures include, but are not necessarily limited to disk encryption, file encryption, firewalls, and password protection.

More specifically, data is stored in Amazon Web Services (AWS) which are served from data center in Oregon, United States. Servers are secured physically by Amazon, and virtually by installed firewalls and a strict authorization system. Additional security information about AWS system is available online at: https://amazon.com/security/. All data storages are only available through password/key protected instances. User passwords are encrypted in the database, so even Contractor’s high level system administrators can’t view sensitive password information. All of Contractor’s network communication is now encrypted under HTTPS. 

How the data will be encrypted (described in such a manner as to protect data security): Eduware, Inc. (or, if applicable, its subcontractors) will protect Protected Data in its custody from unauthorized disclosure while in motion or at rest, using a technology or methodology specified by the secretary of the U.S. Department of HHS in guidance issued under Section 13402(H)(2) of P.L. 111-5.

El Puente de Williamsburg

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 71/1/2021 – 6/30/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. El Puente is working in partnership with the Department of Education in their Crisis Intervention initiative at EBC High School Bushwick. El Puente provides students with various engagement activities in the areas of leadership development, academic enhancement and community building with the goal of helping them build capacity to resolve conflicts and interact with their peers in positive manners. The way El Puente ensures the DOE we have provided services is by having youth sign into the activities. The signing sheets collected are provided to the DOE in order for El Puente to receive payment. Sign in sheets are uploaded to Google Drive to be submitted to the Department of Education as it is required for payment.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Google Drive.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Youth who participate in the El Puente programs through the Crisis Intervention Initiative are asked to sign in providing First Name and Last Name. This information is strictly safeguarded and protected and it is only utilized to invoice the DOE for services provided. All sign in sheets are secured under a locked key. The Program Director and its supervisor has access to the files and safeguards the key. Sign in sheets are scanned and kept in the Google Drive of the administrator overseeing the program and the Director of Administration who utilizes the sign in sheets for billing purposes.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Elite Learners

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 11/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. Elite’s Violence Prevention Specialists and Teaching Artists will work with youth groups to facilitate age-appropriate restorative practices including peer mediation, one-on-one mentorship and conflict mediation training activities designed to help address negative behaviors such as bullying, disruptiveness, and peer conflicts that impact youth self-esteem, academic achievement, peer, and familial relationships. PII will be used to record students’ participation/attendance in the program.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. OneDrive will be used if needed.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Elite Learners has guidelines to ensure that all individuals working under/with Elite and on Elite Learners’ projects/programs understand their responsibility in reducing the risk of compromise and take appropriate security measures to protect client data.
• Nondisclosure/confidentiality agreements are included in Elite Learner’s Employee Handbook and are signed upon new hire.
• Industry standard security measures including authentication and encryption protocols are used to preserve and protect Protected Information. Protected Information is encrypted at rest and in transit.
• Protected data is maintained in a secure data center managed solely by Elite Learner's employees.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Enome (for Goalbook)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/1/2022 – 6/30/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Goalbook Toolkit is used by teachers to access our research-based instructional resources and personalize instruction more effectively. The necessary PII that Goalbook requires are: educator name, email, title, and school/district name, which are used to provision user logins to the Goalbook platform.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Your privacy and security are paramount and we are not in the business of selling your data. We comply with all federal, state and local laws governing confidentiality of your data and regularly review them for new or updated guidance and regulations. To clarify, Goalbook does not provide any student access, so COPPA does not apply. Goalbook’s infrastructure is hosted on a commercial provider, Amazon Web Services (AWS) which is fully SOC2 compliant. Goalbook itself is currently contracted and engaged with auditors to evaluate our SOC2 compliance. All of Goalbook’s AWS services and data are located within the US. Goalbook's security features also include the use of industry-standard encryption algorithms for server access, data storage, and data transit such as 256-bit Advanced Encryption Standard, TLS 1.2, SSL, RSA, and ED25519; strong network security; employee role-based access controls using the principle of least-privilege; regular data backups; employee security awareness training; export and deletion of customer data on request; and automated monitoring of any 3rd party library security issues and regular updates.

We will maintain an active line of communication with NYC DOE to ensure that we understand and comply with their evolving security and privacy requirements as well. We regularly audit, monitor, and log access to our systems, data, and applications to prevent and identify any data security or privacy incidents. In the event of any data breach, NYC DOE would be promptly notified and follow-up would include analysis and actions to prevent any future incidents.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Eskolta School Research and Design

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Eskolta School Research and Design Inc Services include:

• Research and Evaluation projects that use a mix methods approach
• Sharing Learnings through workshops, conferences and school intervisitations
• Eskolta fellows program to build leadership capacity in teachers
• Resource Development Tool Kits for Educators
• Coaching and Capacity Building for School Leaders
• Facilitated inquiry projects with individual school teams

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. In any case where Eskolta received PII, all personal information (e.g. interview transcripts, names, contact info) is deidentified, stored on password protected devices of the research team, using a lookup code where appropriate, with the code key stored separately.

For many projects de-identified, linkable data will be sufficient for Eskolta and our NYCDOE partners to engage in data-centered professional learning and continuous program improvement.

Use an internal data base for client services. The data base will be password protected. Due to the organization being hybrid we use electronic communication for signatures and data collection. Staff is required to use agency issued computer device.

All of our files are behind a managed Google Workspace account that has explicitly defined permissions for all files with all users requiring 2FA to log into. This account is also monitored by our managed service provider for any unusual logons and suspicious activity. Local machines all have anti-virus installed on them as well.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Essential Skills Software

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Essential Skills is an online learning platform for K‐6 and older remedial students. Basically, it’s educational software. Student names are used to identify students in the system, create student login credentials and to maintain a record of student progress in the Essential Skills platform.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Regular employee training is conducted on data privacy and security best practices including the proper handling of PII, password protection, and phishing scams. Access controls are implemented that limit access to PII to Essential Skills employees who need to perform their job duties. Two factor authentication has been implemented to verify the identity of users accessing sensitive systems and data. PII data is stored on a private cloud server. Any backups are encrypted and stored online. PII is not stored on any physical media. PII data is erased as subscription are cancelled.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Everbridge, Inc.

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Everbridge grants access to our propriety communications SaaS solutions for emergency mass notification messaging, via email, phone, text, or mobile app. End users of the solutions provide their Client Data, which contains the names and contact information (email, phone) of the recipients of the messaging.

NYCPS comment: NYCPS is the “end user” and families’ contact information is the “client data.”]

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Everbridge has implemented and shall maintain an information security program designed to protect against unauthorized or unlawful Processing of Personal Data or its accidental loss, destruction, or damage, including the measures described below.

• Physical Security Controls – policies, procedures, and physical and technical controls designed to limit physical access to information systems and facilities in which they are housed to properly authorized persons, including:
  • A badge-based access control system to control physical access and movement into and throughout Everbridge’s facilities; and
  • Processes and procedures to promptly remove facility access rights from terminated personnel.
• Access Controls – policies, procedures, and technical controls to ensure that all members of Everbridge’s workforce who require access to Personal Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access, including:
  • Role-based access policies that restrict user access to systems and resources based on job responsibilities;
  • Processes to grant and revoke access rights based on business need, and to regularly review user access rights to ensure ongoing alignment with business needs;
  • Strong authentication procedures for production environments that require a username, password, and multifactor authentication; and
  • The use of firewall and intrusion detection systems to log access events for review by authorized Everbridge personnel.
• Security and Data Protection Awareness and Training – a security and data protection awareness and training program for members of Everbridge’s workforce (including management), which includes training on how to implement and comply with Everbridge’s security and data protection program, and which all workforce members are required to undergo upon initial hire and annually thereafter.
• Security Incident Procedures – policies and procedures to detect, respond to, and otherwise address security incidents, including:
  • deployment of an intrusion detection system to log access events and to monitor and restrict inbound internet traffic;
  • documented procedures to identify, escalate, and respond to suspected or known security incidents, mitigate harmful effects of security incidents; and
  • documented procedures to analyze the root cause of security incidents and to implement changes to existing controls, where appropriate, to better respond to future threats.
• Contingency Planning – policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Personal Data or systems that contain Personal Data, including:
  • documented business continuity and disaster recovery plans that include procedures to restore data and the functionality of affected systems, including procedures to rebuild systems, update software, install patches, and change configurations, as needed;
  • documented policies and procedures for the backup and recovery of data maintained in cloud-based environments, including periodic backups of production services, files, and databases, and the storage of backups in a separate data center; and
  • periodic testing of Everbridge’s business continuity and disaster recovery plans.
• Device and Media Controls – policies and procedures that govern the receipt and removal of hardware and electronic media that contain Personal Data into and out of a Everbridge facility, and the movement of these items within a Everbridge facility, including policies and procedures to address the final disposition of Personal Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Personal Data from electronic media before the media are made available for re-use.
• Audit controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including:
  • logging of system access activity, including user authentication, failed user login attempts, and access control list changes; and
  • regular reviews of the logs for unusual or suspicious activity.
• Data Integrity – policies and procedures to ensure the confidentiality, integrity, and availability of Personal Data and protect it from disclosure, improper alteration, or destruction.
• Storage Security – technical security measures to guard against unauthorized access to Personal Data in storage, including:
  • encryption of data in motion and at rest in hosted environments use of a key management system to securely manage the lifecycle of encryption keys; and
  • use of full-device hard drive encryption to protection the confidentiality and integrity of information maintained on approved mobile devices.
• Assigned Security Responsibility – designation of a security official responsible for the development, implementation, and maintenance of Everbridge’s security program.
• Testing – Regular testing and monitoring of the effectiveness of Everbridge’s security program, including through SOC 2 Type II audits of Everbridge’s solution performed by an external third-party auditor, and through periodic vulnerability scans and risk assessments designed to identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of the Personal Data, and to ensure that these risks are addressed.
• Adjustments to the Program – Monitoring, evaluation, and adjustment, as appropriate, of Everbridge’s security program considering any relevant changes in technology or industry security standards, the sensitivity of the Personal Data, internal or external threats to Everbridge or the Personal Data, and Everbridge’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

EverFi

The exclusive purposes for which Protected Information will be used: Personally Identifiable Student Information (PISI) will be used for registration and use of EverFi courses.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Everfi requires employees, subcontractors and authorized persons or entities that receive student data or teacher or principal data to sign agreements that include appropriate confidentiality obligations that covers such data.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: EverFi will return or destroy such data in accordance with the terms of this agreement.

[NYC DOE comment: The current agreement became effective starting on March 5, 2020 and terminates when all NYC DOE schools and/or offices cease using EverFi, Inc.’s products/services. The terms of the agreement remain effective through the period during which EverFi, Inc. possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipients.[NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.] 

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI will be sorted in the U.S. (within contiguous 48 states) in accordance with EverFi’s Data Security Policy. Please see EverFi’s “Data Security Policy” for more details.

How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted at rest and in transit (AES-256 encryption algorithm). Database connections are vial SSL protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384.

Everyone Reading

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: September 2023 – June 2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Our training provides prevention and intervention strategies to familiarize educators with multi-sensory language education strategies to be used in general and special education classrooms and in Multi-Tiered Systems of Support, Response to Intervention (RTI) and Academic Intervention Services models of support. We provide virtual workshops and on-site training specifically on assessment and data interpretation, as well as including necessary discussion of those topics in all of our other workshops. The area of assessment includes baseline data such as attendance, school mobility, hearing and vision, home language, standardized test scores, report card grades and comments, individual, group and schoolwide assessments on such instruments as Acadience, KeyPhonics, PAST, early childhood assessments, such as the Early Screening Inventory (ESI-R), work samples and observational data. As appropriate, we also look at sample Individual Educational Programs (IEP’s) and psychosocial evaluations.

Type of PII that the Entity will receive/access: Student PII. “All participants will be asked to de-identify all student data. However, data may include multiple modalities such as writing samples, benchmark assessment data and progress monitoring reports. These multiple modalities together may lead to identifying different students if they are not correctly de-identified. Any student data will be used only during professional development sessions in real-time alongside participants. No data will be stored physically or electronically by Everyone Reading.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third-party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Data will not be stored at any time during the duration of the agreement, and will not need to be deleted or destroyed.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data will be used in real-time with professional development participants. In all sessions any assessments, work samples, records, other forms of data that may contain identifying information will be kept in the possession of participants, with Everyone Reading facilitating data analysis.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Evolution Labs (EL) (for Suite 360)

The exclusive purposes for which Protected Information will be used: For the purposes of administering and assessing learning related to the subject material of the program.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Data is only shared with Evolution Labs employees with a demonstrated need for that information (i.e. developers, DBAs, Client Services etc). Each EL employee receives annual training on protecting user data. Data is never shared outside of EL.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: NDA begins on August 27, 2020 and is sustained indefinitely until/unless either party terminates the agreement. Upon expiration of the agreement, archived data is kept for 12 calendar months upon which time it is destroyed. Accelerated deletion of data can occur upon request.

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.] 

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data is stored in the US and all databases are encrypted and protected with industry standard security.

How the data will be encrypted (described in such a manner as to protect data security): Databases are encrypted at rest. All programs utilize industry standard encryption.

ExpandED Schools

Type of Entity: Research Institution or Evaluator; Community Based Organization or Not-for-Profit

Contract / Agreement Term: 8/31/2022 – 8/30/2027

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. This agreement covers multiple projects, and thus the type of PII collected and for which purposes will vary. PII may include, but is not limited to:

• names of students participating in relevant DOE initiatives, their parents and guardians;
• student OSIS number;
• student’s date of birth;
• school affiliation, district, and grade;
• school-day and afterschool attendance;
• state test scores or other academic achievement information (e.g., report card grades)
• Race, ethnicity, special education status, language spoken at home and English Language Learner status.

If collected, all information will remain confidential solely between relevant parties (DOE, ExpandED Schools, and any subcontractors where applicable, who are subject to the same rules and regulations governing ExpandED Schools’ access to these data). If collected, processing PII will allow ExpandED to identify youth who would benefit most from the supports we are offering, as well as to track whether students improve outcomes as a result of participation in our supports.

Type of PII that the Entity will receive/access: We are not aware of which types of data will be required at this time, but it is likely that we will be collecting student and/or educator PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; (i.e. if data are transferred via a cloud-based tool, ExpandED Schools will use a secure Sharepoint link to transfer and store data, ensuring that only those who require access are granted access); and using an entity-owned and/or internally-hosted solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ExpandED Schools commits to implementing all state, federal, and local data security and privacy contract requirements over the life of the agreement, consistent with NYC DOE’s data security and privacy policy, as well as the requirements of NYC DOE’s Parents’ Bill of Rights for Data Privacy and Security. The following outlines the data security protocols and measures and in place to ensure compliance with all requirements.

ExpandED Schools has numerous administrative, operational and technical safeguards and practices in place to protect any Protected Information that we may potentially receive under the contract. This includes, but is not limited to:

Administratively:

• ExpandED staff and its subcontractors are required to hold Confidential Information in strict confidence. ExpandED staff and subcontractors will only disclose Confidential Information to other staff who need to know the information in order to carry out tasks and only to the extent justifiable by that need.
• ExpandED will only use Confidential Information collected for projects that fall under the agreement for specific project purposes. ExpandED and its subcontractors will not use Confidential Information for its own benefit or for the benefit of another, or for any use other than specified in the agreement. ExpandED will never sell, license or distribute any Confidential Information collected as part of this agreement.

Operationally and technically:

• ExpandED will store all Confidential Information on ExpandED’s server located in the United States. Confidential Information may never be stored on personal technology devices or laptops at any time. ExpandED will not incorporate any Confidential Information into any database or any medium other than required for this agreement.
• If necessary to share information via a cloud-based server, ExpandED will use secure Microsoft SharePoint Drive folders to share information, which offers security in compliance with state, federal, and local standards and ensures only authorized individuals can access data.
• ExpandED will ensure end-to-end encryption when data is in motion and at rest to preserve safety of data at all times.
• If not necessary to share data via a cloud-based server, ExpandED utilizes a Virtual Private Network (VPN) which is secure and password-protected.

All research team members and the President & CEO of ExpandED will be trained and certified through the Collaborative Institutional Training Initiative (CITI) program Research Ethics and Compliance Training which includes federal laws, research in schools, and other topics that ensure the ethical use of data and protected information. Research team members will also receive training on state-specific laws provided by the Director of Research as part of their orientation to work on projects that fall under this agreement. Third-party subcontractors will be required to offer these same training opportunities to their staff members, and this will be included as part of our written agreement.

Any third-party subcontractors will be subject to all rules and regulations governing ExpandED’s access to this data, and ExpandED will hold subcontractors accountable to following all protocols. This will be specified in writing as part of any written agreements between ExpandED and subcontractors as part of this agreement.

Data security breaches or privacy incidents will be managed by the senior executives of the organization who will contact the NYC DOE via phone and email as soon as we learn of any breach. Staff are required to notify senior executives of ExpandED of any suspected data security breach or privacy incidents. The senior executives will act promptly to stop the breach, assess how it occurred, and make changes to ensure the breach will not be repeated, and notify the NYC DOE of its actions, findings and next steps.

All confidential information will be returned or destroyed upon termination of services.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

ExpandED Schools (for tutoring services)

Type of Entity: Research Institution or Evaluator and Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ExpandED Schools (ExpandED) is the lead organization, working in direct partnership with New York City Public Schools (NYCPS), implementing a large-scale tutoring effort, serving 10 NYC school districts, including 71 elementary and middle schools, in school year 2022-23. ExpandED and NYCPS have secured private funding to allow for each participating school principal, working in collaboration with their district superintendent, to develop a tutoring plan, choosing from a menu of tutoring service providers who meet a predetermined set of criteria. Tutoring will either focus on literacy in grades K-2, or math in grades 6-8. ExpandED will: (1) facilitate tutoring program design sprints and support school with program development; (2) coordinate data collection and analysis for continuous improvement; (3) provide ongoing coaching and support for school-based implementation; and (4) communicate regularly with updates for all stakeholders.

To effectively meet the aims of the joint goals of this initiative, ExpandED and its subcontractors will require access to the following Student Personally Identifiable Information (Student PII): (i) names of students participating in this tutoring program, their parents and guardians; (ii) student OSIS number; (iii) student’s date of birth; (iv) school affiliation, district, grade, ELA and/or Math classroom, and homeroom; (v) school-day, afterschool, and tutoring attendance; (vi) literacy and/or math screening assessments in order to target the tutoring intervention to students for whom it is most appropriate; (vii) literacy and/or math achievement data, including marking period grades and/or state test scores, to examine whether tutoring successfully improved student outcomes; (viii) Race, ethnicity, gender, housing status, special education status, language spoken at home and English Language Learner status.

As different schools will decide on different implementation plans for their tutoring programs, ExpandED and its subcontractors may also need to access DOE employee PII, such as: (i) names of teachers and other school staff participating as tutors in the program; (ii) Race, ethnicity, gender, and other demographic information; (iii) employment status, including number of years the individual has been employed as a teacher or other school staff within NYC and elsewhere.

Type of PII that the Entity will receive/access: Student PII and “depending on the type of tutoring program selected by the school, we may require identifiable information for DOE employees leading tutoring activities, such as teachers or other school staff.”

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor. “We plan to use SharePoint; we may introduce additional cloud or infrastructure owned tools as the project progresses; we will update this agreement and related forms prior to making any changes.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ExpandED Schools commits to implementing all state, federal, and local data security and privacy contract requirements over the life of the agreement, consistent with NYC DOE’s data security and privacy policy, as well as the requirements of NYC DOE’s Parents’ Bill of Rights for Data Privacy and Security. The following outlines the data security protocols and measures and in place to ensure compliance with all requirements.

ExpandED Schools has numerous administrative, operational and technical safeguards and practices in place to protect any Protected Information that we may potentially receive under the contract. This includes, but is not limited to:

Administratively:

• ExpandED staff and its subcontractors are required to hold Confidential Information in strict confidence. ExpandED staff and subcontractors will only disclose Confidential Information to other staff who need to know the information in order to carry out tasks and only to the extent justifiable by that need.
• ExpandED will only use Confidential Information collected for projects that fall under the agreement for specific project purposes. ExpandED and its subcontractors will not use Confidential Information for its own benefit or for the benefit of another, or for any use other than specified in the agreement. ExpandED will never sell, license or distribute any Confidential Information collected as part of this agreement.

Operationally and technically:

• ExpandED will store all Confidential Information on ExpandED’s server located in the United States. Confidential Information may never be stored on personal technology devices or laptops at any time. ExpandED will not incorporate any Confidential Information into any database or any medium other than required for this agreement.
• If necessary to share information via a cloud-based server, ExpandED will use secure Microsoft SharePoint Drive folders to share information, which offers security in compliance with state, federal, and local standards and ensures only authorized individuals can access data.
• ExpandED will ensure end-to-end encryption when data is in motion and at rest to preserve safety of data at all times.
• If not necessary to share data via a cloud-based server, ExpandED utilizes a Virtual Private Network (VPN) which is secure and password-protected.

All research team members and the President & CEO of ExpandED will be trained and certified through the Collaborative Institutional Training Initiative (CITI) program Research Ethics and Compliance Training which includes federal laws, research in schools, and other topics that ensure the ethical use of data and protected information. Research team members will also receive training on state-specific laws provided by the Director of Research as part of their orientation to work on projects that fall under this agreement. Third-party subcontractors will be required to offer these same training opportunities to their staff members, and this will be included as part of our written agreement.

Any third-party subcontractors will be subject to all rules and regulations governing ExpandED’s access to this data, and ExpandED will hold subcontractors accountable to following all protocols. This will be specified in writing as part of any written agreements between ExpandED and subcontractors as part of this agreement.

Data security breaches or privacy incidents will be managed by the senior executives of the organization who will contact the NYC DOE via phone and email as soon as we learn of any breach. Staff are required to notify senior executives of ExpandED of any suspected data security breach or privacy incidents. The senior executives will act promptly to stop the breach, assess how it occurred, and make changes to ensure the breach will not be repeated, and notify the NYC DOE of its actions, findings and next steps.

All confidential information will be returned or destroyed upon termination of services.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology." 

Experis US (for SMART Intake)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 04/3/2023 – 3/31/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. This project will build an online tool with the help of the vendor that can be used to conduct the intake process and perform assessments for the Office of Students in Temporary Housing (STH). Automation of process and using data from current DOE system that houses PII data to validate student information will allow support staff to best serve students and families in need. Additionally, canned and ad-hoc reporting functionalities using data from current DOE system that the vendor will help to build will allow DOE staff to make decisions to improve allocation of service resources and supports to better serve our students and families in temporary housing.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud service providers) and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: PII will not be transmitted to Experis and Experis will not host or store any PII from DOE.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Access to PII data shall be limited to authorized persons whose job responsibilities require it. Any incidents in data security storage or handline or un-authorized access to protected client information will be reported to DOE immediately. No data shall be stored locally on staff and contractors’ servers, computers, or personal devices.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Experis US (for the Social Worker Information Management System (“SWIMS”)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 04/3/2023 – 3/31/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Vendor will access certain PII in connection with integrating the Social Worker Information Management System (“SWIMS”) into DOE databases such as NYCDOE Single Sign On Identity Provider (IDP) and Student Information System. SWIMS will house all records for DOE case managers, provide a mechanism to create new cases, edit existing cases and provide an easy system to track social workers’ services across DOE. The SWIMS database will include information such as Student First Name, Student Last Name, and Student ID and the data will be encrypted.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Vendor resources are all vetted in DOE’s Personnel Eligibility Tracking System (PETS) and they will have DOE assigned user name and password. Any access to DOE systems will be monitored as per DOE guidelines. The vendor resources will also sign and follow the Experis Data Privacy document. Vendor resources will not have access to production data. Data in production environment will be encrypted. Access to PII data shall be limited to authorized persons whose job responsibilities require it. Any incidents in data security storage or handling or un-authorized access to protected client information will be reported to DOE immediately. No data shall be stored locally on staff and contractors’ servers, computers, or personal devices.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

ExploreLearning

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 6/1/2023 – 5/31/2030

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ExploreLearning is an education technology company creating seriously fun web‐based learning solutions for the most critical challenges facing K‐12 STEM education. Our programs are state‐ and national‐standards aligned, including Next Generation Science Standards (NGSS) and the Standards for Mathematical Practice (SMP). We help teachers bring engaging instructional strategies to classrooms in every state in the U.S. and more than 80 countries worldwide.

ExploreLearning products include:

• Gizmos is a website offering interactive simulations and case studies for math and science, using structured inquiry and experimentation to help students understand concepts. With more than 450 Gizmos covering STEM topics for grades 3‐12, students can dig deeper into tough‐to‐teach concepts as they form, analyze, and test ideas to find solutions.
• Reflex is a math fact fluency website for students in grades 2–8. Using adaptive learning, Reflex builds student mastery with basic math facts in addition, subtraction, multiplication, and division. Students cycle through assessment, instruction, and academic practice personalized to maximize their progress. With lively characters, game‐based challenges, and incentives for achievement and effort, students engage deeply in their progress.
• Science4Us offers blended learning designed for students in grades K‐2, combining web‐based lessons and academic practice with offline teacher‐led instruction and hands‐on extension. The cross‐curricular approach reinforces literacy and math standards, featuring interactive games, songs, virtual notebooks, experiments, and more. Science4Us includes 28 modules (covering topics in physical, life, and earth/space science) and lessons take as little as ten minutes to complete.
• Frax is an adaptive learning website that uses story‐driven, game‐based lessons to help students in grades 3‐5 learn fractions. Frax utilizes the latest research‐based instructional methods, with fun challenges and motivating rewards to ensure that students build mastery in fractions concepts. Students practice with visual models and number lines to reinforce the essential knowledge that fractions are numbers too!

Customer PII is encrypted at rest and in transit using industry standards such as BitLocker, AES 256, and HTTPS and TLS 1.2 and higher.

The DOE student demographic data collected by ExploreLearning is data entered/provided by DOE educators and administrators. The same data is made available solely to DOE educators and administrators for their own use in reporting. DOE PII data is not used by ExploreLearning for any system testing or system reporting. DOE PII data is not used outside the scope of services of this agreement. Aggregate data may be used for our research and analysis of our customers’ use of and experience with our products and services, for the development, improvement and optimization of our educational products and services for the DOE. DOE PII data will only be used in accordance with performing the contract at DOE’s direction.

Additional educational information is collected as the child progresses through the service, such as amount of time logged in, reading rate, and assessment scores. This information allows the service to adapt to the child and inform the teacher on the child’s progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We maintain administrative, technical and physical safeguards designed to secure student data, as provided by NYC DOE, both during transmission and while in our custody. These safeguards include technical and operational measures, such as firewalls, routers, encryption (at rest and in‐transit), passwords, and vulnerability testing, as well as training, policies and procedures to limit access to NYC DOE provided data to authorized staff, contractors and agents that have a legitimate need to access such data for purposes of enabling us to deliver and support our products and services to the NYC DOE, and that are under appropriate contractual obligations of confidentiality, data protection and security.

No student PII is ever public. Our applications are designed to keep this information private and secure. It is never discoverable by the public.

• The Company has a formal onboarding and off‐boarding procedure where access to database assets are formally granted and revoked respectively; access is only granted to employees who need access to support the online products as we ascribe to the principle of least privilege.
• The Company provides student data privacy training to all employees and contractors who access our network.
• The Company employs a 3rd party company to conduct both COPPA and FERPA compliance audits.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Family Life Time Solutions (for #SameHere)

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 11/1/2021 – 9/1/2022

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The #SameHere Teacher and Student Apps allow teachers and students to share their feelings in a secure app setting. The app acts as an emotional thermometer. It is not diagnostic, and it does not make recommendations. It strictly allows student to tell teachers how they are feeling, and to track those feeling trends over time.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Log systems are in place so as to identify unauthorized access of the databases. Vulnerability assessments are done periodically to identify any threats or risks. OWASP Top 10 is being followed as much as possible. Also WAF are implemented to avoid DDOS attacks.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Finding Focus (through University of California Santa Barbara)

Type of Entity: Public, Not-for-Profit University

Contract / Agreement Term: 8/01/2021 – 6/30/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. Finding Focus is an online course that is intended to help high school students learn how to improve their focus and emotional resilience. Students use their names and email addresses to securely create accounts. These accounts allow each student to receive a personalized learning experience, and it also makes it possible for teachers to track their students’ progress throughout the course. PII is used exclusively to provide this educational service.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Upon expiration of the agreement, protected information will be stored securely for the duration indicated by the NYSED Education Retention Schedule ED-1 and then deleted.”

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We follow best practices in workstation management and secure application development. Our cloud services are provided by industry leaders with excellent reputations for providing and maintaining security. All data is encrypted in transit according to industry standards, and PII is also encrypted at rest. We continuously monitor for potential security vulnerabilities through third-party services, and we apply all patches and updates needed to reduce exposure to identified vulnerabilities. A quarterly risk assessment is also implemented to identify and remediate any emerging security risks. Early warning signs of a data breach are regularly monitored, and an incident response plan is in place to ensure a rapid and effective response in case a breach does occur.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

FMYI, Inc (also called Grouptrail)

The exclusive purposes for which Protected Information will be used: NYC DOE Bridge for All Program.

How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: There is no sharing of the student data by Grouptrail for NYC DOE Bridge for All. If there was, we will have the subcontractor sign an amendment to our agreement that includes these data protection and security requirements required by this non-disclosure agreement with the NYC DOE.

When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon termination of our relationship with the NYC DOE related to this agreement, the protected information is deleted. Decommissioned media utilizes techniques detailed in NIST 800-88.

[NYC DOE comment: The current agreement became effective starting on June 26, 2020 and terminates when all NYC DOE schools and/or offices cease using FMYI, Inc.’s products/services. The terms of the agreement remain effective through the period during which FMYI, Inc. possesses or otherwise is in control of covered protected information.]

If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]

Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information is stored in the US. 

How the data will be encrypted (described in such a manner as to protect data security): SSL for data in transit, network firewall, and encryption at rest.

FOCALPOINTK12

Follett School Solutions (for Destiny Solution)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Follett School Solutions, LLC is providing its Destiny Solution to entities within the DOE. The Destiny Solution includes modules such as Library Manager and Resource Manager, which help schools purchase and track library and other school-related resources and information. PII is collected for related reasons, including to, for example, track which students have checked out which books.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Microsoft Azure.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Destiny has multiple levels of data security Session-level authentication—All data access within Destiny is routed through a layer that checks authentication credentials and permissions on each request. User Interface security—The Destiny interface presents different options based on the permissions associated with the users.

The Destiny application does store within its own internal database student/staff demographic data and information regarding the usage of district/school resources (Checkouts, Holds, Fines, Reviews, etc.…) by students and staff. Access to this data is restricted to district staff based on configured permissions and access levels. Customers can have Destiny installed locally within the district’s technical environment or hosted by Follett. The data for Destiny is managed/stored in a Microsoft SQL Server database. Follett supports encryption of the data under SQL Server in an optional configuration. The database is protected through Microsoft SQL Server security.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Foresight Advisory and Consulting

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 7/15/2023 – 7/14/2024; renewal is optional upon request by Queens Academy High School.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Foresight Advisory and Consulting Inc, (referred to as “Foresight”, “we”, “our” and “us”) is contracted to provide the solution, Virtual Administrator, for data analysis for Queens Academy High School (“School”). The Virtual Administrator (“Analysis”) is an Analysis that provides insight into the School's overall performance, specific Cohort information and tracking, as well as the school's standing in respect to the New York State, Every Student Succeeds Act Accountability Metrics.

The Virtual Administrator is created by incorporating several reports generated by the School's internal systems including ATS and STARS. The reports will be prepared by a NYC DOE employee designated by the School. Virtual Administrator is then run on a desktop device that is located and owned by the School. The Virtual Administrator tool does not access or require the internet or any network. The analysis is provided to the School and is henceforth wholly owned by the school.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The Virtual Administrator tool is deployed on a NYC DOE device without the need to or ability to connect to internet or networks. Only authorized Foresight personnel are provided access to personal information and these employees have agreed to maintain the confidentiality of this information. The resulting analysis is saved on that same device and the tool does not record or store any data. Foresight ensures the safety of all internal processes with various cyber security solutions such as double encryption software, firewall protection, malware identification with machine learning (ML) and behavior protection software to name a few. However, the Virtual Administrator tool is administrated only on DOE desktop device and the data is not stored or transferred anywhere else. The Virtual Administrator is encrypted.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “The Virtual Administrator tool uses VBA and Excel macros, all of which has been scanned to ensure that there is no capacity to retain or record data.”

FranklinCovey Education (for Leader in Me) 

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 1/1/2023 – 12/31/2029

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Leader in Me online is a web-based application that provides resources, professional development, curriculum, and an anonymous survey given to students, staff, and parents to assess the progress of the implementation of our services. Staff are provided logins to the Leaders in Me online to access all these resources. High School students are offered 4 courses either using a LTI integration into your LMS or if needed access to our LMS can be provided to students where we would collect student first name, last name, and email address so they can login and take the courses. We prefer the LTI method so student data stays in your LMS system. This is the only case where we might collect student data. All other data collected is staff data for the Leader in Me online which consists of first name, last name, and email address with phone number being optional.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontracted, i.e. AWS.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data is stored in a Postgresql database using encryption of data at rest and encryption of data in transit. All database traffic is isolated in a private VPN behind a firewall. All web traffic is served over HTTPS, and no user information is available in the public domain. No PII data is transferred and used in any development environments or for any purposes outside of Production servers.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Giant Thinking

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 1/2023 – 6/2023

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII. Giant Thinking will be providing Counseling and Mentoring service. For the purpose of providing services we require the names of participating students.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity not share PII with subcontractors, outside persons, or third party entities.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. “PII (students name) will be stored on a piece of paper that will be given to school staff or shredded immediately after programming.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All employees Giant Thinking will be trained and aware of confidentiality obligations. Paperwork will not leave the building. All paperwork will be given to school staff or shredded immediately after programming.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Global Kids

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 8/1/2023 – 7/31/2028

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Global Kids will be providing services under its community school contract. This includes but is not limited to attendance improvement, parent engagement, academic enrichment and supports, college and career access programming and social/emotional wellness supports. We will need to access data to support core deliverables of the contract, which include attendance and academic interventions, and fulfilling reporting and evaluative requirements.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Microsoft; and using an Entity-owned and/or internally hosted-solution.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Global Kids adheres to data security and privacy protocols ascribed by it contractors and funders. All data we have access to, is primarily accessed through portals made available by funders. In specific instances this data may be transferred and would live on our secure cloud-based network.

Implement all state, federal, and local data security and privacy contract requirements over the life of its contractual agreements, consistent with NYC DOE’s data security and privacy policy and specifies the administrative, operational, and technical safeguards and practices Global Kids has in place to protect the Protected Information that it will receive under contracts it is bound to.

• GK uses Microsoft 365 Cloud services for storage of all records.
• In addition, Global Kids saves backup copies of all storage on its on-premises servers which are in a locked server room with secure access only available to VP of IT and other approve personnel.
• Remote cameras with movement detection recording and remote access.
• Multiple locations where remote servers are located.

Children’s PII will be collected and disclosed only as necessary to achieve educational purposes in accordance with state and federal law.

• Global Kids implements a stringent password policy.
• All Global Kids data is encrypted while in transit and at rest.
• All authorized Global Kids staff Microsoft accounts with access to PII records are safeguarded with multi-Factor authentication (MFA), regarding accessing data from the Microsoft Cloud. MFA consists of either text based secondary authentication or using the Microsoft Authenticator Application for entering MFA codes.

Staff members and outside parties who handle children’s PII are trained in applicable laws, policies, and safeguards associated with industry standards and best practices.

PII information is permanently and securely deleted no later than when the contract ends.

• Global Kids trains its employees who have access to Protected Information on the federal and state laws governing confidentiality of such data prior to receiving access.
• Global Kids regularly monitors data security and for privacy incidents and has the following plans in place to identify breaches and unauthorized disclosures. Please see the following sections of this Data Security Plan:
• Global Kids does not maintain copies of children’s PII once it is no longer needed for the educational purpose for which the DOE has disclosed it to Global Kids. The data will be returned, deleted, or destroyed by Global Kids when the contract is terminated or expires, as per NYC DOE’s direction.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Goalsetter Foundation

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The D18 + Goalsetter Financial Freedom Project Pilot will begin with a launch in April 2023 and conclude in November 2023 engaging a spring and summer cohort of middle school students from schools across the district. In collaboration with each participating school, ~600 students will learn with selected lessons during weekly learning blocks dedicated to personal finance.

Each student and the teacher will have access to Goalsetter Classroom in which they will be able to explore learning modules related to the six National Standards for Personal Finance Education: Earning Income, Spending, Saving, Investing, Managing Credit, and Managing Risk. Students will explore the concepts by navigating through a learning progression in which they will develop a deeper understanding of not only personal finance content knowledge and key concepts, but they will also gain an aptitude for practically applying the skills they’ve been learning.

We look to expand beyond the pilot by Fall 2023 to a scale that accomplishes D18’s financial education goals. Participating in the 2023 pilot, D18 students, their families, and educators will experience the following activities and special offerings detailed below. We are excited to support the D18 community with financial wealth and wellness for all!

Type of PII that the Entity will receive/access: Student PII. GS Classroom: Student: First Name, Last Name, Classroom, Student inputted data (i.e. answers to quizzes, assignments, etc.) Employee: First Name, Last Name, Email address.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and Microsoft Azure.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Goalsetter data policies align to industry best practices and standards for data security and privacy. Goalsetter restricts access to protected information based on its data classification, data protection and data retention policies; segregation of duties; and regular access reviews. Goalsetter does not sell or release personal identifiable information for any commercial purpose. Goalsetter restricts access to confidential information on a least privilege basis. Goalsetter enforces encryption of all personal identifiable information in transit and at rest. Goalsetter ensures that 3rd party contractors and 3rd party vendors that access customer PII adhere to Goalsetter standards as evidenced in our Vendor Management and Acceptable Use Policies.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Gradecam

Graduation Alliance

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The ENGAGE Attendance Recovery program has been designed to help school districts by stabilizing and improving student attendance and academic performance through outreach to and ongoing academic and social/emotional coaching support for district-referred students who are chronically absent or disengaged.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Salesforce.com, Five9, Microsoft Azure/Power PI.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data is stored and processed at data centers located in the continental United States. Data is encrypted at all times, at rest and in transit. Access to all data is via highly secure credentials using Multi-factor Authentication (MFA) and using a “zero trust” model which verifies all requests as if they originated from a network not controlled by Graduation Alliance. Passwords are strongly encrypted and cannot be known other than by the person who set the password. We perform criminal background checks for all employees. All staff who have direct access to students undergo further security and background checks as required by law in the state where Graduation Alliance provides such services. All staff receive information training upon hire, and periodic updates to their training, no less than annually. Furthermore, staff with elevated access to our technology and systems hold current certificates of completion of the US Department of Education’s FERPA 101 and 201 training courses.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Great Minds PBC

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Great Minds PBC seek to ensure that all students in America’s public schools, regardless of their circumstances, receive a content-rich education in the full range of the liberal arts and sciences, including English, mathematics, history, the arts, science, and foreign languages. Great Minds does this by working with teachers, scholars, and schools to create curricula and instructional materials, conduct research, and promote policies that support a comprehensive and high-quality education.

Great Minds Digital Platform may be used by schools, school districts, or teachers in a classroom setting use as part of their selected educational curriculum.

Within the Great Minds Digital Platform, teachers have access to curriculum materials, within-application reports and visualizations to help them assess student learning and to assist in planning. Administrative reports and data extracts are also available to district and school admin users. Students may access complete assessments and other activities their teacher has assigned to them.

Great Minds digital products are hosted by Great Minds in the Amazon Web Services (AWS) cloud, in US-based data centers. Students and teachers access our products through the web browser. Ours is a multi-tenant solution. We ensure isolation of data through secure coding practices, industry-standard claims-based authorization techniques, and routine penetration tests. We support multiple integration options to authenticate and authorize users of our digital products.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data, including customer PII, is encrypted at rest and in transit using industry-standard encryption. Data is stored in AWS (Amazon Web Services) data centers, which have stringent physical security standards in place. More information on the physical security controls in place can be found here: https://aws.amazon.com/compliance/data-center/controls/. We have multiple administrative safeguards in place to protect access to PII. Access to sensitive information is restricted to those with valid business justification for doing so and only on a temporary basis. We also have automated systems in place that scan our infrastructure and our logs for any anomalies that could indicate a security event, as well as looking for potential vulnerabilities. Potential vulnerabilities or security incidents are alerted to our DevOps team via multiple channels and action is taken as appropriate.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Groundswell Community Mural Project

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term: 5/15/2021 – 5/14/2026

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Appropriate data is only collected and utilized for the expressed purpose of educational needs in providing the most effective programming to the constituents receiving programming services through Groundswell. Only basic statistical data will be collected and utilized internally by those individuals who are permitted and whose job duties require the data to evaluate overall program performance and development.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Groundswell Community Mural Project, Inc., together with its IT Service Provider shall investigate and remediate possible network security threats by means of capture, logging, and examination of files, communications, and other traffic and transmissions over or on the network including all student communications and component network activities relevant to the incident or breach.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Happy Numbers

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 8/18/2023 – 6/30/2024

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The data is used to provide the functionality of the services. HappyNumbers.com is a PreK-5 online math supplement. It helps PreK-5 teachers differentiate instruction and deepen students’ conceptual understanding of math. Driven by pedagogy and supported by technology (not vice versa), it’s not a set of electronic worksheets or another “all dancing, all singing” resource. Instead, we teach students to “think math”: students explore the meaning behind the math, building upon simple concepts to create connections and develop deep understanding.

PII is used to provide access to HappyNumbers.com, to administer students’ membership, and to enable users to enjoy Happy Numbers and easily navigate it. PII is also used to monitor student progress in Math at HappyNumbers.com and assign them the certain topics for practice.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google cloud servers.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All the data is stored in isolated VPC Google Cloud Servers, located in the United States. In addition, we use TLS v1.2 to transit data. To safeguard the data we keep, we use a restricted network, and to access it, we use a regularly updated VPN with encryption. Administrative and Operational Safeguards:

• Minimizing the Use, Collection, and Retention of PII: We only store the minimum information required for the proper functioning of our application. This includes students' first and last names (no students' emails, addresses, etc.), group names, and the names and emails of teachers, as well as the school name. This constitutes nearly all the data we store. We collect minimal information from single sign-on (SSO) systems such as ClassLink and Clever.
• Anonymizing Information: We have a special tool to prepare databases for test and development environments with complete anonymization of PII. Throughout the development lifecycle, developers and QA engineers do not have access to any real personal data.
• Access Enforcement: All employees have their own personal auditable accounts in all our systems. We use Single Sign-On to grant access to all internal systems. The critical applications, such as the admin panel, have RBAC for different access levels.
• Separation of Duties: We adhere to the principle of minimizing access, which means that, for instance, a content manager can access the BI system with de-identified student problem-solving logs, but they do not have access to the admin panel with actual data.
• Least Privilege: We use an RBAC model in our internal systems to grant each employee the minimum level of access they require.
• Remote Access: All types of communication with our servers and systems are encrypted using battle-tested protocols, such as enforced HTTPS with TLS 1.2, SSH, and OpenVPN.
• Auditable Events: We collect all change events in our SSO system and admin panel and store them in a database without making any modifications.
• Protection of Information at Rest: We store our backups in AWS S3 using the pgBackRest tool with AES-256-CBC encryption. Furthermore, our application servers transparently encrypt sensitive personal information, such as students' first and last names, using a symmetric cipher before storing it in an encrypted form in the database.
• Data Backup and Recovery: We continuously back up all production PostgreSQL databases using the pgBackRest tool and retain data for 30 days, including four weekly full backups.
• Change Management: Our infrastructure is entirely managed by Infrastructure as Code (IaaC) tools, including a custom in-house CLI tool, Terraform, and Ansible. This means that all changes can be reviewed through standard development procedures and are stored in GitHub.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Hidden Gems II (for We Intervene)

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The application, We Intervene, allows schools to share needs assessment survey links with parents and have the survey responses uploaded into the application. The PII information, such as an address, phone number, email address, and student demographic information, is needed to connect families - students and guardians - to resources in the immediate area.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.

• Security management processes to identify and analyze risks to and implementing security measures to reduce risks.
• Staff training to ensure knowledge of and compliance with policies and procedures
• Information access management to limit access to records to protect information
• User Policies, Access permissions as per the user workflow process and standards
• Access controls to restrict access to authorized personnel only
• Audit controls to monitor activity on systems containing student and parent’s record
• Integrity controls to prevent improper alteration or destruction of information
• Transmission security measures to protect records when transmitted over an electronic network.
• AWS stores our secured data in storage locations in US regions. They have their storage facilities secured.
• Secured Backup and Storage has been implemented as part of our AWS services

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Hiperware Labs

Type of Entity: Commercial Enterprise

Contract / Agreement Term: 2/1/2023 – 1/31/2030

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Delivering differentiated math practice to each student individually.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Heroku (Salesforce), IBM (compose.com), Amazon Web Services.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The physical safeguards are done by cloud providers: Heroku, IMB and Amazon. The administrative safeguards include access limited by role-based security, continuous backup and failover within the cloud providers. The technical safeguards include two-factor authentication, encryption in storage, transit, and communication, as well as of backups.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Hive Class

Type of Entity: Commercial Enterprise

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Hive Class is a standards-based curriculum aid for use in k-12 schools. PII is used in tracking student progress within the product, and for transparency and accountability tools for teachers.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS; Cloudflare.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Hive Class and its third party partners utilize all required reasonable measures to protect PII, including but not limited to:

• password protection of the application,
• double factor authentication on all cloud services and devops accounts
• encryption in motion and at rest of all PII
• Regular review of site admin access permissions
• Regular review of all cloud services account access permission
• Termination processes in place that include access revocation
• Automated cloudwatch alarms to alert of attacks/breaches

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.” 

Home for Little Wanderers

Type of Entity: Community Based Organization or Not-for-Profit

Contract / Agreement Term:

• Learning to Work: 3/27/2023 - 7/1/2024
• Mental Health services: 7/1/2023 - 6/30/2025
• Community Schools services: 7/1/2015 - 6/30/2025

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. or accessing PII.

Learning to Work: Wediko at the Home for Little Wanderers Learning to Work program supports students work placement internships and post-secondary planning. In order to be eligible for the program, students need to meet and maintain attendance and academic requirements. We access PII in order to track attendance and academic records to both select at-risk students in need of services as well as track progress.

Mental Health services: Wediko at the Home accesses PII in order to track attendance and academic records to both select at-risk students in need of services as well as track progress.

Community Schools services: Through our Community School contracts the Home for Little Wanderers provides supports for students, staff, and families in several schools in NYC. These contracts are designed to support the whole child by supporting them inside and outside the classroom, including family support. The Home places social workers and advocate counselors in the schools to support social emotional needs as well as activity specialists in afterschool to support out of school time. Wediko at the Home accesses PII in order to track attendance and academic records to both select at-risk students in need of services as well as track progress.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. DrCloudEHC.”

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All PII is tracked in electric health care platform DrCloudEHC. Access to this platform is restricted to active Wediko at the Home employee. The system is maintained by our Data Coordinator. This position is responsible for system maintenance and employee access.

• Passwords are changed every 90 days.
• Wediko at the Home uses Multifactor Authentication.
• Active employees have unique log-in IDs and have to re-log-in if inactive for more than 15 minutes .
• Access is blocked after five unsuccessful log-in attempts .
• Employees are prohibited from having PII on their personal hard drives.
• Only the IT Director, IT vendor, Data Coordinator have the ability to allow access to PII to those employees with proper authorization.
• Work stations shall be configured to prevent unauthorized access to PII. Employees shall turn their monitors away from open spaces or use privacy screens.
• Employees are strongly discouraged from accessing PII in public spaces with limited privacy.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”

Horizon Prep (also called Horizon Education)

Type of Entity: Private, for-profit educational assessment and curriculum organization.

Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.

Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Horizon Education will use this information to allow students and teachers to use the test prep platform for SAT and ACT preparation. Teachers must see their students and their progress reports.

Type of PII that the Entity will receive/access: Student PII.

Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”

Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:

• whenever requested by the DOE
• whenever the entity no longer needs the PII to provide services to the DOE
• whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
• no later than upon termination of this Agreement

In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.

Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.

Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services and LINODE.

Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Horizon Education implements encryption, strong passwords, software updates, monitoring, regular audits, incident response plan, staff training, compliance with data security regulations, and compliance with NYCDOE’s Parents’ Bill of Rights to protect PII and mitigate data privacy and security risks.

Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”