Under FERPA and New York State Education Law §2-d, NYC DOE may disclose student information without consent to authorized third parties who have entered into written agreements with us and meet certain requirements. Such third parties must agree to comply with federal, state, and local laws, as well as the DOE’s Data Privacy and Security Policies. They also agree to comply with the DOE’s Parent Bill of Rights for Data Privacy and Security and complete a supplemental information questionnaire to provide more information to parents, students, and the public about the vendors' data security practices.
The third parties that the DOE has written agreements with include software providers, community-based organizations, researchers, and related service providers. Third parties only receive the types of student information agreed upon in the written agreement, for the schools or students that have requested to use their products or services, and only as necessary for the provision of those products or services. Please contact your school’s principal if you would like to know which vendor(s) or organization(s) your school uses or partners with.
PLEASE NOTE: The third parties listed below do not comprise a comprehensive list of “approved DOE vendors” and should not be thought of as such.
Listed in Alphabetical Order:
21st CentEd
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 2/1/2022 - 2/1/2023
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. 21stCentEd’s online educational services collect contextual or transactional data as part of their operations, often referred to as “metadata.” Metadata refers to information that provides meaning and context to other data being collected; for example, information about how long a particular student took to perform an online task has more meaning if the user knows the date and time when the student completed the activity, how many attempts the student made, and how long the student’s mouse hovered over an item (potentially indicating indecision). This metadata is not linked to FERPA-protected information.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The 21stCentEd Data Security Plan (DSP) details procedures implemented at the administrative level to protect private information such as training personnel on information handling best practices. The DSP also outlines the physical protections implemented for protecting private information such as ensuring paper records and servers are secured and access-controlled. Lastly, the DSP includes 21stCentEd’s technology-based instruments and procedures used to protect private information such as requiring Common Access Cards for System Access and encrypting computers and emails.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
22nd Century Technologies
Type of Entity: Commercial Enterprise
Contract / Agreement Term Start Date: 7/1/2022
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Providing staffing services to NYCDOE Borough/Citywide Offices/Central Office as needed. 22nd Century employees may access PII through the performance of specific duties.
Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data).
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. 22nd Century is an ISO 27001 certified vendor. It uses Microsoft Azure as its IT cloud hosting provider. Microsoft Azure is ISO/IEC 27001 certified and therefore 22nd Century inherits all the physical security controls from Microsoft Azure. In addition, 22nd Century provides its staff IT Security Awareness and Threat Management training once upon onboarding and annually thereafter. 22nd Century has deployed Intrusion Prevention and Intrusion Detection controls for safeguarding its IT systems. Systems are audited internally on an annual basis and are compliant with the established NYC DOE IT Security standard. The SMTS system used to manage the contract implements role-based security ensuring that access to information will be granted on a need-to-know basis. The system employs industry standard data security controls such as data encryption both at rest and in transit; media protection and sanitization; incident management; account management and password policies; secure coding practices as per OWASP and SANS guidelines. 22nd Century has deployed a data loss prevention system to limit and prevent accidental leakage of information.
22nd Century will conduct onboarding training for all employees and temporary employees ensuring the confidentiality requirements and the duties and obligations regarding safeguarding confidential information are understood. Routine training will be conducted.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
3P Learning (for Mathseeds and Reading Eggs)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 11/8/2023 – 11/30/2027
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Mathseeds and Reading Eggs programs, provided and owned by 3P Learning, allow students to conduct online math and literacy related activities while teachers can view the results of those activities in their respective portals. PII is required in the form of student first and last names, so that the teacher can uniquely identify the students within the system. Only the teachers/admin users with access to specific classes can see results for their students. We do allow for pseudonyms to be used instead if this is the preference of the customer.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “At end of contract, data will remain in our systems for a 60-day period of time (per request of the DOE, this time can be adjusted) in case the customer wishes to re-activate and continue to utilize the product. All data will be destroyed after the 60-day period. If the customer wishes to have their data removed prior to this 60-day period, they can email privacy@3plearning.com as an authorized representative from the school or district, at which point all relevant information will be provided to the customer in a CSV format and then the data will be destroyed and deleted.”
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data Center is ISO 27001 certified. Least Privilege, RBAC, MFA etc. The customer's PII is safeguarded by 3P Learning's data protection policies. These include but are not limited to:
- Classifications of the data
- Privacy impact assessments (PIAs)
- Regular privacy training to all employees
- Firewalls/intrusion prevention systems
- ISO 27001 certified hosting systems
- Established data protection practices
- Encryption for data in transit and at rest
- Regular pen testing and vulnerability scanning/audits.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
95 Percent Group
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The One95 platform supplements and extends the print offerings of 95 Percent Group with digital content and assessment capabilities focused on language learning and literacy. PII is necessary to make student accounts, provide assessments, track student progress, and develop programs for specific students.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., MongoDB Atlas database service hosted in the Microsoft Azure public cloud.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- Administrative Safeguards: We have established a robust data privacy policy and a team responsible for its enforcement. Our personnel are regularly trained in data protection practices and the importance of safeguarding PII. Access to sensitive data is restricted to authorized individuals with a need-to-know basis, and we maintain a strict access control policy.
- Technical Safeguards: Our data is stored in encrypted databases with access controls based on role and permissions. We employ advanced intrusion detection and prevention systems to monitor for unauthorized access and potential threats. Regular software patching and updates are performed to mitigate vulnerabilities. We also employ strong encryption protocols to protect data in transit.
- Risk Mitigation: We conduct regular risk assessments and vulnerability scans to identify potential threats and vulnerabilities. Any identified risks are promptly addressed through remediation plans. In the event of a data breach, we have an incident response plan in place to minimize the impact and notify affected parties as required by law.
- Third-Party Assessments: We annually engage third-party security experts to conduct independent assessments of our security practices and protocols. These assessments help ensure the effectiveness of our safeguards and identify areas for improvement.
- Continuous Improvement: Our commitment to data privacy and security is ongoing. We continuously monitor and adapt to evolving threats and regulatory requirements, updating our safeguards and practices as needed to maintain the highest level of protection for PII.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Abbott House
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/1/2021 – 6/30/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Community Schools Resource program of Abbott House provides both PS294 and PS311 with Mental Health services, community engagement initiatives, and family support. We provide in-school individual and group counseling to students with mental health challenges. We not only help students in school but help families bridge the educational gap with attendance initiatives, connecting them to resources in our community, applying for public assistance and advocating for the needs of their family. We use PII to contact families to receive our services and connect them to the school community. Additionally, PII is used to inform our decision making when targeting vulnerable populations that may need our assistance such as students with low attendance rates or students in temporary housing.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., ASARA Fulton Street Software.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The Entity has a data privacy and security policy in place that implements principles, processes and solutions that facilitate secure business operations related to data privacy and security. The policy is reviewed frequently to manage the new challenges and requirements of the funding sources. This policy identifies the categories of attack surfaces (cyber-attack vulnerabilities), the paths by which cyber-attacks are enacted, and the processes or technologies used to prevent these attacks and protect Abbott House information assets. The following areas are managed by advanced technologies, constant monitoring and various physical, technical and administrative controls to ensure protection against data breaches and cyber-attacks.
- Network Security/High Availability
- Web Content Filtering/IPS
- Anti-Virus/Anti-Malware
- Anti-Spam/Phishing
- Access Control
- Data Encryption
- Email Security/Encryption
- Patch Management
- Data Backups/Testing
- Mobile Device Management
- Secure Wi-Fi
- Print/Fax Security
- System Disposal
- 3rd Party Security Audits
- BC/DR Plan
- Cyber Security Awareness Training
- Cyber Liability Insurance
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Abrahams Consulting
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Abrahams Consulting Consultants will provide the DOE with staffing augmentation, managed services, hardware and software support, installation, and other support services for various DOE programs, particularly MWBE specific projects and programs. Our services encompass a wide array of roles, including but not limited to: IT Engineer, DevOps, Software Architects/Lead Developers, UI/UX Designers, Data Analysts, Project Managers, Cloud Engineers, Cloud Architects. These services are tailored to support various programs within the DOE, including MWBE-specific projects and programs.
We will not be hosting or storing personally identifiable information (PII) data. Based on the requirements of the positions for which our staff are required, PII may be accessed where necessary to troubleshoot issues, provide adequate support, and develop initiatives as requested by the DOE.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: We will not be hosting or storing data.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Administrative measures involve assigning responsibilities to key personnel, conducting regular testing, and overseeing compliance. Technical safeguards include firewall protection, malware detection, encryption of emails and stored data, and secure user authentication protocols. Physical controls encompass restricted access, secure storage of records, disposal procedures, and monitoring of systems for unauthorized use. AC also outlines internal and external risk mitigation strategies, ongoing risk assessments, incident management protocols, and compliance monitoring procedures, emphasizing employee training and reporting obligations to ensure the security and confidentiality of PII and mitigate potential data privacy and security risks effectively.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Academics in Motion
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 9/1/2022 – 6/30/2023
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We will compare student data before our programming and during our program to see the students' improvements pertaining to academic progress and attendance results only. We will provide Academic Support, SEL and Life Skills workshops, wellness activities, and college and career resources.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. AIM PII data is reported to and stored in the AIM database, which uses usernames and passwords to prevent unauthorized access and to restrict user access within the application. Each unique user account is assigned access to programs and permission sets to restrict access to data and features in the system. Data is stored using redundant Amazon Web Services hardware technologies and SSG fault-tolerant software and journaling file systems. All data is automatically encrypted while in transit and in storage. User-based permissions and audit trails further enable secure access to data within the system. To prevent breaches, the AIM database conducts continuous vulnerability scanning, integrated security code scanning, and penetration testing. In the event systems are affected by a breach, it is their policy to notify without undue delay, and in no case later than 48 hours from the confirmation of a data breach.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Acadience Learning Inc. (ALI)
Type of Entity: Research Institution or Evaluator
Contract / Agreement Term: Nondisclosure agreement was signed on 6/25/2021
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The purpose for which ALI will receive/access PII is to provide online assessment and data management services for Acadience assessments and for psychometric and research services which may be called upon by NYC DOE.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The Acadience Learning Online (ALO) system follows industry-standard best practices to ensure that all system data, including data containing PII, is secure and protected at all times. Technical security protections include, but are not limited to: encryption of data in transit and at rest, use of US based servers, proactive monitoring of network access, and regular security testing and review of results. ALI takes a proactive stance on mitigating data privacy and security risks by utilizing strong security procedures and protocols.
Additionally, ALI upholds rigorous internal policies to ensure that employees with access to data containing PII follow strict procedures related to the handling and management of sensitive information. Employees with access to sensitive information must first complete required training before gaining ALO system access, and system access is limited to employees who need access to the information to complete job duties.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Accelerate Learning (for STEMscopes, Math Nation)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. PII is utilized solely for application operations and curriculum interaction by students and teachers.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Amazon Web Services.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Accelerate Learning (ALI) implements cybersecurity practices and requirements based upon CIS’s well-established Controls and Benchmarks that are compliant with the federal standards in the Federal Information Security Management Act (FISMA) in NIST Special Publication 800-53 Revision 5, published September 2020. We implement authentication, authorization and accounting (AAA) based on these controls following a least privileged model. Additionally, ALI utilizes leading industry tools to monitor, restrict, and secure information resources and sensitive data. The fundamentals of our security operations include:
- Passwords and Employee Access. Accelerate Learning Inc secures all usernames, passwords, and any other means of gaining access to the Services or to Student Data, at a level suggested by the applicable standards, as set forth in Article 4.3 of NIST 800-63-3. ALI only provides access to Student Data to employees or contractors that are performing the Services. Employees with access to Student Data shall have signed confidentiality agreements regarding said Student Data. All employees with access to Student Records shall be subject to criminal background checks in compliance with state and local ordinances.
- Destruction of Data. Accelerate Learning Inc destroys or deletes all Student Data obtained under the Service Agreement when it is no longer needed for the purpose for which it was obtained.
- Security Protocols. Accelerate Learning Inc utilizes security protocols that meet industry standards in the transfer or transmission of any data, including ensuring that data may only be viewed or accessed by parties legally allowed to do so.
- Employee Training. Accelerate Learning Inc conducts periodic security training to those of its employees who operate or have access to the system.
- Security Technology. When the service is accessed using a supported web browser, Accelerate Learning Inc employs industry standard measures to protect data from unauthorized access. The security measures include firewalls, deep packet inspection, application stream analysis, restrictive load balancing, network segmentation, network ACLs, data transit encryption utilizing TLS 1.2 with 2048-bit certificates, data at rest encryption utilizing 256-bit AES encryption, log aggregation and analysis, vulnerability management and remediation process, application authentication, server authentication and administrative authentication following least privileged access.
- Periodic Risk Assessment. Accelerate Learning Inc conducts regular digital and physical risk assessments and remediates any identified security and privacy vulnerabilities in a timely manner.
We adhere to the following standards, laws, and certifications:
- NIST Cybersecurity Framework v.1.1
- NIST SP 800-53 Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (CSF), SP 800-171
- ISO 27000 Series
- Center for Internet Security (CIS) Critical Security Controls (top 20)
- Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99)
- Children's Online Privacy Protection Act (COPPA)
- Protection of Pupil Rights Amendment (PPRA)
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Access411 (also called Morrison Consulting Inc)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 7/1/2019 – 6/30/2026
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CAASS is a school safety solution that issues ID cards for students to access schools, classrooms, gyms, auditoriums, etc. based on their registered school and classes. For example, if a student attempts to enter the cafeteria when they don’t have lunch during that period, the ScanStation attendants are alerted to prevent the student from entering the cafeteria. CAASS users have the option to add/import student suspension data, so ScanStation attendants are notified when a suspended student attempts to enter the building during their suspension. CAASS also sends guardian notifications on student arrival time and departure times if guardians choose to register through our mobile app, CAASS Notify. School users can also track student attendance based on entry/exit times and run reports to identify school and student attendance trends (chronically absent or tardy). Additionally, CAASS also has Event Scanning functionality for schools to manage students who can attend certain events and post-event reports based on when each student arrived and departed. Schools can also issue staff ID cards as well and use ScanStations to track when staff members arrive/depart.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Zerto Virtual Replication to Azure via a VPN tunnel for backup solutions (State side only).
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Morrison Consulting Inc. implements administrative, technical, and physical safeguards to ensure all PII is protected 24 hours per day, 7 days per week.
Technical safeguards are implemented for 24/7 security, including but not limited to:
- Software Vetting Process
- Patch Management
- Cybersecurity and System Monitoring
- Penetration and Vulnerability Tests
- Firewalls, Data Encryptions, Password Protections
- Disaster Recovery Solutions and Backup Protections
- Incident Response Procedures
- Change Control Procedures and Protections
Administrative and physical safeguards are also implemented, including but not limited to:
- Employee Vetting and Clean Desk Policies
- Physical Building Security and Protections
- Continuity of Business Plans
- Acceptable Use Policies
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Achieve3000, Inc.
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 9/1/2022 – 8/31/2029
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Achieve 3000, Inc. offers multiple products that will collect Personally Identifiable Information (PII) including: Actively Learn, Actively Learn Unlimited, Achieve3000 Literacy, Achieve3000 Literacy with Boost, SmartyAnts, Achieve3000 Math, eScience3000, and NWEA MAP Informed Learning Path.
Achieve3000, Inc. will use personally identifiable information (“PII”) to provide the educational product or service subscribed to by a DOE institution or to process transactions such as information requests or purchases in order to meet our contractual obligations to the DOE institution that has subscribed to our products and services. We will also process DOE PII to meet our legitimate interests, for example to personalize your experience and to deliver relevant content to DOE; to maintain and improve our services to the DOE; to generate and analyze statistics about DOE use of the services; and to detect, prevent, or (if permitted by law) to respond to fraud, intellectual property infringement, violations of law, violations of our rights or our terms of use for Achieve3000, Inc. online products and services, or other misuse of the services. Except as described in this notice, we limit the use, collection, and disclosure of DOE PII to deliver the service or information requested by DOE.
- Actively Learn- Actively Learn gives teachers access to thousands of texts and videos for ELA, social studies, and science with scaffolds and data to inform instruction
- Actively Learn Unlimited - Actively Learn Unlimited gives teachers access to thousands of texts and videos for ELA, social studies, and science with scaffolds and data to inform instruction, plus an additional 6,500 copyright books from publishers including Penguin Random House, HarperCollins, Simon and Schuster, and HMH.
- Achieve3000 Literacy - Achieve3000 Literacy is a digital learning solution that accelerates literacy growth for all students through differentiated content and instruction. A wide body of research, including a gold standard study with a rating of Strong from Evidence for ESSA, has shown Achieve3000 Literacy can double and even triple expected learning gains
- Achieve3000 Literacy with Boost - For targeted and intensive intervention, Achieve3000 Literacy with Boost for Intervention accelerates the literacy gains of students who need additional supports and services. Achieve3000 Literacy’s suite of classroom-tested scaffolds for students and supports for teachers, combined with Achieve3000’s patented methodology and world-class technology, deliver a successful RtI implementation with results that you and your students can see after as few as four lessons. Plus, with Achieve3000 Literacy’s focus on nonfiction science and social studies content, as well as academic vocabulary, intervention students do not miss out on essential grade-level, standards-aligned instruction while engaged in Tier II, Tier III, or Special Education instruction during targeted instruction in the general classroom or intensive intervention in a specialized classroom.
- SmartyAnts - Smarty Ants is an effective, research-driven solution that differentiates instruction in foundational reading skills and accelerates student achievement – all in an engaging, interactive, online learning environment. The program continuously evaluates each student’s exact skill level, learning temperament, and learning pace. Based on this information, the adaptive content system automatically delivers the right level of skill instruction and practice to keep learners in the zone of proximal development. No two students will approach the content or process in the same manner, but they all will reach the same critical milestones for primary-grade literacy success and emerge as confident, capable readers ready for the challenges of second grade and beyond.
- Achieve3000 Math - Achieve3000 Math offers a powerful experience to support math fluency and skills mastery across grades, standards, and topics. The solution includes individualized practice and intervention for math standards mastery for elementary, middle, and high school learners.
- eScience3000 - Core science program for grades 6-8
- NWEA MAP Informed Learning Path - Achieve3000 offers access to the Northwest Evaluation Association (NWEA™) -MAP Informed Learning Paths. MAP Informed Learning Paths use MAP assessment data and Achieve3000 data so that Achieve3000 user can create a personalized and differentiated learning path for each student. Teachers can easily see each student’s results by RIT ranges and assign lessons to address skill strengths and weaknesses. Instructional recommendations for each skill and concept further help teachers to differentiate instruction.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Amazon Web Services; and using an Entity-owned and/or internally hosted-solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Achieve3000, Inc. utilizes the most up-to-date security systems and 24/7 monitoring. Achieve3000, Inc. also has very strict internal processes to safeguard customers’ data, and all applications are built in compliance with federal regulations including FERPA. System penetration testing, vulnerability management and intrusion prevention are managed in conjunction with our third-party infrastructure provider. The application logs security-relevant events, including information around the user, the date/time of the event, the type of event, the success or failure of the event, and the seriousness of the event violation. User authentication communication and storage is protected by 256-bit Advanced Encryption Standard security. Achieve3000, Inc. employs Role-Based Access Control (RBAC) and the Principle of Least Privilege (PoLP) when provisioning access to its infrastructure and technology. All access follows approval flows and is logged and audited. The Achieve3000, Inc. Cybersecurity and Privacy Teams maintain a 24x7 security incident process and a confidential Incident Response Plan, along with standard operating procedures for handling security incidents and notifications. The infrastructure which hosts Achieve3000, Inc.’s digital products resides in AWS, which is physically located in Amazon’s datacenters, all of which are SOC 2 compliant.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
The Achievement Network
The exclusive purposes for which Protected Information will be used: The information collected is first used to enable access to ANet’s online platform, myANet, which provides resources and reports for District and Schools leaders. These data also allow ANet coaches and school leaders to understand student performance on interim assessments administered. These learnings then enable ANet to provide the appropriate guidance and best practices to boost student learning. Additionally, we also occasionally use anonymized, aggregated student response data to inform our own internal analyses of the efficacy of our services and tools.
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: ANet and our partners are considered to be a “School Official” under FERPA. Data reports that include more granular student data can only be accessed through our secure data reporting platform. Any individual or non-aggregated student data is available only to that student's school leaders and teachers, not to other educators in the network.
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: ANet typically retains all data collected. In the event that a partnership with ANet is concluded, user access to the myANet platform will be terminated on a mutually agreed upon date. This ensures that the data collected for that partner is no longer available to other schools within the district that utilize the platform. [NYC DOE comment: The current agreement became effective starting on December 20, 2019 and terminates when all NYC DOE schools and/or offices cease using The Achievement Network’s products/services. The terms of the agreement remain effective through the period during which The Achievement Network possesses or otherwise is in control of covered protected information.]
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Our data and servers are part of AWS and are housed in US-based AWS data centers. https://aws.amazon.com/compliance/data-center/controls/. At our offices we do not have any servers.
How the data will be encrypted (described in such a manner as to protect data security): Applications communicate with RDS databases within a secure Virtual Private Cloud (VPC) via Transport Layer Security (TLS) versions 1.0 and 1.2. AWS RDS encryption at rest with KMS uses FIPS 140-2 validated hardware security modules (HSMs) to generate AES-GCM 256-bit keys.
Activate Learning (also called SASC LLC)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We are providing licenses for the digital edition of our K-12 science programs. Our middle school and high school interactive science curricula require student first name, last name, email address and student ID. For teachers we require first name, last name, email address and teacher ID. The purpose of this information is for account creation and integration with applicable learning management systems.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All communications between the user and the system are performed via SSL. All information stored either at rest or in transit is encrypted. Additionally, all Activate Learning personnel with access to PII have passed a background check. Activate Learning employs a robust backup and security strategy which includes daily backups and industry-compliant WORM (Write-Once-Read-Many) archival storage. Additionally, all backups are encrypted and locked.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Actively Learn Inc
The exclusive purposes for which Protected Information will be used: Actively Learn uses Protected Information solely to provide the Actively Learn educational service to NYC students, teachers, and schools.
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: We will carefully review sub-processor privacy agreements and terms of service to ensure that they abide by the data protection and security requirements required by our NDA with the NYC DOE.
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon written request from NYC DOE, we can delete or de-identify NYC data in our platform.
[NYC DOE comment: The current agreement became effective starting on March 20, 2020 and terminates when all NYC DOE schools and/or offices cease using Actively Learn Inc’s products/services. The terms of the agreement remain effective through the period during which Actively Learn Inc possesses or otherwise is in control of covered protected information.]
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All Protected Information is stored in the US (AWS us-east-1 and us-west-2 datacenters). Data is encrypted both at rest and in transit. Actively Learn employees with access to Protected Information access it via a browser over SSL (support staff) or directly over a password-protected, private-key SSH tunneled connection to our platform database (engineering staff).
How the data will be encrypted (described in such a manner as to protect data security): Platform data is encrypted at rest using AES-256-GCM encryption provided by AWS’s Aurora managed clustered database service and AWS’s Key Management Service (KMS). Platform data is encrypted in transit between the database and our platform via SSL.
Adobe
The exclusive purposes for which Protected Information will be used: The NYCBOE uses Adobe products and services for its students in the K-12 school environment. Protected information (as defined in the Additional Terms) will be provided to Adobe and used by Adobe for the purposes of providing such student services to the NYCBOE and its students under the agreement between Adobe and NYCBOE. [NYC comment: Adobe refers to the New York City Department of Education as NYCBOE throughout the agreement.]
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: In the event that Adobe engages subcontractors or other authorized representatives to perform one or more of its obligations under the agreement, it will require those to whom it discloses protected information to be subject to contractual data protection terms at least as restrictive as those set forth in the agreement, and those subcontractors or other authorized representatives shall have a legitimate need to access protected information in connection with their responsibilities in providing services to Adobe.
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The initial term of the agreement with the NYCBOE will be thirty-six (36) months from the effective date. Upon expiration of the additional terms without renewal, or upon termination of the additional terms prior to expiration or termination of a student account, Adobe will adhere to the student data retention and deletion protocols agreed to with the NYCBOE and set forth in Section 5.4 of the Additional Terms of the Agreement. [NYCDOE comment: the Agreement was signed and put into effect on February 28, 2022.]
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to Section 6.3 of the Additional Terms, Adobe will work with the NYCBOE to process requests for copies of, and challenges to the accuracy of, protected information in the custody or control of Adobe. Such requests should be directed to the NYCBOE at studentprivacy@schools.nyc.gov.
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Any protected information Adobe receives will be stored on systems in a secure data center facility. Adobe processes and stores information in the U.S. and other regions, which may include Europe and Japan. Adobe Cloud Services meet the specific requirements of data protection, including, but not limited to, Article 28 of the General Data Protection Regulation, and are listed as SOC2, Type 2 (Security and Availability) and ISO 27001 compliant and others as indicated at http://www.adobe.com/go/cloudcompliance. Additional information on Adobe’s various security controls and processes for its products and services is located in Exhibit C (Technical Organizational Measures) to the Additional Terms of the Agreement.
How the data will be encrypted (described in such a manner as to protect data security): Adobe uses technologies, safeguards and practices, including, but not limited to, encryption, firewalls, password protection, and/or equivalent that are consistent with its industry standards. Adobe Cloud Services meet the specific requirements of data protection, including, but not limited to, Article 28 of the General Data Protection Regulation, and are listed as SOC2, Type 2 (Security and Availability) and ISO 27001 compliant and others as indicated at http://www.adobe.com/go/cloudcompliance. Additional information on Adobe’s various security controls and processes for its products and services is located in Exhibit C (Technical Organizational Measures) to the Additional Terms of the Agreement.
Advanced Assessment Systems (also called LinkIt!)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices. “Typically, agreements are 1 year in duration, beginning on July 1 and ending on June 30 of the following year.”
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. LinkIt! will receive PII data related to student assessment records, including student names, IDs, and demographic information. Additional student records, such as attendance, behavior and programmatic associations may also be sent to LinkIt! All such data shall be used and maintained as a service to school and district stakeholders authorized to access the same and exclusively for the purposes of analyzing the data for instructional improvement, professional development and resource allocation purposes, as well as other such purposes as the district may deem necessary and appropriate.
Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Performance Review Data).
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. “LinkIt! leverages industry-leading provider AWS (Amazon Web Services) for data hosting and posts regular and frequent security updates. Access to data is limited to those individuals that require such access in the reasonable performance of their job function and all staff receive annual training in the area of privacy and security.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The safeguards in place to protect PII data are too numerous to fully detail here, but data and files are stored securely on the industry-leading Amazon (AWS) hosting platform. Data is also encrypted on our platform, both in transit and at rest. The LinkIt! data and security model follows best practices and consists principally of the following:
- Physical Security: Web servers, data servers and network data storage are on servers maintained by AWS. We perform full daily backups and hourly incremental backups which are stored offsite in the event of a disaster. The data center is located in a secure area with restricted onsite access.
- Data Security: LinkIt! utilizes the industry-leading Microsoft SQL database, which enables encryption in transit and at rest. Electronic access to database servers is restricted through dedicated web servers on a local network. This provides an effective barrier against attempts to directly compromise database integrity.
- Web Security: Our web layer consists of a passcode encrypted web service with enforced business logic. The business logic restricts user activity based upon permission level such that data access is limited to role within the LEA organization.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
After-School All Stars
Type of Entity: Community Based Organization
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. After-School All Stars of New York will provide community school support services (including community school implementation; family and community engagement work; organizing support for school sites; expanding learning, enrichment, and youth programming) through which the entity will have access to PII. Access to student PII is required to develop programming, contact parents, and allocate necessary support to students.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- Access to student records is limited to only those employees performing services for DOE.
- Physical data is securely stored and never leaves the site.
- All employees undergo training, including understanding their responsibilities and obligations under FERPA and New York Education Law 2-d.
- ASAS employees are also required to sign confidentiality agreements protecting your child’s privacy and disclosure of student records.
- ASAS also maintains an incident response plan and team to handle any potential security breaches involving ASAS Services and records in its possession.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Age of Learning (for My Math Academy and My Reading Academy)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We collect and use PII for the purpose of providing our services My Math Academy and My Reading Academy, both of which are adaptive digital learning programs for students. We do not use PII for any other purpose. Student information is provided in order to track the students’ progress within the products and to provide reporting to the teacher, school, and district.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The vendor has policies and procedures in place to ensure safeguarding practices are in place. This includes the protection of data from corruption, theft, or unauthorized access.
- Data Access – Age of Learning practices the principle of least privilege. Access is provided based on role and granted when necessary to fulfill the requirements set out by the contract.
- Account Protection – Single Sign-On (SSO) and a strong password are required.
- Encryption – All data is encrypted in transit and at rest.
- Monitoring – Age of Learning products are continuously monitored for vulnerabilities by employees and through state-of-the-art third-party monitoring tools.
- File Transfer Protocol – All file transfers are secure over SSL/TLS cryptographic protocol.
- Web Application Firewall (WAF) – Inspects and filters traffic between Age of Learning products and the internet.
- Software Security – Product development is based on OWASP, SANS, NIST, CSF, CIS, SCF frameworks.
- Audits – Annual SOC 2 audit and third-party penetration testing are performed for additional security awareness.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Agile Mind
Type of Entity: Commercial Enterprise
Contract / Agreement Term: [NYCDOE Comment: NDA was signed on 7/12/2021]
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Agile Mind provides comprehensive math and science programs for middle and high schools. To that end we store a student’s name, school, grade level and DOE-assigned login ID – all nonsensitive PII.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data (not just PII) is stored in a highly secure fashion. Data is protected using encryption while in motion and at rest by serving all data via HTTPS and storing it in a secure manner. For storage specifically, all data is stored by MySQL Data at Rest Encryption. The security of this data is ensured by limited employee electronic access to production databases, and databases are housed in a secure data center with physical security and a named access list for visitors.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Alchemer, LLC
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Alchemer offers a survey tool as a hosted service to its customers. Alchemer does not have direct access to our clients’ data/information, only if it’s shared by the end user at NYC DOE. Alchemer is a survey/data collection tool. Questions & responses recorded are for NYC DOE only. Alchemer does not collect data on behalf of their clients. Alchemer just provides the platform for data collection. If any PII is collected, it’s not shared or seen by Alchemer. Just the DOE.
Type of PII that the Entity will receive/access: Other: If PII is collected, it’s done by NYC DOE, and the NYC DOE would determine which types of data it collects. The Alchemer service is designed to function without the need for customers to provide PII and if the service is used in this way, no Student PII or APPR PII would be processed by Alchemer. If NYC DOE decides to collect that sort of information then it would. This would depend on the survey responses provided. Alchemer does not have direct access to any PII information. This is solely for NYC DOE and their respondents.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Alchemer has SOC 2 Type II and ISO certificates. We also run regular penetration tests, and these results can be found within the user’s platform. Given data privacy laws, Alchemer does not have direct access to the DOE’s account. Only licensed users, who cannot share licenses, as this is a violation of our Terms & Conditions, have access to any student information.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Alegra Learning (for Joy School English)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 8/1/2023 - 7/31/2030
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Alegra Learning, Inc. is the creator of Joy School English. Joy School English is a software program for elementary aged students (PreK-5) that focuses on oral language production, early literacy and social and emotional learning (SEL). Joy School English is accessible on iPads, tablets, mobile devices, Chromebooks and computers. Upon starting the program, students follow an individualized scope and sequence that takes them through the research-based curriculum. The curriculum is aligned to the NY State PreK and Kindergarten learning standards. Joy School English uses voice recognition technology where kids use their own voice to explore and advance to encourage speaking and oral language production. Joy School English also provides resources for teachers including data and progress monitoring, an interactive teacher menu to use in small/whole group instruction and teacher lesson plans. Joy School English is accessible from home so students can continue their learning pathway from home and the program serves as a great resource for parents. Student PII is used to create a unique student account for each student so that they can receive individualized instruction.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII is hosted via Amazon Web Services (AWS), which is a robust and secure service to host data (https://aws.amazon.com/compliance/data-privacy/). In addition to all of Amazon’s protocols, all data in our portal is password protected and only accessible to those authorized to do so. We use Role-Based Access Control (RBAC): RBAC assigns specific access permissions based on the roles or responsibilities of users within an organization. Users are granted access only to the resources and data necessary to perform their job functions.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
All In Learning, Inc
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 7/1/2020 – 6/30/2027
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Product: ALL In Learning is a cloud-based formative assessment platform providing in-the-moment and summative assessment data collection utilizing a variety of collection modes (clickers, student devices, bubble sheet scanning, and even teacher-graded rubrics). Our reporting supports improving the teaching and learning process in the classroom as well as provides student performance insight at every level (classroom, campus, and district).
Purpose for using PII: ALL In Learning will utilize some PII for Teachers and Students for the purpose of rostering for administering and reporting on formative assessments.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor. The vendor specifies that “We store our data in AWS/Aurora databases. The data is encrypted in transit and at rest. These databases are not shared resources with their other clients, nor is the data shared with AWS. It is not a cloud database.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ALL In Learning application data is stored in an Amazon Web Services virtualized environment. Data is always transmitted encrypted and stored encrypted. We have data access restriction policies in place within the ALL In Learning development and support organizations.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
American Institutes of Research (AIR)
Type of Entity: Research Institution or Evaluator
Contract / Agreement Term: 1/1/2024 – 12/31/2028
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. AIR will provide program evaluation and related services for the New York City Department of Education (NYCDOE). We collaborate with districts to develop a shared understanding of program goals and desired outcomes, and this shared understanding then informs all phases of instrument development, data collection, analysis, and reporting. The conditions under which PII may be required include the following:
- When it is necessary to link information about study participants across data sources.
- When it is necessary to contact study participants, including participation in data collections such as interviews, focus groups, or observations.
Type of PII that the Entity will receive/access: Student PII. “Evaluations may obtain administrative information about staff, such as teacher attendance or licensure information.”
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII subject to protection under BOE “Parent’s Bill of Rights for Data Privacy and Security” will be stored and processed in a secure Data Enclave designed to meet government and industry security safeguards. The Data Enclave is an enterprise-class system maintained in a FedRAMP-certified cloud datacenter that provides researchers access to a secure environment to process, store and analyze data. The Data Enclave was designed to protect the confidentiality and integrity of sensitive data and PII. The security controls in place are based on industry standards and best practices, including numerous NIST standards, such as NIST SP 800-171 (Protecting Controlled Unclassified Information).
Administrative and Technical Safeguards
- Access Control - Logical access controls are deployed as part of a defense-in-depth architecture. These controls follow the principles of least privilege and separation of duties. This is coupled with mature account management procedures and strong authentication mechanisms to strictly control access to sensitive data.
- Security Awareness and Training - All users are required to attend information security awareness training, and system administrators receive specialized security awareness training. This training is refreshed on an annual basis. This is augmented by an email phishing assessment program on a continuous basis.
- System Auditing and Monitoring - All security logs are forwarded to a Security Information and Event Management (SIEM) system that is actively monitored by a 24x7 SOC operated by a team of dedicated security professionals. Data from the security logs are indexed and correlated to monitor system integrity, facilitate incident response searches and event analysis, and support after-the-fact investigations.
- Security Assessment and Authorization - Internal audits are performed annually on the Data Enclave to ensure compliance with NIST SP 800-171. In addition, the Data Enclave has undergone an external, independent assessment by a federal agency.
- Identification and Authentication - Strong password and authentication policies are required and enforce settings such as multi-factor authentication, minimum password length, password complexity, password expiration, uniqueness, minimum age, failed login attempts, and account lockouts.
- Data Governance - The Data Enclave is designed for the full data lifecycle, including intake (acquisition) to closeout (disposition) that can include data destruction, if required. Data groups are inventoried, classified, and catalogued using a data governance system to ensure there is proper governance over the lifecycle of the data. Data destruction is performed in accordance with NIST SP 800-88 using cryptographic erasure, ensuring proper disposition, and making the data irrecoverable.
- Security Planning - Project-level information security plans define the boundaries and security category of the NYC DOE PII. These plans provide a description of the appropriate security measures commensurate with the sensitivity of the data (e.g., administrative controls, authentication, access controls, use of encryption, and sanitization and retention).
- System and Communications Protection - The Data Enclave employs next-generation firewalls with advanced intrusion prevention and boundary protections. Data flows are controlled through a deny-all-by-default approach, allowing only approved connections to specific resources. Encryption is applied to protect data at rest and in transit using industry standards that are compliant with Federal requirements.
- System and Information Integrity - Flaw remediation procedures identify standards and processes to identify and remediate system flaws and vulnerabilities. These procedures define roles and responsibilities regarding flaw remediation in response to vulnerability scans, web application testing, and vendor notifications. The Data Enclave is protected by malware mitigation at the perimeter and in the Data Enclave.
- Supply Chain Risk - Risks associated with weaknesses in the software supply chain are measured and continuously monitored in accordance with supply chain risk management policy and procedures. These are based on industry and government frameworks. The software inventory is maintained and monitored to assess and reduce risk related to weaknesses in the vendor supply chain.
Physical Safeguards
- Physical Security and Environmental Protection - The Data Enclave is physically located at a hardened, cloud provider datacenter under FedRAMP authorization. Access control to these facilities employs combinations of physical and biometric controls with video surveillance.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Amplify Education, Inc.
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Amplify Education Inc. (“Amplify”) provides core curriculum and supplemental programs and services in ELA, math, and science, and formative assessment products in early reading and math. Each product is briefly described below.
Amplify uses student data collected from, or on behalf of, an education agency to support the learning experience, to provide Amplify products to the education agency and to ensure secure and effective operation of our products, including: to provide and improve our educational products and to support education agency’s and authorized users’ activities; for purposes requested or authorized by the education agency or as otherwise permitted by applicable laws; for adaptive or personalized learning purposes, provided that student data is not disclosed; for customer support purposes, to respond to the inquiries and fulfill the requests of education agencies and their authorized users; to enforce product access and security controls; and to conduct system audits and improve protections against the misuse of our products, or to detect and prevent fraud and other harmful activities.
List of Amplify Products:
Core Curriculum
- Amplify Caminos - Amplify Caminos is a Spanish language arts program that inspires K–5 students to become confident readers, writers, and thinkers. Amplify Caminos was developed by a bilingual team from across the Latin American and Hispanic diaspora in a concerted effort to create culturally relevant connections for students with diverse backgrounds so their classroom experience strikes a balance between the security of the familiar and the excitement of the unknown. Amplify Caminos is designed to support any biliteracy model, including English as a Second Language (ESL), transitional bilingual programs, dual language strands, and Spanish immersion programs. When used in tandem with Amplify CKLA, Amplify Caminos provides a fully equitable, one-to-one English and Spanish solution.
- Amplify CKLA - Amplify Core Knowledge Language Arts (CKLA) is a comprehensive English Language Arts curriculum that builds foundational language and literacy skills. Amplify CKLA Grades K-2 develops these skills in a two-part program consisting of a Knowledge Strand and a Skills Strand. Amplify CKLA Grades 3-5 offers an integrated strand of instruction that covers both knowledge and skills content.
- Amplify ELA - Amplify ELA is an innovative, classroom-tested curriculum for grades 6–8. Our blended program provides a carefully sequenced system of standards-based content, tools, and support for core ELA instruction. The heart of every lesson is the text. We enable teachers to teach skills through texts and develop their students’ muscles for building meaning through reading. With Amplify ELA, students learn to attack any complex text and make observations, grapple with interesting ideas, and find relevance for themselves in their own lives.
- Desmos Classroom (also known as Desmos Curriculum) - Desmos Classroom is a digital and print curriculum for grades 6–8 and Algebra 1. The lessons are standards-aligned, center student ideas, and pose problems that invite a variety of approaches. The problem-based program promotes mathematical curiosity and student engagement and is built on the coherence and rigor of the Illustrative Mathematics IM K–12 Math curriculum.
- Amplify Math - Amplify Math for grades 6–8 and Algebra 1 is a 100% blended core program based on Illustrative Mathematics IM K–12 Math. The program was developed prior to Amplify acquiring the Desmos Curriculum and is currently being reworked.
- Amplify Desmos Math - Amplify and Desmos Classroom’s new unified curriculum for grades K–A2 brings the best of the Desmos Classroom lessons together with the program supports that districts need. Standards-aligned lessons are delivered through an easy-to-use platform that allows teachers to see student thinking in real time. Adopting schools gain access to assessments, Tier 2 intervention supports, reporting, and more. Units can begin to be piloted starting back to school 2023. Grades K–A1 can be piloted starting back to school 2023.
- Amplify Science - With Amplify Science K-8, users get detailed lesson plans, embedded formative and summative assessments, hands-on activities and materials, scientific texts, robust simulations, engaging media, physical and digital models, opportunities for scientific argumentation and other forms of classroom discussion, and a variety of effective teacher supports and professional development options.
Supplemental
- Amplify CKLA Skills - Amplify CKLA Skills is a research-based supplemental skills program built on experts’ latest findings on how children learn to read. Built on a systematic scope and sequence, Amplify CKLA Skills offers the explicit skills instruction needed in today’s classrooms. Amplify CKLA Skills can be used to supplement core ELA programs to provide focused lessons to make literacy skills a priority in the classroom. Amplify CKLA Skills is the first foundational skills program to earn an all-green rating from EdReports.
- Amplify Reading and Amplify Close Reading - Amplify Reading (grades K-5) and Amplify Close Reading (grades 6-8) are digital supplemental literacy programs that provide independent, personalized instruction and practice. Both use a developmentally appropriate narrative structure to guide students through targeted reading skills practice. Both use a scope and sequence that introduces increasingly complex, sophisticated approaches and topics in reading.
- Skills Boost - Skills Boost works alongside any core program to provide 30 minutes of highly targeted supplemental foundational literacy skills instruction every day. The software license bundles a suite of solutions and includes: quick formative assessment; targeted, teacher-led instruction and intervention; and independent personalized, adaptive practice for students.
Assessments
- mCLASS with DIBELS 8th Edition - mCLASS® delivers K-6 formative and diagnostic assessment and serves as dyslexia screening. DIBELS® 8th Edition, the latest version, has been specifically validated as a universal screener for reading and for dyslexia and covers the “5 big ideas” of reading, quickly identifies students who are at risk, and specifies areas for remediation and acceleration.
- mCLASS Intervention - mCLASS Intervention provides the analytical tools and resources educators need to make targeted, staff-led intervention a daily reality throughout the school year. mCLASS Intervention follows a research-based skills progression and uses smart technology to: analyze assessment results to place each student on the progression; form small groups of students with similar skill profiles, determine the optimal instructional focus for each group, and build detailed lessons aligned to that focus; and update students’ skill profiles, groups, and lessons every 10 days as progress-monitoring results improve.
- mCLASS Lectura - mCLASS Lectura is a high-quality, authentic Spanish assessment that accounts for the major differences between English and Spanish, not simply a direct translation or transadaptation between the two languages. Aligned to the Science of Reading, mCLASS Lectura allows teachers to connect with their students through observational assessment and in the language most comfortable to them. By providing teachers with insights into the skill areas in which their students are proficient, in their native language, the program helps Spanish-speakers build on their strengths and make connections to their second language. mCLASS Lectura delivers complete parity when combined with mCLASS with DIBELS 8th Edition, including parallel reporting across English and Spanish assessments and unique dual-language reporting. Educators also receive guidance on the cross-linguistic transfer of critical skills in both languages.
- mCLASS Math - mCLASS Math is a math assessment program that uncovers students’ mathematical reasoning and measures fundamental skills to build student success. Universal screening and progress monitoring with diagnostic interviews provide a rich view of at-risk students and gauge the effectiveness of math instruction.
- mCLASS with Amplify Reading - mCLASS: Amplify Reading Edition is an adaptive assessment (K-6) and instructional solution (K-8) that creates a research-based personalized learning experience for students. By seamlessly integrating universal screening and personalized learning, teachers can identify where students need more practice in early reading skills, and students can use a program designed to grow their skills and build their confidence as readers.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services, Inc. (AWS); MongoDB, Inc. (MongoDB)
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. [DOE comment: In its agreement, Amplify outlines in detail how it meets the COSO principles. Please contact studentprivacy@schools.nyc.gov if you would like a copy of this information.]
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Aperture Education
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 7/1/2021 – 6/30/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Aperture will use PII to administer student social and emotional assessments to be completed by students, teachers and (optionally) parents. PII will also be used in reporting (e.g., to disaggregate data by subgroup).
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and destroy PII.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Aperture Education considers security of PII to be of utmost importance. As such, we follow a rigorous security policy which includes, but is not limited to, third party penetration and security testing, annual security training of all of our employees, completion of background checks on our employees, encryption of confidential information in transit and at rest, and limiting user access to confidential information based on role. Please see our security policy for more information.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Applied Curiosity Research, LLC
Type of Entity: Research Institution or Evaluator
Contract / Agreement Term: 2/1/2022 – 1/31/2027
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We are conducting a mixed-methods implementation evaluation of a pilot program with students from two NYC schools. The pilot program occurs for five weeks over the summer and consists of a blend of classroom instruction from DOE teachers and community-based organizations as well as work-based learning. The focus of the pilot program is promoting computer science skills and knowledge while exposing students to careers in related fields. Research participants include participating students, teachers, and select agency stakeholders. The goals of the evaluation are to collect evidence of student outcomes, understand barriers and affordances to program implementation, assess the extent to which activities are completed as intended, identify best practices, and inform effective scaling of the program.
Methods include student pre/post surveys administered in class, student focus groups, teacher in-depth interviews, and in-depth interviews with key stakeholders.
The only PII we will collect is student and teacher names during the consent process. Consent is critical to ensure participants understand their rights as a research participant, including that the research is voluntary and how their information will be handled. Consent is also a mandatory requirement for NYC DOE IRB.
Type of PII that the Entity will receive/access: Student PII. We may collect student, parent, or teacher names on consent forms. We may also collect student names for the purpose of focus group attendance lists. We will not, however, collect student names that are attached to any academic or demographic data.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. The Entity selected “Other: We will remove all PII from any documents or digital files (consent form, survey responses, audio files, notes, transcripts) and replace this with an ID number assigned by the study team. The document linking IDs to PII will be stored in a password protected folder on an encrypted external drive, in a locked cabinet, accessible only by the principal investigator.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We will remove all PII from any documents or digital files (consent form, survey responses, audio files, notes, transcripts) and replace this with an ID number assigned by the study team. The document linking IDs to PII will be stored in a password protected folder on an encrypted external drive, in a locked cabinet, accessible only by the principal investigator.
Any PII will be kept secure and only used for study purposes, except as otherwise required by law. The study team will not disclose participants’ names or any personally identifiable information in any report or presentation.
De-identified consent forms, audio files, notes, survey data, and transcripts will be stored on a password-protected, encrypted cloud storage system accessible only by the project team.
After three years, we will delete and overwrite copies of all data and also wipe all blank space on the external hard drive to ensure there are no elements of the files retained on the drive.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Apptegy
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The PII we receive or access in connection with our services is either provided by a school (referred to as a “Client”) in order to create or manage users under a Client’s account or is provided by such users in the course of using our services. Thrillshare is a content management system that enables Clients to: update or share information via their website or social media; communicate with parents, students, or other stakeholders through a messaging feature that can send voice calls, text messages, push notifications, or emails (referred to as “Alerts”); or communicate directly with stakeholders via an online chat feature (referred to as “Rooms”). PII shared for these purposes may include: personal information shared by a Client in order to create accounts for administrators, teachers or other personnel; contact information shared for the purpose of sending Alerts; or any PII that a user may include in any messages sent via the Alerts or Rooms features. Apptegy only uses such information for the purpose of providing the services. For more information regarding the purposes for which Apptegy receives or accesses PII, please see the Apptegy Privacy Policy (“Privacy Policy”) (available at: https://www.apptegy.com/privacy-policy/).
Type of PII that the Entity will receive/access: Student PII. “How Clients use Apptegy’s services may change over time. In such case, the PII that Apptegy will receive/access in order to perform its services may change or be supplemented. This is at our Clients’ discretion. If a parent of a student or other individual wishes to review a list of PII accessed pursuant to the services, the parent or individual should contact the applicable Client to confirm. For a more generalized description of potential PII received/accessed, please also see our answer to Question 4 above and our Privacy Policy.”
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. As indicated, Apptegy uses Amazon Web Services (“AWS”) to host and operate our services, and to host and process Clients’ data. AWS supports more security standards and compliance certifications than any other hosting provider, including ISO, SOC2, NIST, GDPR, PCI-DSS, and others. Comprehensive information about AWS security practices and certifications is available at https://aws.amazon.com/security/ and https://aws.amazon.com/compliance/. In addition to other means of ensuring privacy and security (including encryption, vulnerability monitoring and remediation, and Role-Based Access Control (RBAC) principles), Apptegy monitors and manages system access by AWS security groups and internal access controls. We review our AWS security group rules at least annually and update them as appropriate. Apptegy uses single sign-on (SSO) and HTTPS protocol where available and technologically feasible. Apptegy uses a virtual private network (VPN) for remote access to AWS and the parts of our services that contain Client data where available and technologically feasible. Apptegy has implemented multi-factor authentication for our production environment. Clients can choose to require multi-factor authentication for end users. For more information on how we mitigate data privacy and security risks, please see our Privacy Policy.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Arete Education
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Areté Education, Inc. is an organization that provides a range of educational services to students, educators, and schools. Such programming includes, but is not limited to: afterschool enrichment services, which includes educational and recreational activities, tutoring, professional development, educational consulting and family help services. Our programming requires PII in the form of program enrollment, attendance tracking and record maintenance for possible review and report generation.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Cityspan Technologies Inc., Jotform and Google Drive.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Arete has several administrative, operational and technical safeguards and practices in place to protect the Protected Information that we receive under the contract. This includes, but is not limited to:
- Arete limits access to authorized personnel who have a legitimate need for such access.
- Physical Protected Information is stored in locked filing cabinets with limited access.
- Digital Protected Information is stored on password-protected laptops and/or password-protected encrypted data storage websites with limited access.
- All personnel handling Protected Information sign a confidentiality agreement and agree to abide by the Employee Handbook, which contains additional confidentiality provisions.
- Arete leadership provides in-person training on handling of Protected Information to authorized personnel.
All confidential information will be returned or destroyed upon termination of services unless retention is required to comply with grants.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology."
ArtSmart
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ArtSmart provides tuition-free music mentorship by paid, professional artists to students in under-resourced communities across the US. Since 2018, ArtSmart has operated as a designated out-of-school time partner of the NYC Department of Education to provide these services at NYC Public Schools.
Through weekly sessions offered during the school day, ArtSmart students receive a level of music education and personal mentorship that would otherwise be inaccessible to them. We offer private voice and piano lessons through our One-On-One Mentorship Program as well as a group Vocal Theater Program. Our programs offer students barrier-free opportunities for skills training and personal growth through music education, with the goal of providing a pathway to academic, economic, and emotional stability.
ArtSmart uses student PII to track student enrollment in our programs, schedule classes/lessons and ensure that programs are optimized for student experience and outcomes.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google (GSuite), Airtable (Airtable), Resonance Network Company (ResonanceHQ).
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ArtSmart only allows data to be stored on NYC DOE approved, cloud-based platforms (GSuite, Airtable and Resonance). ArtSmart staff and contractors are expressly prohibited from storing any Protected Information on company or personal devices. All staff and contractor accounts have 2FA enforced, as well as specific password requirements to prevent the use of common/predictable passwords.
ArtSmart limits access to Protected Information to the minimum number of individuals necessary to process the information.
All individuals who have access to Protected Information receive training on IT security best practices and ArtSmart policies concerning data storage, transmission, and use.
Data that ArtSmart will collect and store is listed below. ArtSmart will collect this data through digital AirTable and/or Resonance forms.
- Student First Name
- Student Last Name
- Student Email Address
- Student Grade Level
- Student School
- Primary Language
- Student Age
- Student Survey Responses (non PII only) *Cannot be used for Marketing Purposes/SOPPA Prohibited*.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Asase Yaa Cultural Arts Foundation
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 1/2/2023 – 1/3/2028
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Asase Yaa Cultural Arts Foundation will use Personally Identifiable Information (PII) for evaluations and for program development for student workshops so it can be appropriate for grade and age levels. Workshops are offered in all of the disciplines offered to students including Drumming (Djembe, Conga, Drum Line); Dance (African, Ballet, Jazz, Hip Hop, Modern); Theater (Original Productions); and Visual Arts. Workshops can be scheduled when it best fits parents which includes am sessions and pm sessions. Sessions typically are 45 minutes to 90 minutes.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third parties.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We would only keep the information in a password protected drive that is accessible to program directors only and which will be discarded at the end of each school year. Additionally, all devices used to access the PII have virus scanners, as well as firewalls to ensure that the information is not compromised.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
ASPIRA of New York
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ASPIRA will manage and operate community schools contracts with the goal of fostering ongoing collaboration and common vision with the partner schools to provide students and their families with coordinated programming that targets their individual academic, social, emotional, and developmental needs. PII will be utilized to register program participants, communicate their academic and social progress with parents and allow for student choice when program planning through the utilization of participant satisfaction surveys.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ASPIRA will limit access to a minimal number of authorized personnel who have a legitimate need for such data access. Confidentiality agreements will be required for any personnel with access. ASPIRA will encrypt data in transit and storage, set access controls, and implement regular and encrypted backups. Data is entered into a password protected cloud based database. Policies for reporting security incidents to parents/guardians are in place. All security incidents will be communicated to parents/guardians and students.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Assessment Technologies Institute (also called National Healthcare Association)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Processor’s Services include the provision of learning content hosted on Processor’s platform and Certification examinations. End users create an account (or the school does so on behalf of each end user) that includes contact information, and all data related to the interaction of the end user with the content is recorded by the platform and can be accessed by instructors and end users. Such data is PII. Additionally, certifications data (such as exam date, responses to exam questions, exam scores, pass/fail) is also PII in that it is linked to a specific individual.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data is encrypted at rest and in transit. Processor utilizes many controls and protections that include, but are not limited to: Network and Border Security, Endpoint Security, Email Security, Threat and Vulnerability Management, Access Management. All critical and high-risk vendors, if any, are reviewed annually as part of Processor’s Vendor Management Program. In addition, Processor completes an annual SOC 2 Type 2 assessment, which can be provided upon execution of a nondisclosure agreement.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
ASSISTments Foundation
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 8/1/2023 – 6/30/2028. This agreement covers work with Amistad Dual Language School, Mott Hall III, and New Venture School, however the start and end dates are consistent across the three schools.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ASSISTments will be used to support teachers with implementation of their High Quality Instructional Materials by allowing them to assign problems online. Students get immediate feedback on their answers and teachers get immediate data that they can use to modify instruction. In addition, ASSISTments will provide data on teacher and student usage of the platform to school administrators and coaches to help them better tailor supports that meet the needs of all teachers and students. Receiving student PII is necessary in order to carry out the work as described above. The student PII that is collected and stored within ASSISTments’ infrastructure is limited to name, email and student work on problem sets.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ASSISTments utilizes the following safeguards to mitigate data privacy and security risks while ensuring that PII will be protected:
- Administrative Safeguards: Established and follows comprehensive policies and procedures that outline best practices for data privacy and security including, but not limited to, background checks on TAF staff, personnel security and training, and the implementation of access control measures which limits who has access to data.
- Operational Safeguards: Comprehensive physical security measures, incident response and management procedures, and change management procedures.
- Technical Safeguards: Data encryption, network security controls (firewalls, intrusion detection, secure network configurations), secure development practices (SDLC, CI/CD), Single Sign On Authentication, regular auditing and vulnerability management.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Attainment Company
The exclusive purposes for which Protected Information will be used: Products provided include AAC applications & devices for student communication needs; student & teacher instructional applications/software for special education.
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Attainment provides industry standard data protection and security; annually authorized staff are trained on the appropriate requirements of FERPA, COPPA & SOPPA.
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Protected information is returned to the district & after 30 days purged from Attainment systems.
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All data is stored in the US with AWS certified protected industry standard practices.
How the data will be encrypted (described in such a manner as to protect data security): The transmission is controlled using TLS (Transport Layer Security) encryption for the browser to database connection. The data is encrypted between the client computer and Attainment’s servers. The Hub uses HTTPS (Hypertext Transfer Protocol Secure) over a secure SSL.
Avant Assessment
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 1/1/2022 – 6/30/2023
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Student PII is needed to register individual test takers who will sit for the AVANT language tests using the AVANT online testing system and to match the test takers’ results/scores with individual students so that the DOE can update students’ academic records with results accordingly. Avant test scores are used to award students credit towards graduation and advanced academic credentials.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Avant assessment utilizes many techniques to ensure that PII is protected. First of all, our application requires secure connections with encryption, and all data collected is also encrypted at rest. If information needs to be transmitted outside of our application, we work with the appropriate people to make sure we authenticate requests, send only the data needed, and assure that data is sent encrypted using a secure transmission method. We utilize a trusted hosting company and have our cloud archetype reviewed to make sure that we are following best practices. Along with our treatment of data, we enforce strong passwords for all persons who need access to an organization’s data and implement two-factor authentication. We also do code review and use software analysis to make sure we use best practices when handling data inside our application. Lastly, we do continuous training for all of our staff to recognize security threats and report any issues or practices that they observe.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Avaya
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Avaya is providing contact center services to multiple business units at DOE. Some of these business units require Avaya to store call and screen recordings for playback for up to 90 days. Avaya has not confirmed the exact PII that could be received but these recordings may contain certain PII.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using an Entity-owned and/or internally hosted solution.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Avaya protects and safeguards PII data by enacting the following measures and procedures:
Access control to premises. Avaya will prevent physical access to Personal Data processing equipment by unauthorized persons as follows:
- Avaya will implement and maintain physical security measures in order to prevent unauthorized access. This is accomplished by the following measures:
  - an electronic access control system with a 90-day log retention;
  - a 24/7 video recording of the physical facility with 30-day log retention; and
  - intrusion detection / burglar alarms, or engaging on-premise security officers.
- Avaya will restrict access to various zones at its premises based on roles, and periodically revalidate the access by owners.
- Avaya will have personnel and visitor security measures in place to prevent unauthorized access, which is accomplished by the following measures:
  - Personnel must display IDs;
  - Visitors must sign in;
  - Visitors will be reasonably escorted by staff; and
  - Visitors must wear a badge which easily identifies them as a visitor.
Access control to use of system. In order to prevent logical access to its Personal Data processing equipment by unauthorized persons, Avaya will implement and maintain the following measures:
- Avaya will only grant individuals access to the Personal Data processing equipment with
  - a unique user ID for access with formal authorization process, and
  - a unique password with the following features:
    - a complex password, consisting of eight characters and three of four character sets;
    - a maximum password lifetime of ninety days; and
    - an account lockout on failed logins.
- Avaya will grant the individuals access based on their job function with the following criteria:
  - role-based access;
  - least-privileged access; and
  - access only on a need-to-know basis.
- The screen of endpoints will be automatically locked after 20 minutes idle time.
- Avaya will log access to the data processing equipment.
- Avaya will use a multi-factor authentication of Avaya’s virtual private network (VPN) for remote access.
- Avaya will implement and maintain a central user administration.
- Avaya will encrypt endpoints provided by itself.
Access control to Personal Data. Avaya will prevent logical access to Personal Data by unauthorized persons by implementing and maintaining suitable measures to prevent unauthorized reading, copying, alteration or removal of the media containing Personal Data, unauthorized input into memory, reading, alteration or deletion of the stored Personal Data. This will be accomplished by the following measures:
- Avaya will only grant individuals access to the Personal Data with:
  - a unique user ID for access with formal authorization process, and
  - a unique password with the following features:
    - a complex password, consisting of eight characters and three of four character sets;
    - a maximum password lifetime of ninety days; and
    - an account lockout on failed logins.
- Avaya will grant individuals access to the Personal Data based on their job function with the following criteria:
  - role-based access;
  - least-privileged access; and
  - access only on a need-to-know basis.
- The screen of endpoints will be automatically locked after 20 minutes idle time.
- Avaya will log access to the data processing equipment.
- Avaya will maintain access control lists (ACL).
- Avaya will conduct data backups and retrievals, using a secure storage of backup media and testing backups.
- Avaya will implement and maintain a formal access control change management program.
- Avaya will implement and maintain internal policies and standards comprising security policies and standards, both at a corporate and business unit level.
- Avaya will conduct periodic mandatory trainings with respect to protection of personal data, and will monitor and enforce the training participation.
- Avaya will implement and maintain anti-virus programs, which are centrally monitored and updated, and conduct regular anti-virus scans.
- Avaya will conduct a secure deletion and/or disposal of data.
Transmission control. Avaya will prevent any unauthorized access to Personal Data via implementation of secure communication channels and logging as follows:
- Avaya will use a VPN with a multi-factor authentication for remote access.
- Avaya will use firewalls with the following features and processes:
  - stateful inspection;
  - default denial access rules are implemented unless access rules are explicitly approved;
  - role-based and least-privileged access on a “need to know” basis;
  - logging and alerting of access; and
  - annual review of firewall rules.
- Avaya will use encrypted email if the same has been enabled by Customer, using transport layer security (TLS) as the methodology.
- Avaya will implement and maintain security policies and standards both at a corporate and business unit level.
Input Control. Avaya will ensure the possibility to check and establish whether and by whom Personal Data have been put into, modified or removed from the Personal Data processing equipment as follows:
- Individuals accessing personal data will require a unique user ID and authorization for access.
- Avaya will implement and maintain security policies and standards both at a corporate and business unit level.
- The Personal Data processing equipment will have logging functionalities.
- Avaya will only grant individuals access to Personal Data based on their job function, with the following categories:
  - role-based access;
  - least-privileged access; and
  - access on a “need-to-know” basis.
Organization control
- Avaya will ensure that in case of commissioned data processing, the Personal Data are processed strictly in accordance with the instructions of Customer.
- Customer will provide clear instructions to Avaya regarding the scope of the processing of personal data, and Avaya will adhere to these instructions.
Availability control. Avaya will prevent any accidental destruction or the loss of Personal Data by appropriate measures as follows:
- Avaya will implement and maintain uninterruptable power supply, fire and smoke alarms, fire suppression systems, generators, cooling systems and raised flooring.
- Avaya will implement and maintain a disaster recovery plan, and annually review and test it.
- Avaya will implement and maintain a backup strategy and backup procedures.
- Avaya will implement and maintain anti-virus programs and firewall systems.
Control of separation of data. Avaya will implement and maintain appropriate measures to allow the separate processing of data which have been collected for different purposes as follows:
- Avaya will separate different customers’ Personal Data by storing Personal Data in logically separated databases.
- Avaya will keep productive and test data separate.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Babatek (also known as Impetus)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Babatek Inc d/b/a Impetus is serving DOE as an IT Professional Services provider. Babatek Inc provides IT application development and support services to DOE for a range of programs, including IT Staffing & System integration (SI) Contracts. Impetus will plan, design, execute and implement the new system while ensuring that security protocols are met and that business deliverables are in accordance with generally accepted industry standards and best practices and those unique to the DOE. Babatek Inc will provide all technical resources necessary to support a successful completion.
We understand that the PII may be accessed when running reports, and developing analysis, and planning and executing projects.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: No PII will be stored or hosted.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Our consultants will not be storing, collecting, or otherwise using PII anywhere else but within DOE-owned or controlled networks, data systems, devices, or applications.
Babatek Inc will follow the industry standard practices as explained below which will simplify the process of implementing data encryption mechanisms.
Depending on our confidentiality agreement on the project, Babatek Inc will assign a project closure manager who will oversee all transitions of project documents and any client confidential documentation. The project closure manager will double check with a client representative all documentation files, notes, electronic information, and any other material deemed to be confidential. Upon request, on an as-needed basis, upon project termination, or when data is no longer needed, a formal acknowledgement will be given to the client confirming that all materials have been returned or destroyed.
Babatek Inc limits access to Confidential Information by the following methods:
- Not use Confidential Information for any other purposes than those authorized in our contract.
- Confidential information will never be disclosed to anybody except fully authorized personnel. A proper approval process will be followed and agreed to by both Babatek Inc and DOE in case special needs and provisions arise for advance reporting or critical updates to be communicated in time-sensitive scenarios.
- Maintain reasonable technical, administrative, and physical safeguards to protect Covered Confidential Information.
- Provide training on laws governing confidentiality to our officers, employees and assignees with access to such Confidential Information.
- Notify the DOE of any security breach resulting in an unauthorized release of Confidential Information, and promptly reimburse DOE for the full notification cost.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “No PII will be stored or hosted.”
Ballet Tech Foundation
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 9/1/2022 – 8/31/2027
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The service provided is Dance Training at Ballet Tech. PII is required in order to take attendance and for grading.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Protected Information is stored in the US. Ballet Tech has various administrative, operational and technical safeguards in place to protect any Protected Information that it will receive under the contract – including training staff members as to best practices for data security and student privacy, the use of Google Drive and Gmail with their built-in data privacy protections, using an on-site physical server for day to day file storage, requiring strong passwords (and 2FA when available), and shredding any paper documents containing Protected Information.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Bank Street College of Education (for professional development)
Type of Entity: Institution of Higher Education
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.
- Bank Street College of Education is a partner in the Next Generation Community Schools project. Bank Street will be providing implementation support and coaching to facilitators in 20 Next Gen Community Schools to run High 5s Kindergarten Math Clubs. Math Mentor Coaches, who are employees of Bank Street, will visit each High 5s Kindergarten Math Club at the school site, to provide coaching support to the Facilitators. The High 5s Clubs may take place before, during or after school.
- Bank Street College of Education will work with the New York City Department of Curriculum and Instruction to provide in-school coaching support and district professional learning in Mathematics. Our coaches may access PII in order to understand the coaching supports teachers need in order to improve instruction in the classroom. Coaches and teachers may analyze student data together to inform instructional strategies.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Bank Street will not be storing, processing, or collecting PII.”
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by the Entity.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Physical and technical safeguards: Identified project team members will receive training about data security and proper handling of student data prior to the start of the project(s), or shortly thereafter. The training provided is specific to Ed Law 2-D and data privacy and security protocols.
PII will not be stored or collected for the purpose of [these programs], only accessed.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Bard Early Colleges
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The network of the Bard Early Colleges works to increase access and success in higher education by providing students with a program of study that includes not only high school courses, but also college-level courses in the eleventh and twelfth grades. A core component of the Bard Early College mission is its commitment to educating students from communities that have been historically underrepresented in higher education. To ensure that the Bard Early Colleges appropriately implement the early college model, the network routinely collects student PII. With this information (in particular, key demographic information such as race, gender, ability, and economic status, and key academic performance measures such as course enrollment, letter grades, credits earned, and degree attainment), Bard is able to advocate effectively for resources on local and state levels and to deepen its understanding of student populations and learning needs.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The Bard Early College Network uses Google Workspace for Education for email communications and data storage. All accounts associated with the Bard Early College Network are password protected and have multifactor (2-step) authentication in place. Additionally, all files that include PII require access as allowed by document owners.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Beable Education
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Beable provides literacy and test prep software to the NYC DOE. PII is collected for purposes of providing students with access to the system, and teachers with ability to monitor their progress.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services (AWS). The AWS services utilized are AWS RDS, AWS S3 and AWS ElastiCache.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Beable employs a variety of administrative, technical and physical safeguards designed to protect PII in its custody from loss, misuse, unauthorized access, disclosure, alteration, or destruction. Our measures consider the sensitivity of the information we collect, use, and store and the current state of technology. Our security measures include data encryption, firewalls, data use, and access limitations for our personnel. Should we become aware of an unauthorized disclosure of your information and/or any data breach of our systems and information, we will notify NYCDOE promptly in compliance with N.Y. Education Law 2-d Requirements.
Beable has implemented a mandatory training program for its employees and contractors and clearly defined guidelines to which they are held accountable for collecting, storing, accessing, securely transmitting, interacting with, and destroying PII. Employees and Contractors are required to sign Confidentiality Agreements.
Beable’s application is hosted in AWS in our secured private network and leverages many of AWS’s broad range of cloud services.
Teachers have visibility into student-specific information via the application dashboards, reports or other features and can respond to parents who request access to their child’s records. Beable will support the teachers or other NYCDOE staff in responding to parent requests for data as necessary.
Administrative, technical and physical safeguards have been implemented to protect the security, confidentiality, and integrity of PII in its custody as summarized below:
- Administrative – Beable maintains user registration information within our AWS secure private network and limits accessibility to such information to only those few employees that have special access rights to production systems. Security training is conducted annually.
- Technical – Application is developed following Secure Coding Standards established for the team. Access decisions are based on the principle of least privilege meaning a user only has access and privileges which are essential to perform their intended function. Password requirements are strong and utilize multi-factor authentication. Data is encrypted in-transit and at rest and transmitted by Secure Socket Layer (SSL) technology. Workstations are hardened, patched and hard drives are encrypted. In addition to leveraging High Availability, redundancy and resiliency of AWS services, backups of all relevant systems are performed and the restore process is periodically tested. Records of change are maintained via audit logs. Penetration testing and security audits are run frequently and are a necessary part of Beable’s security posture.
- Physical – Beable’s solutions are hosted in the Cloud at AWS. All customer PII is stored within our AWS secured private network.
Beable is committed to comply with all state, federal, and local data security and privacy laws, and NYCDOE Information Security Requirements for vendors.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Beam Center
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/15/2022 – 7/14/2027
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Beam Center school partnerships combine professional learning opportunities for teachers with a wide range of direct services for students. Professional learning and DSS are woven together in a way that reaches students immediately and builds long-lasting skills for teachers.
- Fundamentals Projects are projects designed by Beam Center staff with the purpose of introducing students and teachers to basic skills in one or more making disciplines such as woodworking, programming, electronics, and digital fabrication skills.
- In-Class Collaborative Projects are co-designed by teachers from our 29 partner schools and Beam Center Project Designers for implementation in classrooms.
- PROFESSIONAL DEVELOPMENT
- Custom Project Development is a professional learning opportunity for teachers and administrators from Beam Center’s 29 partner schools. In this program, Beam Center Project Designers introduce educators to our practice of hands-on project design as well as various technical making disciplines. With guidance from our staff, teachers collaborate to design a custom project for their classroom that is aligned to the learning goals, standards, and/or curriculum that educators are working with in their classrooms. Educators produce project plans, materials lists, and day-by-day schedules for the collaborative projects that they design. Participants in this program spend 12-18 hours total on this process; these hours are eligible for CTLE requirements.
- Beam Center receives Student PII (names only) for the purposes of invoicing schools. We receive Teacher PII (names only) for the purposes of PD attendance sheets and for certifying CTLE credit.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Beam Center currently stores all student digital information (name, phone number, email address) on Google Suite documents that are accessible by only a restricted number of personnel directly responsible for managing the program covered by this contract, trained on DOE’s and Beam Center’s privacy and security policies and protected by secure passwords that are updated every 90 days. Beam Center does not collect student Social Security Numbers or OSIS numbers. If a school inadvertently shares OSIS numbers with Beam Center the documents are shredded or hard-deleted from digital storage. At this time, Beam Center uses no proprietary or in-house developed software applications or databases to manage participant data and if ever should do so, it will be developed to meet industry standards and best practices for security and privacy.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Bedford, Freeman & Worth Publishing Group
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Achieve is our next generation online learning platform. Achieve will replace LaunchPad and SaplingPlus as our single courseware solution for new and existing products for Fall 2024. Achieve is a one-stop shop where students can easily:
- Find their mobile-friendly and fully accessible e-book
- Increase their understanding with ready-made quizzes
- Complete online homework or exams
- And finally, monitor their progress with the included gradebook
In Achieve, students can stay organized and on schedule with a user-friendly interface that is as powerful as it is intuitive. All of this easily integrates with a school’s LMS or rostering system for a seamless classroom experience.
BFW is committed to protecting the privacy and security of all PII that we process as a “data processor” or “service provider” to your school in order to provide the services to you and your school pursuant to applicable laws. The data we collect includes Student Name, Student Email Address, Teacher’s Name, Student Scheduled Courses, Student ID Number, Student Username, Student Password, Student responses to surveys/questionnaires, Student generated content, Student course grades and performance scores. If you use our products and platform in your courses at your school, we only use your PII as needed to provide the agreed upon services and for educational purposes only.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. BFW will:
- Continue to be SOC 2 certified.
- Store PII on servers in a secured facility in the US operated by Amazon Web Services (AWS).
- Use infrastructure built on industry-tested technology and security practices.
- Take measures aligned with industry best practices and NIST Cybersecurity Framework Version 1.1. These measures include, but are not limited to disk encryption, file encryption, firewalls and password protection.
- Store all data in a password protected database with strong password requirements.
- Run periodic penetration tests, then log and resolve discovered issues.
- Limit access to PII and application data to people who require access in the performance of their role in providing the service.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
BeeReaders
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. BeeReaders is engaged in providing an educational platform designed to enhance Spanish literacy skills among students. The platform utilizes Personal Identifiable Information (PII) primarily for creating personalized learning experiences, tracking student progress, and tailoring the content to meet individual learning needs. The purpose of accessing PII is to ensure the effectiveness of the educational services, facilitate progress monitoring, and support the educational goals of the schools or districts using the service.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. BeeReaders ensures the protection of PII through robust administrative, technical, and physical safeguards. Administrative measures include strict data access controls, policies and procedures, an incident response plan, and regular staff training on data privacy. Technically, data is protected through regular monitoring and review of logs provided by AWS and Google Cloud to quickly detect and respond to suspicious activities; multi-factor authentication (MFA) for accessing cloud services, ensuring that only authorized users can access sensitive data and critical infrastructure; end-to-end encryption for data at rest and in transit, using AWS and Google’s encryption capabilities to safeguard data against interception and unauthorized access; and regular vulnerability assessments and penetration testing to identify and remediate security vulnerabilities within your applications and infrastructure. These safeguards collectively mitigate risks, ensuring data integrity and confidentiality while maintaining a security posture that adapts to evolving threats without disclosing specific vulnerabilities.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Behavior Analysts
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 8/1/2022 – 7/31/2027
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Receiving access to PII as part of a commercial relationship wherein Vendor’s product provides the ABLLS-R Assessment for use by the NYC DOE.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Entity utilizes administrative, technical, and physical safeguards that are aligned with industry best practices to ensure the integrity and security of PII. Administrative safeguards include written policies and procedures, and training programs that ensure employees and contractors are properly prepared and understand their obligations in handling PII, as well as employee background screenings. Additionally, Entity leverages Amazon Web Services (AWS) Cloud Infrastructure to ensure the physical security of PII, while implementing technical safeguards, including full encryption of PII in rest and in transit, in this secure environment. Collectively, these policies and procedures allow Entity to mitigate data privacy and security risks.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Benchmark Education Company
The exclusive purposes for which Protected Information will be used: Benchmark Education Company collects personally identifiable information about you when you specifically and knowingly provide such information. For example, when you register, we collect such information as your name, email address, professional title, and school information. We use this information to customize the Site for your locale and to provide more relevant services. We may use the information that you provide when you register for Benchmark Universe to create your account. This allows your employees and students to log in, create a classroom within the product, and assign lessons to students.
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Benchmark Education employees that are responsible for the onboarding and record-maintenance on behalf of school clients undergo privacy and security training (FERPA, COPA), and sign a binding non-disclosure agreement.
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: We do not retain your personal information for longer than is necessary to provide you with the features and services you have requested. When you request an account be deleted, we remove the data from our servers. At expiration or termination of an agreement, we remove data within 6 months from the termination date. At any time, you may request that we permanently delete personal information immediately by emailing us at techsupport@benchmarkeducation.com.
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor.
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All student data collected for Benchmark Universe is stored and backed up in Amazon Web Services (AWS). All AWS servers are located inside the United States. Benchmark Education follows industry best practices for network and physical security. All data is encrypted in transit and at rest.
How the data will be encrypted (described in such a manner as to protect data security): Pupil records are transferred to Benchmark Education via OAuth 2.0 over SSL encryption. Pupil records are stored (data at rest) in a secure AWS environment and are encrypted. Benchmark Education utilizes standard SSL encryption and authentication mechanisms with sha256RSA signature algorithms, sha256 signature hash algorithms, and RSA (2048-bit) public keys.
- Server authentication (1.3.6.1.5.5.7.3.1)
- Client authentication (1.3.6.1.5.5.7.3.2)
Big Ideas Learning (for Myadamath.com)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Myadamath.com provides access to content, assignment features, and reporting features for students, teachers, and/or building leaders at myadamath.com for Grades Kindergarten-12th grade core mathematics.
Students can view curriculum content from Big Ideas Learning’s Math & YOU textbook program, complete practice activities, use math tools, and take quizzes and tests assigned by the teacher. While students can work independently for short periods, myadamath.com is designed for use as part of daily curriculum delivery under teacher supervision.
Teachers can assign practice activities, quizzes, and tests. Teachers can also view those results in reports. Student PII is used to create student accounts, to allow teachers and admins to identify students within classes while viewing reports, and to allow teachers to assign activities, quizzes, and tests.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE's option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Access to student information is limited to necessary personnel only. Yearly data privacy training must be completed before access is allowed. Access to databases is restricted through password protection which must be reset on a regular basis. Access is granted through a least privilege approach. PII is stored only where needed to serve users in Production environments. Data is only retained as long as required by law and/or legal agreement. Data is stored encrypted at rest and in transit in databases located in the United States in a secure datacenter. The minimum amount of data required to support the application is collected.
Application development is strictly controlled using version control, build/test/deploy controls, and vulnerability scanning against the code base, among other actions and tools.
Big Ideas Learning has explicit plans for business continuity and incident response with yearly reviews and implementation exercises to check readiness. Penetration testing is completed yearly by a third party.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Big Picture Learning (for ImBlaze)
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/1/2023 – 6/30/2025
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ImBlaze is a SaaS that enables schools to manage and grow their Work Based Learning programs. Educators can curate a database of internship opportunities, present these or pair these to students, and then students can use ImBlaze to log attendance at their internship site. Schools can also track and monitor internship compliance paperwork. PII is used to create user accounts for students, educators and mentors so that student users can explore school-curated internship opportunities and log attendance. PII is also used to facilitate communication, as required, between educators, mentors and students.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. BPL/ImBlaze has comprehensive policies and procedures in place that mirror best practices for data security and privacy. BPL implements access control measures, including role-based access controls that limit access to PII to those required to have it, strong authentication mechanisms, and permissions settings to ensure that only authorized personnel can access PII. BPL includes technical safeguards like data encryption, network security controls, application security measures and secure development practices to protect the confidentiality and integrity of PII.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Bloomz
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Bloomz is the unified parent-teacher communication app that increases parental engagement by connecting everyone with one easy-to-use tool. Bloomz handles ALL district, school, teacher, parent, student communication. Bloomz supports and translates into 109 different languages. Bloomz is a time saver for admins, a valuable tool for teachers, increases engagement and work ethic among students, and helps parents of all backgrounds engage in their children's education. Bloomz uses the core PII information in the following ways:
- PII is used to map relationships of and allow for communication between parents, students and staff for a specific class i.e. math for educational purposes for progress reports, homework or additional support required from a teacher/counselor. PII may also be used for attendance and grade support.
- Client data is handled with utmost care at Bloomz. Data is secured through role-based access. Data encryption is in place for data at rest and in motion. All the backups are encrypted by mongo and data in motion is secured through TLS based encryption. Within the application data security is ensured through role-based access restrictions and all the user passwords are stored encrypted. Customer data is never stored locally, and production access is restricted to staff with explicit approvals.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud and AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Bloomz employs a combination of administrative, technical, and physical safeguards to protect Personally Identifiable Information (PII) and mitigate data privacy and security risks. While I'll provide a general overview without compromising security, specific details are intentionally excluded to maintain the integrity of Bloomz' security practices and protocols.
Administrative Safeguards:
- Bloomz has established strict access controls and role-based permissions to ensure that only authorized personnel have access to PII.
- FERPA and COPPA compliance.
- Regular training and awareness programs are conducted to educate employees about data privacy and security best practices.
Technical Safeguards:
- Bloomz utilizes encryption protocols (TLS/SSL) to secure data during transmission, preventing unauthorized interception.
- PII is stored in encrypted format to prevent unauthorized access even if data storage is compromised.
- Firewalls, intrusion detection systems, and advanced threat detection mechanisms are implemented to safeguard against cyber threats.
Physical Safeguards:
- Cloud-Based Security:
  - Data is entered into a password-protected cloud-based database that adheres to current industry standards for data security and privacy.
- Access Control:
  - Access to Protected Information is restricted to a minimal number of authorized personnel who have a legitimate need for such access.
  - Multi-tiered authorization is implemented for accessing cloud-based service logs, ensuring that only authorized personnel can view sensitive logs.
- Confidentiality Agreements:
  - All personnel with access to Protected Information are required to sign confidentiality agreements to ensure they understand their responsibilities for maintaining data confidentiality.
- Personnel Training:
  - Employees receive training on data security, privacy policies, and best practices to ensure they handle Protected Information appropriately.
- Regular Audits and Monitoring:
  - Regular audits are conducted to monitor data access and usage to detect any unauthorized or suspicious activities.
  - Logs of system access and changes are regularly reviewed for anomalies.
  - Test environments used for development and testing purposes do not contain actual Protected Information, and they operate with separate security keys to prevent accidental exposure of sensitive data.
Data Privacy and Security Risk Mitigation:
- Bloomz conducts regular risk assessments and vulnerability assessments to identify potential weaknesses in its systems.
- Ongoing monitoring and analysis of network traffic and system logs enable rapid detection of any unusual or suspicious activities.
- Incident response plans are in place to ensure swift and effective actions in the event of a security incident or breach.
While the above description outlines Bloomz' general approach to safeguarding PII and mitigating data privacy and security risks, specific details and methodologies are withheld to ensure that disclosure doesn't compromise the effectiveness of these security measures. Bloomz remains committed to maintaining a robust security posture while respecting the confidentiality of its security practices and protocols.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Blue Engine
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Blue Engine utilizes monthly data cycles to ensure the co-teaching model is being effectively implemented. We work with the district or school-based instructional coaches to embed effective co-teaching practices, approaches, and mindsets within coaches and teams of teachers. The student data collected (listed below) is used to measure student progress and allows Blue Engine staff to effectively support teachers in using data and facilitate data reviews with school administrators:
- Rosters for each classroom receiving services which list student names and ID
- Student standardized assessment scores/results
- Student demographics including grade level, gender, race/ethnicity, ELLs, and SPED status
- Student experience surveys
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. QuestionPro for secure uploads and Google Suite Spreadsheet for analysis.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Blue Engine uses Google’s G Suite for email and data storage. All student data will be maintained on the encrypted Google server in the US. Staff are only able to access the server using their organization accounts. All staff devices are password protected and only to be accessed by them. Two-factor authentication is required for all staff accounts. Student Data may only be shared with individuals within the Blue Engine account.
Blue Engine will respond to data privacy and security incidents in accordance with the following steps:
- Employees must report suspected incidents that threaten the confidentiality, integrity or availability of Blue Engine’s data systems or data to the Vice President of Impact, Learning & Design and their immediate supervisor or manager.
- If a critical incident is verified, the Vice President will convene a meeting with Senior Management.
- Where there has been a breach of Personally Identifiable Information (PII), the CEO will be notified and will coordinate the process of compliance with notification requirements.
For purposes of this policy, a breach means the unauthorized acquisition, access, use, or disclosure of student, teacher or principal PII as defined by Education Law §2-d, or any Blue Engine sensitive or confidential data or a data system that stores that data, by or to a person not authorized to acquire, access, use, or receive the data. Blue Engine will comply with legal requirements that pertain to the notification of individuals affected by a breach or unauthorized disclosure of personally identifiable information.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
bNapkin (also called School4One)
The exclusive purposes for which Protected Information will be used: The student data or teacher or principal data (collectively, “the Data”) received by The Vendor will be used exclusively with the purpose of distributing content to students, gathering evaluation data from students, distributing teacher feedback to students, providing data visualization to administrators in The School District.
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: The Vendor will ensure that all subcontractors and other authorized persons or entities to whom student data or teacher or principal data will be disclosed will abide by all applicable data protection and security requirements, including those mandated by New York State and federal laws and regulations, by not providing them with private data provided by The School District.
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon termination of the Original Agreement, The Vendor will extract all data associated with the School District and deliver an archive including the database table content, table description, and associated files. This archive will be delivered by means preferred by The School District. All database records and files associated with the School District will be deleted from the production master database and all its replicas.
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. A parent, student, teacher or principal can challenge the accuracy of the Data received by The Vendor by contacting support@school4one.com. An audit of the challenge will be executed, and a report, accompanied with the raw data, will be produced within 14 days from the request.
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Refer above to Attachment B.
[The following is an excerpt from the vendor’s Data Privacy and Security Plan: “The School4One platform is hosted by one or more leading public cloud providers which operate data centers that are state of the art, utilizing innovative architectural and engineering approaches. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. Office Security Access to School4One’s offices in New York is controlled 24 hours a day by electronic key access. Building access is monitored 24 hours a day with staffed security during normal office operating hours. Remote Work Security Access to School4One’s servers and hosting services is controlled by a two-factor authentication, and only accessible using a secure VPN.”]
How the data will be encrypted (described in such a manner as to protect data security): Refer above to Attachment B.
[The following is an excerpt from the vendor’s Data Privacy and Security Plan: “AES-256 encryption is used for data at rest and stored in the DB.”]
Boddle Learning
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 3/18/2024 – 3/17/2027.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Boddle is a K-6 platform used as a supplement to address deficiencies in student abilities in math and ELA. Boddle personalizes student profiles to provide them with targeted support in identified areas of weakness, collects data to provide insight to teachers, and aligns with New York State Next Generation Learning Standards.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. To protect Personally Identifiable Information (PII), we have established a multi-layered security approach that includes the following measures.
- Administrative Safeguards:
  - Regular training sessions are conducted for all executive-level staff to ensure they are aware of cybersecurity best practices and compliance requirements.
  - Our Chief Technology Officer (CTO) oversees and ensures the implementation of all PII protection policies.
- Operational Safeguards:
  - We have a data disposal policy that dictates the secure deletion of digital assets containing PII, aligning with the specific requirements of the applicable school district.
  - Routine internal audits and reviews of our data protection practices are performed to ensure operational adherence to our security protocols.
- Technical Safeguards:
  - Network segmentation is managed by our CTO to isolate and secure servers containing sensitive information.
  - Multi-Factor Authentication (MFA) is mandatory for accessing financial accounts and crucial IT network accounts to prevent unauthorized access.
  - Encryption is applied to all data at rest to protect PII from potential breaches.
  - Data in transit is safeguarded through robust encryption protocols, ensuring PII is secure during transmission.
  - We employ advanced server-side systems to provide denial-of-service attack protection and continuous monitoring for malicious activities, ensuring that threats are detected and mitigated promptly.
These safeguards are systematically reviewed and updated to adapt to emerging threats and to align with industry standards and regulatory requirements.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Boom Learning
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Boom Cards are used as digital learning resources. Schools use Boom Cards to support learning and intervention. Educators who elect to collect Student Data will collect student performance data (correct/incorrect answers and time to answer) which is associated with a username, which may be pseudonymous. The purpose of the data collection is to evaluate student progress towards mastery.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., MongoDB on AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity of a data breach, Boom Learning has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed by exposure of the User Data to unauthorized persons. Safeguards include:
- Privacy and Security by Design
- Data Minimization
- Data Deletion Practices
- Adoption of the NIST Cybersecurity Framework
- Need-to-know access
- Annual or more frequent training for employees and vendors
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Brainfuse
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 7/1/2024 – 6/30/20209.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Brainfuse is a high-quality tutoring provider for K-12 students. Brainfuse tutoring services are structured with research-backed practices to increase student learning gains and the overall efficacy of the tutoring program. Brainfuse provides live tutoring in one-on-one and small group settings, virtually or in-person, for K-12 schools. Brainfuse offers live tutoring support in all core subjects and can provide services to students of all skill levels. Brainfuse will provide high-impact tutoring for students with the following dosage:
- 3 small group (up to 4 students) tutoring sessions per week, based on a personalized learning plan targeting student needs
- 30 to 35-minute tutoring sessions, for a total of 90 to 105 minutes of tutoring per week
- 12-week program, for a total of 36 tutoring sessions and 18 to 21 hours of tutoring
The Brainfuse application includes the following titles:
- HelpNow: HelpNow provides students and teachers a platform to access content, track progress, and provide feedback.
- BoostHDT: BoostHDT provides students and teachers with a dashboard to track their scheduled tutoring sessions, access content, monitor program progress, and provide feedback.
- Flashbulb: Flashbulb provides an innovative study tool that enables students to easily create or share flashcards or access library flashcards. Each flashcard set can be converted into various study options, including study tables, games, quizzes, and more.
- Whiteboard: Our proprietary whiteboard provides students with a work environment for homework and questions on their tablet, laptop, or desktop computer using intuitive and powerful tools, including a graphing calculator, file/image editor, and more. The whiteboard is automatically recorded, allowing students to rewatch their previous work in a format that maintains the order of the steps completed.
- LEAP: LEAP offers unlimited access to online assessments to help students identify strengths and weaknesses in various academic skills. Our system automatically generates a unique learning plan based on the student’s performance to help them develop academic skills and monitor their progress as they work towards mastery.
- SkillSurfer: SkillSurfer contains hundreds of lessons, captioned videos, and practice tests in core academic subjects to encourage student-guided review and strengthen skills. These lessons, videos, and practice tests are aligned with New York State Next Generation Learning Standards.
- eParachute: eParachute provides a self-discovery tool to help students identify academic majors and career options that are well-suited to their self-selected skills and interests.
PII is used to provision user accounts for access to Brainfuse, which enables scheduling student tutoring sessions, tracking attendance, monitoring progress, adjusting individual learning plans, reviewing tutoring session notes, and accessing all titles noted above.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Evoque Cyxtera.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- External Soft Threats: Brainfuse utilizes a multi-layered approach to ensure the confidentiality of student information. Brainfuse follows strict standards to ensure that the software does not have open venues for hackers. Our network undergoes various penetration and application testing to ensure that no security issues would allow hackers to get into the network. The Brainfuse application is protected by a gateway firewall and IPS software to ensure intrusions are automatically detected and blocked.
- Physical Security: Brainfuse physical security at the production level is handled by our hosting facility. Biometrics and identity verification are required before access to the facility is granted. All information is encrypted, and we adhere to a strict media destruction protocol to ensure data security. Internally, Brainfuse employees must adhere to the IT Information Security Policy, which mandates best practices in security.
- Internal Soft Threats: Brainfuse utilizes a “need to know” approach. All Brainfuse vendors and employees have access only to the information they need to perform their duties. Additionally, all employees and vendors must adhere to password, antivirus, and antispam requirement policies, as indicated in the Information Security Policy.
- Authorization of Third-Party Access To / Use of Data: Brainfuse never authorizes third parties to access user data.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
BrainPOP LLC
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. BrainPOP is an online educational product for K-12 students. Animated movies, interactive learning activities, and educational games allow students to explore concepts through numerous modalities and participate actively in their learning. Activities like Make-a-Movie and Make-a-Map help students grow from content consumers to content creators, building critical higher-order thinking skills across the curriculum and adding to their academic portfolios. In addition, playful formative assessments inside and outside movies provide teachers with actionable insights to track students' growth and performance.
Our standards-aligned topics cover academic subjects, which include English Language Arts (ELA), Social Studies, Science, Math, Engineering & Tech, Health, Arts & Music.
Teacher and Student data is collected for the purposes of creating individual accounts to track student learning.
Teacher names and emails are collected for the purposes of creating “classrooms” to track student learning. Emails are used to send product use recommendations and product updates, password recovery information, effectiveness and efficacy data.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Servers are located in a secure, locked and monitored environment to prevent unauthorized entry or theft and are protected by a firewall. We apply Secure Sockets Layer (SSL or HTTPS) encryption technology so that data in transit between the server and the browser remains encrypted. We also encrypt data at rest. Governance policies and access controls are in place to ensure that the information of the BOE is separated and all subscribers can only access their own data. Only limited personnel have access to the data and can only access it when necessary to provide the services. Personnel pass criminal background checks and undergo periodic privacy training. We follow standardized and documented procedures for coding, configuration management, patch installation and change management for all applicable services, and we have a third party audit our practices at least once a year.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Braintrust Tutors
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We provide live, synchronous, high dosage academic tutoring services for students in Grades K-12, either one-on-one or in small groups of 2-4 students, both in person and online, primarily focused on accelerating foundational reading and math skills. We collect limited student PII in connection with the delivery of our services, including student name, email, and grade.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and Pencil Spaces.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Braintrust Tutors limits the collection of personally identifiable information ("Student PII") to ensure the privacy and protection of each student we serve. Braintrust Tutors stores Student PII in databases and on servers powered by Amazon Web Services ("AWS"), one of the leading and most secure cloud computing environments, behind multiple layers of electronic safeguards. Braintrust Tutors protects Student PII in the course of business through various means, including by implementing secure user authentication protocols, secure and limited access control measures, data encryption on public networks, and more. Braintrust Tutors restricts access to NYCDOE Student PII other than to NYCDOE, and Braintrust Tutors employs various encryption techniques for NYCDOE Student PII provided to NYCDOE (e.g., password protection, exclusion of student last names, etc.).
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Branching Minds
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Branching Minds Platform (the “Platform”) is a web application for use by teachers and administrators. The Platform supports all aspects of a district’s Multi-Tiered System of Supports intervention work and system. The Platform helps teachers follow the best practices of problem-solving work efficiently, effectively, and collaboratively from the start, saving time and effort while improving outcomes for all students.
PII collected on the Platform is used solely:
- To provide contracted educational services. For example, the Platform collects information about a student’s English language proficiency in order to determine the best learning interventions to recommend for that student.
- To conduct statistical research. Any data used for this purpose is de-identified (made anonymous by removing all personally identifiable information). This research helps us evaluate the effectiveness of the Platform and improve our product.
- For compliance and protection reasons. We may need to use data to comply with applicable laws and our internal policies.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All information collected on the platform, including Student Personally Identifiable Information, is safeguarded through administrative, operational and technical safeguards around the AICPA Trust Service Principle Security as part of the System and Organization Controls (SOC) 2 Report, under the direction of a dedicated Director of Security Operations. Safeguards include:
- Software Security: We implement privacy and security practices which are compliant with FERPA and COPPA. Our Districts and their users, however, must use secure practices to help achieve comprehensive protection of student personal information as well.
- Data encryption: We encrypt personal information in transit and at rest.
- File transfer protocol: We use File Transfer Protocol (FTP) over a secure (SSL/TLS) cryptographic protocol to transfer personal information.
- Firewalls: We utilize stateful firewalls, network access control lists, subnetting and virtual private cloud networks to segment and protect our information resources.
- Proactive Defense: We utilize antivirus software, intelligent threat detection, and enhanced detection and response software to protect our systems. Policies prevent users from disabling antivirus and enhanced detection & response software on company computers.
- Data storage provider: We store all our data and host the Platform at off-site facilities which are managed by Amazon Web Services (AWS) at their United States data centers. AWS secures our data using a variety of measures, including: (a) housing the data centers in nondescript facilities; (b) strictly controlling physical access both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means; (c) requiring authorized staff to pass two-factor authentication a minimum of two times to access data center floors; (d) requiring all visitors and contractors to present identification, sign in, and be continually escorted by authorized staff; (e) limiting access and information to employees and contractors who have a legitimate business need for such privileges; (f) revoking access privileges when an employee no longer has a business need for these privileges; (g) logging and routinely auditing all physical access to data centers by AWS employees; (h) encrypting all access to the information within the Platform stored on these servers; (i) encrypting user passwords; and (j) securing all data stored with AWS behind a firewall.
- Security audits: We conduct internal and third party security audits and code reviews.
- Secure programming practices: Our software developers are aware of secure programming practices and strive to avoid introducing errors in our application (like those identified by OWASP and SANS) that could lead to security breaches.
- Account protection and identity verification: We support account authentication and identity verification exclusively through single sign-on technologies and protocols, such as SAML.
- Facility security: Our facilities are located in the continental United States. Physical access to our facilities is protected by electronic access devices, with monitored security and fire/smoke alarm systems.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Breakout
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Breakout EDU Educational Gaming Platform and Kits. Our online platform intended for teachers and students will provide access to academic and teambuilding games designed for learners of all ages. We also sell the Breakout EDU Kit which provides tools which teachers can use in conjunction with our digital platform to turn their classroom into immersive learning centers. We only collect basic PII (student first name and last initial, password, username (non-email), email for teachers, email is only gathered for students if an SSO option is used such as Google Classroom) necessary in order to deliver the service.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. At Rest, all data is stored on secure AWS RDS instances and S3 buckets. Passwords are stored using MD5 and all tokens are stored using AES-256-CBC. There is no way of accessing the data without the encrypted key.
In Motion, all data is sent over internal APIs using HTTPS. It is decrypted on the application backend and is only sent when authorized via token. In addition, any employee with access to any database has undergone both a background check and cyber security training to ensure proper handling of all data. We also have the entire site security checked each year to ensure any risks are mitigated.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Broadway for Arts Education
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Broadway for Arts Education provides arts education programming for the purposes of developing social-emotional skills and technical skills in the performing arts. The services include in school and after school instruction in dance, music, theater, and visual art, employing the tenets of project-based learning, and producing events for the school community. Broadway for Arts Education collects data to evaluate how its program services affect attendance/engagement rates, general attitudes towards school, family engagement, skill development progression, social emotional development progression. It is necessary to track PII to compare data year-over-year on a student, class, school, and district level.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Drive and Salesforce.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Our staff interact with students/DOE staff/parents at this site, and are trained to not disclose any PII information, but to refer any requestor (parent or eligible student) to a trained & authorized administrator for access to any PII as required by FERPA. All PII is stored in a password protected, encrypted database, inaccessible to unauthorized personnel. PII can only be accessed from a computer that is password protected and located in an office that is locked to the public and monitored by a security camera. PII is only accessed on devices using networks that are protected by a firewall, and databases are protected with multifactor authentication and only accessed on browsers that always use secure connections. Authorized administrators are trained on these policies and procedures. All staff must sign Child Protection Policies (a policy document developed by the Processor), which forbid unauthorized staff members from collecting, accessing, or disclosing any PII. We will provide training to all employees to help them understand their responsibilities when handling data.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
BronxWorks
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. BronxWorks provides services to the DOE as part of the community schools, Learn-to-Work, and early childhood learning centers programs. In order to provide these services, BronxWorks’ access to PII is necessary for the following purposes:
- Enrollment of students into BronxWorks programs;
- Supports to improve school attendance such as attendance monitoring, calls to students, home visits, regular attendance meetings with students, provision of incentives, referrals to additional services, and parent engagement activities;
- Career counseling, academic advising, college readiness supports, and assistance with applications to colleges or trade schools;
- Operational supports to the school such as hallway patrol, attendance at administration meetings with school staff, in-classroom assistance;
- Connecting students with internship opportunities at external employers, and paying students for internship work using program funds;
- Provision of wrap-around services to help students overcome barriers that have posed challenges in traditional school settings; and
- The provision of full-day childcare and pre-school education serving children ages 3 – 5 years old, with a heavy emphasis on age-appropriate learning and social skills development to prepare children for elementary school.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft 365/Sharepoint, Salesforce, ADP.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. To ensure the protection of student PII and mitigate data privacy and security risks, BronxWorks has implemented a comprehensive set of administrative, technical, and physical safeguards, including those listed below.
Administrative Safeguards:
- Data Access Controls: BronxWorks has implemented strict access controls to limit access to PII only to authorized personnel. This includes unique user accounts, role-based access privileges, and two-factor authentication.
- Data Minimization and Anonymization: BronxWorks follows the principle of data minimization, where only the necessary minimum PII is collected and retained.
- Privacy Policies and Procedures: BronxWorks has documented privacy policies and procedures that outline how PII may be accessed, used, stored, and transmitted.
- Employee Training and Awareness: BronxWorks conducts regular cybersecurity training sessions and awareness programs to educate employees about data privacy and security practices.
- Regular Risk Assessments: BronxWorks conducts periodic risk assessments to identify potential vulnerabilities and threats to PII. These assessments help in proactively addressing any security gaps and implementing necessary controls.
Technical Safeguards:
- Encryption: BronxWorks encrypts PII during storage and transmission. This ensures that even if unauthorized access occurs, the data remains unreadable and unusable.
- Firewalls and Intrusion Detection Systems: BronxWorks employs firewalls to safeguard its network infrastructure from unauthorized access. Intrusion detection systems are also employed to identify and respond to any suspicious activities in real-time.
- Continuous Monitoring: BronxWorks employs monitoring and intrusion-prevention tools and technologies to detect and thwart any unusual activities or security breaches. Real-time monitoring enables timely response and remediation of any potential threats.
Physical Safeguards:
- Device Security: BronxWorks ensures that all devices used for processing and storing PII, such as servers, laptops, and mobile devices, are protected with appropriate security measures, including encryption, authentication requirements, and regular security updates.
- Physical Files: Physical files containing PII are stored in locked file cabinets and in offices that are locked when not in use.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Brooklyn Bureau of Community Service (also called Brooklyn Community Services)
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: Extension is from 7/1/2023 – 6/30/2025
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The LTW program provides student support, guidance, evaluation, assessment, and planning. As such, the program needs to be able to access PII for the purposes of registration and enrollment, attendance and other tracking, communication, and associated needs.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Apricot 360.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We will follow our HIPAA and DOE’s guideline policies and procedures to safeguard the data. We do not store student data in Google Drive. We use HTTPS to connect to our data. We use a secure VPN to access data. All computers and laptops are encrypted. All documents are sent encrypted with strong passwords.
Student PII collected by LTW on enrollment is:
- State or school ID
- Social security card and/or number
- Birth certificate
- Tax information, financial information (i.e. for direct deposit)
- Address and contact information
Student information collected during the course of student time with the program:
- Grades and academic status
- Interaction and case notes
- Medical information in select cases, e.g. a doctor's note to excuse absence
- Timesheets and attendance
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Brooklyn Center for Psychotherapy
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Brooklyn Center is currently in three high schools providing Mental Health expertise to the PIP school contract. While present in the schools, there are conversations that occur between the DOE staff and BCP staff. Information is shared on students that will be referred for treatment or those in crisis.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Every user that has been screened and allowed access must also use MFA security (Multi-Factor Authorization) to gain access to the data and email environment. The MFA utilizes the Microsoft Authentication security package. Only approved employees with the proper security clearance and MFA setup are allowed access. The Processor will manage data security and privacy incidents that implicate Protected Information by preventing removal, download, and data transfers. All data is locked down for access in the secure environment. Unexpected data movement is monitored, and alerts are set for immediate action if a breach, hack, or unauthorized access has occurred. This information, once verified, is immediately reported to appropriate personnel and authorities and if appropriate to NYC DOE.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Brooklyn College Community Partnership
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/1/2022 – 6/30/2027
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Community schools collaborate with Lead Community-Based Organization (CBO) partners to create welcoming, supportive environments that help students navigate barriers and build on strengths so that every student can thrive academically, socially, and emotionally.
Community School Lead CBOs use student level data to ensure the right students are getting the right services at the right time. Through collaborative leadership between schools and CBOs, the information is utilized to support family engagement, expanded learning time and wellness and integrated student supports such as mental health services.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Rackspace cloud services provider.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data at rest remain stored under secure conditions at all times. All electronically stored data reside on a password protected area of our server, which is backed up regularly. The server is protected by 15 separate firewalls, and is continually scanned by malware protection software. When in transit, confidential data are encrypted and transferred using a secure File Transfer Protocol (FTP) account. Upon disposal, printed materials are shredded and electronic files are securely deleted.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
buildOn
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 9/1/2023 – 9/1/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. buildOn will work with partnering schools providing year-round specialized service learning programming, including during school breaks and summer vacations. Program activities include in-class service projects, after-school, weekends, school holiday programming, as well as school-wide service days. All programming follows buildOn’s IPARD service-learning framework: Investigation, Preparation, Action, Reflection, and Demonstration.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. buildOn implements and maintains reasonable physical, administrative, and technical safeguards designed to safeguard PII in accordance with applicable law and the NIST Cybersecurity Framework. These safeguards include asset management, access controls and identity authentication, encryption, personnel training, and least-privilege functionality. buildOn engages in a risk assessment in accordance with the NIST Cybersecurity Framework to identify areas of improvement to improve its security posture to ensure PII is adequately protected. buildOn also maintains a written information security program and incident response plan to provide clear guidance to personnel.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Business U
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. BusinessU is a standards-based curriculum platform with full-year high school business courses, which is designed to be used in-classroom by teachers, for/with students. While not required to use BusinessU, PII is used to enable the use of our LMS integrations, which allows teachers to roster students, sync assignments, and pass-back grades. It also allows for student single-sign-on, which is easy to use and the most secure method of accessing the BusinessU platform.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS (API Gateway & Lambda, RDS, ElastiCache).
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. BusinessU prioritizes security and privacy. We only collect minimal student information, such as first name, last name, and email address from teachers, with strict limitations. Students cannot provide additional personal information, customize profiles, or upload avatars. Our data is securely stored in AWS RDS, encrypted at rest and during transit, within a VPC, and not publicly accessible online. We use a multi-tenant database model with strict permissions to safeguard data. Data access is controlled via temporary credentials and restricted to our engineering team. Authentication is handled via SSO with Google Workspace, ensuring robust security measures. We maintain staging environments for testing, scrubbing customer data before use. Background checks are conducted for personnel with administrative access. PII data is processed internally for generating reports, and some data is double-encrypted with regular key rotation. All BusinessU employees use 2FA for their Google Workspace accounts. Passwords are securely hashed, and sessions are protected with JWTs. User authorization follows a strict ownership-based model, with no cached permissions. Users can log out and are not allowed to share accounts. All credentials and customer data are encrypted in transit and at rest.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
CAMBA, Inc (Community Schools)
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term:
- PS 306 and PS 1998: 7/1/2021 – 6/30/2024
- Forsyth Satellite Academy: 7/1/2022 – 6/30/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.
PS 306 and PS 1998: CAMBA’s Community Schools program helps students succeed by offering academic enrichment, along with programs to improve school culture, engage families, and connect students with other nonprofit and public support services to ensure their success. In order to assist these students, CAMBA collects PII to better understand student needs, to stay in contact with the student, and to track outcomes of CAMBA’s work. CAMBA uses the collected data to provide academic and student support, social and educational development, middle school advising and preparation, skills development, and alumni services. CAMBA also uses the data to conduct follow up with graduates after graduation to assist them in maintaining their continuing success, and provides DOE with historical information on outcomes to further improve the on-going services.
Forsyth Satellite Academy: CAMBA’s Community Schools program helps students succeed by offering academic enrichment, along with programs to improve school culture, engage families, and connect students with other nonprofit and public support services to ensure their success. In order to assist these students, CAMBA collects PII to better understand student needs, to stay in contact with the student, and to track outcomes of CAMBA’s work. CAMBA uses the collected data to provide academic and student support, career and educational development, college advising and preparation, work preparation, skills development, alumni services, and paid internships. CAMBA also uses the data to conduct follow up with graduates after graduation to assist them in maintaining their continuing success, and provides DOE with historical information on outcomes to further improve the on-going services.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
If granted permission by DOE, CAMBA will remove any identifiers from student data making it no longer PII, and maintain the de-identified data in order to continue reporting on historic outcomes and tracking outcomes for improvement of on-going services.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Eccovia Solutions, Inc, and using an Entity-owned and/or internally-hosted solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CAMBA’s policies are designed to ensure that PII is protected. All student files are maintained in locked filing cabinets in the program offices. Access to student files and information is limited to staff with a need to have such access. Electronic PII is kept in a secure database that is segregated from CAMBA’s agency-wide client management system, and only staff with specific permission can have access to information in the database. Mandatory training is provided to all staff on the requirements and importance of the agency’s confidentiality policy. Student information, records, and data are not disclosed by CAMBA to any person, organization, agency, or other entity except as authorized by law or appropriate consents. CAMBA’s database management systems support the creation of user accounts, roles, user group security, and permissions based on programs’ protocols. CAMBA maintains student data confidentiality by creating the specific workgroups and security organizations in database systems. CAMBA practices Universal Precautions/Standard Protocol & Procedures and complies with any and all Federal, State, City, and CAMBA confidentiality, privacy, and security laws. CAMBA uses appropriate safeguards to prevent use or disclosure of the PII and implements administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PII.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
CAMBA, Inc (Learning to Work)
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/1/2023 – 6/30/2025
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CAMBA’s Learning to Work program helps to re-engage students who have dropped out or fallen behind in credits to graduate high school. In order to assist these students, CAMBA collects PII to better understand student needs, to stay in contact with the student, and to track outcomes of CAMBA’s work. CAMBA uses the collected data to provide academic and student support, career and educational development, college advising and preparation, work preparation, skills development, alumni services, and paid internships. CAMBA also uses the data to conduct DOE-directed follow up with graduates a year after graduation to assist them in maintaining their post-secondary plans, and provides DOE with historical information on outcomes to further improve the on-going services.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. If granted permission by DOE, CAMBA will remove any identifiers from student data, making it no longer PII, and maintain the de-identified data in order to continue reporting on historic outcomes and tracking outcomes for improvement of on-going services.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; and using an entity-owned and/or internally hosted solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CAMBA’s policies are designed to ensure that client information is protected. All client files are maintained in locked filing cabinets in the program offices. Access to client files and information is limited to staff with a need to have such access. Electronic information is kept in a secure database that is segregated from CAMBA’s agency-wide client management system, and only staff with specific permissions can have access to information in the database. Mandatory training is provided to all staff on the requirements and importance of the agency’s confidentiality policy. Client information, records, and data are not disclosed by CAMBA to any person, organization, agency, or other entity except as authorized by law. Our database management systems support the creation of user accounts, roles, user group security and permissions based on programs’ protocols. We maintain clients’ data confidentiality by creating the specific workgroups and security organizations in database systems. We practice Universal Precautions/Standard Protocol & Procedures and comply with any and all Federal, State, City and CAMBA confidentiality, privacy, and security laws, specifically including, but not limited to, HIPAA. We use appropriate safeguards to prevent use or disclosure of the PII and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PII.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Canva
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 6/12/2023 – 6/1/2025
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Canva for Education – an online design tool used by students, teachers, and staff to design a wide array of products, including presentations, posters, websites, videos, and much more. The software allows an authorized user to create from scratch or use a library of templates, photos, videos, and other media, through the use of digital design tool elements. Basic user information, including PII such as the user’s first and last name, plus District-issued email address, is required for SAML-based Single Sign On (SSO); allowing the District to centrally control and manage access.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- Measures of pseudonymization and encryption of personal data: Canva encrypts Data transmitted between customers and the Canva application over public networks using TLS 1.2 or higher. Customer Data stored on Canva’s servers is encrypted using AES 256 or stronger.
- Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: Canva has personnel responsible for oversight of security and privacy. It has appointed Heads of Security, Privacy and Data, together with an Information Security Committee that meets quarterly to discuss privacy and security risks managed in its risk registers.
- Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: In order to support availability of the service, Canva utilizes Amazon Web Services (AWS) auto scaling, AWS availability zones, extensive application and infrastructure monitoring, and 24x7 application support rosters. Canva maintains backups of the data stores, including Customer Data, that support the core functionalities of the Canva application. Backups are stored in a location geographically-separated from the primary data storage location. Canva maintains a security incident response capability that includes a documented Personal Data Incident Response Plan for security incidents involving Data. This defines how we contain, respond, assess, communicate incidents, as well as roles and responsibilities of Canva personnel and a requirement for post-incident reviews.
- Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing: Canva engages a specialist third-party security tester to perform an annual penetration test of its application and infrastructure. Canva also employs a third-party application vulnerability scanning service and runs a public bug bounty program.
- Measures for user identification and authorization: Where a Customer’s account contains a password for authentication, Canva stores the password salted and hashed using an industry-standard password hashing function. Canva supports Single Sign On (SSO) integration with a customer identity provider using Security Assertion Markup Language (SAML).
- Measures for the protection of data during transmission: As per item 1, Canva encrypts Data transmitted over public networks between customers and the Canva application using TLS 1.2 or higher.
- Measures for the protection of data during storage: As per item 1, Customer Data stored on Canva’s servers is encrypted using AES 256 or stronger.
- Measures for ensuring physical security of locations at which personal data are processed: The service is hosted and Data is stored within data centers provided by Amazon Web Services (AWS). As such, Canva relies on the physical, environmental and infrastructure controls of AWS. Canva periodically reviews certifications and third-party attestations provided by AWS relating to the effectiveness of its data center controls.
- Measures for ensuring events logging: Canva maintains application and infrastructure security audit logs. Audit logs are analyzed to detect anomalous activity.
- Measures for ensuring system configuration, including default configuration: Canva hardens its server infrastructure using a hardening standard based on a common industry standard. Canva applies security patches to its servers in accordance with its Vulnerability Management Procedure.
- Measures for internal IT and IT security governance and management: Canva staff access to Customer Data is role-based and follows the principle of least privilege. Staff are only provided with sufficient access to Customer Data to be able to discharge their responsibilities effectively. Remote network access to Canva systems requires encrypted communication via secured protocols and use of multi-factor authentication. Canva has established and will maintain procedures for password management for its personnel, designed to ensure passwords are personal to each individual, and inaccessible to unauthorized persons, including at minimum:
- cryptographically protecting passwords when stored in computer systems or in transit over the network;
- altering default passwords from vendors; and
- education on good password practices.
- Staff access to production infrastructure requires multi-factor authentication (MFA). Canva staff are subject to confidentiality obligations and a Personal Data Handling Policy. Canva requires its staff to undergo information security awareness training, both at the commencement of their employment and then annually thereafter. Canva also requires its staff to undergo privacy law training annually (including to comply with COPPA and FERPA in respect of student data). Canva has implemented privacy by design, including but not limited to, privacy impact assessments.
- Measures for certification/assurance of processes and products: Canva will maintain an ISO 27001 certification, undergoing periodic external surveillance and recertification audits to ensure that its Information Security Management System (ISMS) meets the requirements of this standard. Canva will maintain an information security policy that meets the requirements of the ISO 27001 standard, an internal audit program that assesses Canva’s ISMS and information security controls, and a management committee that is responsible for oversight of Canva’s Information Security Management System (ISMS).
- Measures for ensuring data minimization: Canva allows visitors to use certain functionalities of its platform anonymously and minimizes the Data it requires from Customers to only what is necessary to provide the service requested.
- Measures for ensuring data quality: Canva ensures the quality of its data through verification of emails that sign up to the canva.com platform. Canva also allows users to update the information in their accounts themselves or via requests to its customer support function, the Customer Happiness Team.
- Measures for ensuring limited data retention: Canva maintains a Data Retention Policy setting out the retention periods for various types of data based on legal requirements, justified interests of Canva and the purposes of collection.
- Measures for ensuring accountability: Canva has designated local representatives in Europe and the United Kingdom. Canva’s local representative in the European Economic Area is European Data Protection Office (EDPO) with registered address at Avenue Huart Hamoir 71, 1030 Brussels, Belgium. Our local representative in the United Kingdom is European Data Protection Office UK (EDPO UK) with registered address at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom. Data Protection Impact Assessments are carried out for high risk processing activities and Canva maintains records of its processing activities.
- Measures for allowing data portability and ensuring erasure: Canva has an automated process for deleting Customer Data on request within 28 days and enables the download of Customer Data to provide to alternative service providers.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Canvas Institute
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 1/15/2023 – 6/30/2023
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. This program will deliver Compassionate Systems tools and Practices to students including social emotional learning and well-being education/guidance.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Vendor selected “Other: No PII will be stored in a database. Any information such as surveys will not have students’ full name, address or personal information that can compromise their identity.”
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The program is taking place in person. No personal information will be uploaded or stored in any data base. Any surveys that administration will have access to will not have any student identifiers on them that can pose a security risk to the students or the school.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
CAPIT Learning
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CAPIT Reading provides teachers with a lesson plan and a phonics curriculum that teaches students to read and spell. [Information collected: Student first name, last name, username, password, student ID, grade, class, teacher, school, and district.]
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CAPIT collects only the information necessary to deliver its services and ensure students learn to read. This data is never stored on personal devices, never emailed or sent from one user to another, or made accessible to anyone other than those who are directly involved in delivering or aiding in the delivery of student instruction. All data is encrypted and stored on AWS cloud services. All CAPIT employees and subcontractors are made aware of our security and privacy practices and must agree to abide by them.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Carahsoft Technology Corp (reseller of Salesforce)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.
This agreement covers all Salesforce products made available to the Board of Education of New York City [including but not limited to the ECMS project described below].
The New York City (NYC) Department of Education (DOE) provides free, early childhood education for students ages six (6) weeks to four (4) years old enrolled in Pre-K for All, 3-K for All, and Early Learn programs. The Division of Early Childhood Education (DECE) is responsible for making sure programs are providing high-quality early childhood care and education services giving 60,000+ children a strong start in school and in the future.
Currently the Pre-KIDS (Pre-K Integrated Data System), a web-based application, helps the DECE to process enrollment, attendance, budgets, and invoicing for approximately 1,200 service providers. The current system relies on legacy technology that is outdated and unable to support current business rules, processes and security standards. The new Early Childhood Management System (ECMS) Project will create an application platform that serves as a single portal for all user needs covering:
- View Enrollment
- Attendance Management
- Budget Management
- Invoice Processing
- Developmental Student Screening Survey
- Incident Reporting Management
- Site contact Management
- Coaching Log Management
- Instructional Data and Monitoring
High-Level Project Goals:
- Improved user experience for parents, teachers and administrators
- Enhanced functional capabilities making the system very efficient in supporting DECE business processes
- Facilitate end-to-end business functions for early childhood education service providers
- Ensure compliance with all relevant regulations and standards, including data privacy laws and educational standards.
- Ensure high quality of data to support data driven business decisions
- Develop reporting platform to support business and compliance needs
- Integrate with other enterprise systems used by NYC Public schools and other City agencies
The Division of Instructional and Information Technology (DIIT) will spearhead this initiative and manage the day-to-day activities for this project. DIIT will work with the vendor to ensure all in-scope requirements are successfully achieved.
This project is expected to span up to 14 months and begin around November 2023.
The new ECMS will provide users with a more user-friendly platform to support day-to-day business needs. Leveraging the latest technology will allow users to be able to customize views based on their authorization and access within the new ECMS. This project is also intended to provide the following benefits to the DOE:
- Reduces the use of legacy technology systems.
- Improvements to data quality to allow for a better utilization of data
- Reduces the effort required in collecting data from schools/field.
- Improves access to data via dashboards and user-friendly reporting.
- Improves our ability to manage and maintain a safe, clean, and comfortable environment for students, teachers and employees.
The purpose of Salesforce receiving any PII is at the sole discretion of the customer and Salesforce employees will not physically access said data.
Type of PII that the Entity will receive/access: Other: “The PII that is received by Salesforce is contingent on what the customer inputs, which may include student PII.”
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall:
Return of Customer Data
Within 30 days post contract termination, customers may request return of their respective Customer Data submitted to the Covered Services (to the extent such data has not been deleted by Customer, or if Customer has not already removed the managed package in which the Customer Data was stored). Salesforce shall provide such Customer Data via downloadable files in comma separated value (.csv) format and attachments in their native format. The foregoing return of Customer Data for managed packages may not be available if the packages were removed prior to contract termination, as removing the package may begin the deletion process for associated Customer Data.
Deletion of Customer Data
Except as otherwise stated below, after termination of all subscriptions associated with an environment, Customer Data submitted to the Covered Services is retained in inactive status within the Covered Services for 120 days, after which it is securely overwritten or deleted from production within 90 days, and from backups within 180 days. Physical media on which Customer Data is stored during the contract term is not removed from the data centers that Salesforce uses to host Customer Data unless the media is at the end of its useful life or being deprovisioned, in which case the media is first sanitized before removal. This process is subject to applicable legal requirements.
Without limiting the ability for customers to request return of their Customer Data submitted to the Covered Services, Salesforce reserves the right to reduce the number of days it retains such data after contract termination. Salesforce will update this Salesforce Security, Privacy and Architecture documentation in the event of such a change.
- Day 0: subscription terminates
- Day 0 - 30: Data available for return to customer
- Day 30 - 120: Data inactive and no longer available
- Day 121 - 211: Data deleted or overwritten from production
- Day 121 - 301: Data deleted or overwritten from backups
For Salesforce Maps and Salesforce Sales Planning, all Customer Data submitted to AWS (with the exception of CSV files uploaded by Customer via the Salesforce Maps Custom Data Source Portal (“Custom Data Sources”)) is retained in AWS for 90 days, after which it is securely overwritten or deleted. Custom Data Sources submitted to AWS are converted into data layer files, and the original CSV files are deleted after 90 days. Any Custom Data Sources returned pursuant to the “Return of Customer Data” section will be in the form of a converted data layer file, not the original CSV file.
For Salesforce Field Service, any Customer Data submitted to AWS as part of the optional FS Optimizer or Enhanced Scheduling & Optimization functionality is retained in AWS for 30 days, after which it is securely overwritten or deleted.
For Insights Platform, all Customer Data submitted to AWS is retained in AWS for 30 days, after which it is securely overwritten or deleted, and all Customer Data submitted to Heroku is retained in Heroku for the duration of the applicable subscription term, then securely overwritten or deleted 30 days after termination of the applicable subscription term.
For Sandboxes, as part of its system maintenance, SFDC may delete any Sandbox that Customer has not logged into for 150 consecutive days. Thirty or more days before any such deletion, SFDC will notify Customer (via email, unless Customer opts out) that the Sandbox will be deleted if Customer does not log into it during that 30-day (or longer) period. Deletion of a Sandbox shall not terminate Customer's Sandbox subscription; if a Sandbox is deleted during Customer's Sandbox subscription term, Customer may create a new Sandbox.
The foregoing deletion of Customer Data for managed packages may not be available if the packages were removed prior to contract termination.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS GovCloud.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Government Trusted Security and Infrastructure
Salesforce understands that the confidentiality, integrity, and availability of our customers’ information are vital to their business operations and Salesforce's own success. Salesforce uses a multi-layered approach to protect that key information, constantly monitoring and improving our application, systems, and processes to meet the growing demands and challenges of security.
Independent audits confirm that our security goes far beyond what most companies have been able to achieve on their own. Using the latest firewall protection, intrusion detection systems, and TLS encryption, Salesforce gives you the peace of mind only a world-class security infrastructure can provide.
Third-party validation
Security is a multidimensional business imperative that demands consideration at multiple levels, from security for applications to physical facilities and network security. In addition to the latest technologies, world-class security requires ongoing adherence to best-practice policies. To ensure this adherence, we continually seek relevant third-party certification, including ISO 27001, the SysTrust audit (the recognized standard for system security), and SSAE 16 SOC 1 audit (an examination and assessment of internal corporate controls, previously known as SAS 70 Type II). SOC1, SOC2 and SOC3 audits are performed by a third-party auditor annually at a minimum. Additional audits and certifications include: CSA ‘Consensus Assessments Initiative’, JIPDC (Japan Privacy Seal), Tuv (Germany Privacy Mark), and TRUSTe.
Protection at the application level
Salesforce protects customer data by ensuring that only authorized users can access it. Administrators assign data security rules that determine which data users can access. Sharing models define organization-wide defaults and data access based on a role hierarchy. All data is encrypted in transfer. All access is governed by strict password security policies. All passwords are stored in SHA 256 one-way hash format. Applications are continually monitored for security violation attempts.
Protection at the network level
Multilevel security products from leading security vendors and proven security practices ensure network security. To prevent malicious attacks through unmonitored ports, external firewalls allow only http and https traffic on ports 80 and 443, along with ICMP traffic. Switches ensure that the network complies with the RFC 1918 standard, and address translation technologies further enhance network security. IDS sensors protect all network segments. Internal software systems are protected by two-factor authentication, along with the extensive use of technology that controls points of entry. All networks are certified through third-party vulnerability assessment programs.
Trust.salesforce.com is the Salesforce community’s home for real-time information on system performance and security. On this site you'll find:
- Up-to-the minute information on planned maintenance
- Phishing, malicious software, and social engineering threats
- Best security practices for your organization
- Information on how we safeguard your data
These papers further explain the technology that makes the Salesforce Platform fast, scalable, and secure for any type of application:
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
CareerSafe
The exclusive purposes for which Protected Information will be used: Student name and course completion information are used to process the course completion wallet card from the U.S. Department of Labor, OSHA.
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: As an OSHA-Authorized Provider, CareerSafe is required to provide student data to OSHA. We are contractually obligated to provide student name and course completion information to OSHA for the purpose of providing students with an OSHA completion card. OSHA, as part of the U.S. Department of Labor, complies with Federal data security standards. No student data is shared with any other organization or individual.
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Student completion records will be maintained for five years, after which CareerSafe will destroy and delete all the data in its entirety in a manner that prevents its physical reconstruction.
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: In accordance with their contract, CareerSafe will work with the NYC DOE in processing challenges to the accuracy of student data in CareerSafe’s custody.
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): A FIPS 140-2 compliant / certified process is used to encrypt the student data while at rest on the application database. Student data is stored in/on an application database, located in the Amazon Web Services hosting facilities. The back-up data is presently stored on site in a secured storage unit. No data is stored outside of the US. All data is fully encrypted to an AES 256 bit standard at rest and while in transit. All network devices and storage units are restricted to be accessed only by administrators.
How the data will be encrypted (described in such a manner as to protect data security): All data is fully encrypted to an AES 256 bit standard at rest and while in transit.
CareerWise
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CareerWise New York is a youth apprenticeship system based in New York City. CareerWise New York offers a three-year applied-learning environment for high school students and an innovative talent-acquisition strategy for businesses. With apprenticeship, students earn debt-free college credit and nationally-recognized industry certifications through their work experience in fields such as IT, financial services, and business operations…all while graduating high school on-time.
We are trying to offer youth apprenticeships in high growth areas such as health care and technology to high school aged students. We hope to use this software to facilitate the hiring of students into apprenticeships.
We use this software as a means of managing our youth apprenticeship programming such as supervisor training, apprentice training, recruitment, and hiring. We also use this software for case management, relationships management, and communications management. It is what allows us to be an effective intermediary between industry and education. Through this system we can post available apprenticeships, recruit students, and communicate to both employers and school staff where students are at in the process. Students can create profiles, search through job descriptions and apply. They can also see how close an apprenticeship is to their home or school. Teachers and counselors can manage a caseload of students who are interested in apprenticeship, provide feedback on their profiles and applications, and have the final say in terms of approving students and ensuring that they are eligible to apply. CareerWise staff can use the system to provide feedback, offer application support and interview preparation to students. We can use this information to track progress on a school by school basis which allows us to assist schools at an individual level.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Salesforce & Google Cloud Products.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII information is only accessible to the staff that need access to the information. Any staff who do not need to see the PII information for their jobs will not be able to access this information through encryption and access restrictions.
CareerWise has implemented data security measures to monitor the data on a regular basis to ensure the data is protected from unauthorized users. For any incident that is reported, CareerWise has an incident response coordinator to assemble the data that is affected and communicate with specific parties, and an incident response handler to analyze evidence so the incident can be resolved. CareerWise will manage incidents with the phases defined in NIST SP 800-61 of preparation, detection, containment, investigation, remediation, and recovery.
If someone requests the deletion of PII information, CareerWise will take the proper steps in deleting all personal information from our cloud based Customer Relationship Management software, cloud storage, back ups, and the learning management system.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
CareMonkey
The exclusive purposes for which Protected Information will be used: CareMonkey is used by schools to send consent and other school forms and collect responses from parents/guardians and/or staff members. It is also used for internal approval processing such as a field trip being approved. PII is used to know who to send notifications to, e.g., an email notification to a parent to tell them there is a new consent form they need to sign, or an email notification to a school principal informing them there is a field trip to approve. The system uses basic information about students, parent contacts, classes (roster) and staff so that forms can be delivered to the right people or parents of a class.
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Note, we have no sub-contractors. Our support services are provided by our own team.
- CareMonkey follows the principle of “Least Privileged Access” whereby user accounts are provided the most restrictive access necessary to perform the required business function.
- Access to data is restricted depending on job roles and all access is tracked.
- As part of our Information Security Program we maintain a systems access register.
- Access to sensitive data is restricted to those few with a need to know and must be approved by management.
- Access accounts have username and passwords with Two Factor Authentication (2FA).
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: The NDA will apply for each school upon signing up to CareMonkey. The NDA will end for each school when they close their CareMonkey account. Schools can close their account and delete their data at any time. The data is immediately no longer available after deletion. Backups are retained for three years. Note that after closing their accounts schools can choose to retain their data in archive only mode for as long as required. [NYC DOE comment: The current agreement became effective starting on August 6, 2019 and terminates when all NYC DOE schools and/or offices cease using CareMonkey Inc’s products/services. The terms of the agreement remain effective through the period during which CareMonkey Inc. possesses or otherwise is in control of covered protected information.]
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. However, please note, that the data is entered by the parent (re parent forms) and entered by the staff member (re staff forms) so this type of scenario is unlikely. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): CareMonkey’s physical infrastructure is hosted and managed within Amazon’s secure data centers, utilizing Amazon Web Services (AWS) technology.
- AWS data centers are state of the art, utilizing innovative architecture and engineering approaches. AWS provides a highly reliable, scalable and secure infrastructure platform that powers hundreds of thousands of businesses in 190 countries across the world.
- Your data is stored on servers in your region and will never be stored outside of that region. Hence, United States User data is stored in the United States.
How the data will be encrypted (described in such a manner as to protect data security):
- CareMonkey uses the highest standards in Internet and data security.
- Data is always encrypted at rest and in transit.
- Our security layers include strong cryptographic implementations (such as 256 bit encryption, 128 bit data encrypted SSL systems using Advanced Encryption Standards) and defense-in-depth network protection (with multiple firewalls, intrusion prevention appliances, and active monitoring systems).
Castle Software
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Very basic student and teacher rostering information is collected by the Castle Learning application for establishing logins to the application and to securely link students to the appropriate teachers/classrooms. The application provides test item content and supplemental content teachers may assign to students for student learning and assessment for academic progress in core subjects.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The data is stored in SOC II compliant data centers within the US. All data in transit is encrypted to industry standards (TLS 1.2), sensitive data is encrypted at the column level in the database, only authorized staff with a need to access the data to provide the service have access, and the network environment is scanned weekly using a third party scanning service. Additionally, Castle Learning uses a Web Application Firewall to further protect the system.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Catholic Charities Community Services, Archdiocese of New York
Type of Entity: Community Based Organization
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CCCS’ Learning to Work (LTW) program and Community Schools Services is an intensive student support services program designed to assist students in overcoming obstacles that impede their progress toward earning a high school diploma. CCCS’ LTW team is integrated into the school community to provide students individualized support to earn a high school diploma, prepare for college and lead them toward rewarding employment and educational experiences after graduation. Our program offers academic support, career and educational exploration, work preparation, skills development, and internships to over-age, under-credited students who are at risk of not graduating from high school.
LTW and Community Schools staff receive and access student PII to 1) provide intensive support services to students to improve attendance and reduce absenteeism, 2) assist students with college and scholarship applications, as well as working papers for summer jobs and internships, and 3) document permission to attend field trips and emergency contact information.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. All data will be destroyed after the contractually agreed upon retention period ends.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CCCS’ data security policy requires that all PII is kept confidential and used only for the purposes for which it was collected. CCCS safeguards the privacy of students’ educational records by limiting access to such records strictly to authorized persons with direct involvement with the program. Reasonable physical, electronic, and procedural safeguards are maintained to protect students’ educational records from unauthorized access, loss, misuse, disclosure, or alteration.
All hardcopy records containing student PII (e.g., DOE release forms, etc.) are securely stored in locked cabinets and are shredded in accordance with CCCS’ record retention policies. These cabinets are locked after hours and on weekends. All staff are notified that they are required to preserve client confidentiality. Shredders are used to dispose of papers that contain PII.
Secure passwords are required for access to CCCS computer systems. The passwords of departing staff members are deleted from the system. CCCS’ databases are secured through WatchGuard Firewall (an upgradeable VPN endpoint and firewall security appliance that provides full, centralized management, logging, and historical reporting for securing telecommuter and remote offices); Secure Socket Layer (uses a cryptographic system to transmit private documents via the Internet); and VirusScan. In addition, CCCS has implemented DUO two-factor authentication for staff logging in remotely through VPN and provided a platform for end-user cyber security training and education. CCCS mandates that all staff participate in an annual Data Security Awareness Training, which is offered by the Archdiocese of New York’s vendor, KnowBe4, an industry leader in user awareness education services.
Electronic documents containing student PII are securely stored by staff in their individual Microsoft 365 OneDrive accounts, which are password protected, require multi-factor authentication, are encrypted on Microsoft servers (at rest and in transit), and are accessible to the individual account user only.
Data is encrypted at rest and in transit. When data is in transit, all SSL connections are established using 2048-bit keys. Encryption at rest includes two components: BitLocker disk-level encryption and per-file encryption of our data content. Data that is no longer needed or required is marked for deletion and destroyed at the appropriate time.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
CCI Learning Solutions Inc (Jasperactive)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 3/2022 – 3/26/2026
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Jasperactive is a web-based learning product designed for Microsoft Office with tailored exercises for Word, Excel, and PowerPoint, Outlook and Access. Students are delivered a Benchmark, Lessons and Create Exercises. The primary purpose of Jasperactive is to teach the students the required fundamentals to pass the Microsoft Office Certification exams.
Type of PII that the Entity will receive/access: Student PII
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. The vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CCI Learning Solutions Inc. is committed to protecting users’ privacy and PII and developing technology that gives users the most powerful and safe online experience. We safeguard PII through a combination of policies, procedures, training, segregation of duties and robust systems, security and technology. We mitigate data privacy and security risks by following and adhering to industry protocols, standards and practices, employing up to date technology, training and segregation of duties and user access controls.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. The vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Cengage Learning
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. For school educators, we develop essential, curriculum-aligned content that empowers educators to solve curriculum challenges, keep students engaged in learning, and help schools curate a virtual eBook library. Today, this includes supporting distance and social and emotional learning (SEL) as well as equity and inclusion goals. We support multiple curriculum areas, like Science, Social Studies, and English Language Arts, as well as multiple grade levels, inclusive of K- 12. PII is used on the educator side for creating user accounts and authentication, as well as connecting educators to students so that formative assessments can be assigned, and results tracked.
Student PII is not necessary for all use of Gale platforms, but can be used to provision and authenticate access to services on the platform such as enabling logging in, saving materials to a Google and/or Microsoft account, and accessing and completing formative assessment assigned by educators.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Okta, AWS, Google, Microsoft.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Cengage Cybersecurity Technology Risk employs dedicated teams for IT Governance, Compliance, and IT Risk programs.
- Cengage utilizes the NIST frameworks of IT controls over infrastructure in Cengage.
- We complete and perform risk based assessments and report accordingly to teams and management for addressment as required.
- There is a dedicated Engineering Security team with best-in-class tools and industry recognized practices in place.
- There is a dedicated Application Security team which completes assessments and reviews of SaaS products with a Gap register and remediation program.
- Cengage Security includes Operational Security best practices, inclusive of proactive response plans, IT Automation and workflow, and Operational Risk reviews.
- Administrative safeguards include establishment of formal IT Policy and IT Security Guidelines, provided to all employees.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Center for Educational Innovation (CEI)
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/1/2022 – 6/30/2023
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CEI supports school leaders and educators collaboratively with community members, families, nonprofit organizations, and students to implement the community school model as an equity strategy. CEI’s team of experts provides technical assistance, capacity building, family engagement, and youth development programs in the arts, STEM education, Esports, academic support, character education, and the early stages cultural experiences under our signature program Project BOOST (Building Opportunities and Options for Students). PII is necessary to track attendance in CEI programs and activities, including mental health support.
Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data)
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: CEI is not storing data, therefore no data needs to be destroyed.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CEI Community Schools Directors will use locked offices and file cabinets, when possible, to ensure that hard-copy documents containing PII are protected. At no point will the hard-copy documents leave the school site, in an effort to minimize risk of unauthorized disclosure. Access to PII will be limited to the CEI Community School Directors.
Any data used for analysis by CEI Community School Directors (CSD) shall be viewed, processed, and stored on NYCDOE provided devices and cloud storage under the purview of the NYCDOE’s acceptable use policies and requirements. At no time will any CSD transfer, share, submit or provide access to any data that is located on NYCDOE devices or cloud storage.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Center for Family Life in Sunset Park
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Center for Family Life’s comprehensive, school-based integrated services include whole classroom work to support students’ social emotional development; crisis intervention, counseling, case management and access to a full range of additional supports and referrals to community-based services; professional development and training for school staff; and support for school-wide, community-building initiatives engaging students and families. Our current program models for collaboration with DOE teachers and students during the school day include: 9-11 advisory & 12th grade internship programs at Sunset Park High School; interdisciplinary arts/social emotional learning at MS 136/MS 821; and success mentoring/attendance improvement initiatives. We are receiving or accessing PII so that we may effectively assess and appropriately respond to student needs. Additionally, PII enables us to provide comprehensive supports and services to the students and families in our partner schools, as needed.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Microsoft 365 – OneDrive/SharePoint.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- Microsoft Defender for Office 365 has been configured to provide secure use of all email communications. OneDrive and SharePoint services provide both at-rest and in-transit data protection.
- Multifactor Authentication is enabled on every account. Multifactor authentication (MFA) is a security technology that requires multiple methods of authentication from independent categories of credentials to verify a user's identity for a login.
- N-Able Remote Monitoring and Management allows us to remotely monitor desktops, laptops, and servers across a variety of operating systems. We can monitor network devices, switches, firewalls, routers, and more using SNMP. This also assists in preventing cyberattacks, performing routine maintenance, and updating devices remotely with automated patch management. The managed antivirus features allow us to remotely push out and protect our devices against known viruses and malware. BitDefender Antivirus works against all e-threats, from viruses, worms and Trojans, to ransomware, zero-day exploits, rootkits and spyware.
- CFL assures all physical devices used for transmitting confidential data are always in a secure location.
- Security Breach Response
  - Notify Center for Family Life Response Teams
  - Engage Tech Alliance, outside IT Security Consultant, if needed, depending on severity
  - Secure network, computer and cloud solution systems
  - Determine the nature, content and extent of the breach (i.e., exactly what was breached)
  - Update all data breach protocols
  - Test to make sure new cybersecurity defenses work
  - Let CFL's employees (& Clients if applicable) know about the data breach
  - Notify the NYC DOE of any breach or unauthorized release of PII in the most expedient way possible and without unreasonable delay but no more than seven calendar days after the discovery of such breach
  - Cooperate with the NYC DOE and law enforcement to protect the integrity of investigations into the breach or unauthorized release of PII
  - Pay for or promptly reimburse the NYC DOE for the full cost of parental notifications, where a breach or unauthorized release is attributed to the TPC
- As a DOE partner, Center for Family Life will comply with all provisions of the Data Privacy/Security Policy for Schools and Offices as posted on the DOE website, including Compliance with Law and Policy, Restrictions on PII Use, and Data Privacy and Security Practices
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Center for Supportive Schools
The exclusive purposes for which Protected Information will be used: Center for Supportive Schools (CSS) serves as a Lead CBO under the Community School initiative to provide community school services at awarded partner schools. In addition, CSS under a sub-contract agreement with the Board of Education of the City School District of the City of New York also supports the NYS Integration Project – Professional Learning Communities (NYSIP-PLC).
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: In entering data agreements with schools and school districts, CSS agrees and adheres to the below general protocols:
- Receive data through secure sites, as requested by the partner school and/or district.
- Maintain data security throughout use, by restricting data access to vetted individuals and keeping data stored on password protected devices. CSS will communicate with the appropriate parties within 24 hours should a breach occur.
- Maintain additional server security through a partnership with SureTech/IVIONICS, a cloud IT service company that provides data and hardware security through anti-virus protection software, Total Network Defense (TND) and SNAP Monitoring (a malware and intrusion monitoring and alert system).
- Destroy any data within an agreed upon/appropriate timeline.
- Share only aggregate reports of non-identifiable data with staff and external audiences.
- Communicate with data sender post-analysis, if requested, to share analyses.
- Review these protocols annually to ensure proper adherence and adjust where necessary.
- Maintain team awareness of applicable federal and state laws that govern the confidentiality of personally identifiable information.
- Remain subject to any applicable law, most prominently, FERPA and HIPAA regulations.
In addition to the above safeguards in place, CSS also commits to managing its authorized users (including subcontractors) as follows:
- Timely and appropriate training for any and all authorized users to understand CSS data protection policies and NYC DOE contractual requirements. Consideration is being offered to the Board that all authorized users sign a training document that ensures understanding and compliance.
- The Director of Contracts & Compliance will work with the IT/System Administrator to ensure compliance of data protection and security.
- Access to the raw data is restricted internally at CSS to members of CSS’s Evaluation Team, the Regional Executive Director, and the CEO. Only these individuals will have access to the credentials that will allow them to access the data files and they will use the data files only on their password protected computers.
- Data will only be sent through the secure FTP site (Box.com). All transmission of data via the FTP site will be encrypted.
CSS acknowledges the responsibility to ensure compliance with the confidentiality provisions of the Family Educational Rights and Privacy Act of 1974 (FERPA, 34 CFR 99) and the Code of Maryland Regulations (13A.08). CSS acknowledges that any unauthorized disclosure of confidential student information is a violation of FERPA and shall not be permitted to occur.
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon completion, and/or termination, of this agreement with NYC DOE, CSS shall certify that Protected Information has been surrendered or destroyed in accordance with this Rider via the "Certificate of Records Disposal" form attached to this Rider as Exhibit D. Any and all measures related to the deletion, destruction or disposition of Protected Information will be accomplished within 90 days upon expiration of the agreement. CSS agrees to utilize an appropriate method of confidential destruction, including shredding, burning or certified/witnessed destruction of physical materials or verified erasure of magnetic media using approved methods of electronic file destruction.
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, CSS will work with the NYC DOE to process requests for copies of, and challenges to the accuracy of, Protected Information in the custody or control of the Contractor. Such requests will be directed to studentprivacy@schools.nyc.gov.
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): No Protected Information will be stored outside the USA. CSS policies ensure that secure data is housed on protected and secured platforms. All computers that host these platforms are protected through passwords and a secure and virus protected network. CSS understands the importance of data security. We do not request data that is not necessary for our work and when we do, it is housed appropriately. PII data is NEVER stored on personal equipment.
How the data will be encrypted (described in such a manner as to protect data security): CSS understands that data encryption helps to keep data safe and compliant and provides extra security against unforeseen mishaps. CSS has hired a full-time IT System Administrator that has begun reviewing data management policies and identifying a high-quality data encryption strategy which identifies data needed to manage encryption keys and block unauthorized access to company data.
When data is stored or when accessed (by authorized staff) it is done securely within the Data Protocol Framework which includes: data management, ethical walls, privileged user monitoring, sensitive data access auditing and secure data trail tracking.
CSS utilizes a complex cipher to make data unreadable to third parties. The encryption strategy incorporates technologies that defend data in all three of its states:
- Data at Rest: this is data located in data storage areas or within various devices, including authorized CSS and school staff.
- Data in Motion: this is data that is being transmitted from one endpoint to another across a network. This includes local LAN and WWW.
- Data in Use: this is when data is being actively accessed by a credentialed user.
CSS understands that developing a solid encryption strategy is a long-term, collaborative process that includes IT, operations, and management stakeholders. CSS continuously identifies high-value data and regulatory requirements and has processes in place to identify and prioritize the most sensitive or valuable data for encryption. A new IT Director is in place to ensure critical data security, implement access controls and properly train all staff on data security policies and procedures. CSS also works with a cybersecurity firm to ensure data lifecycle management.
Central Family Life Center
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Central Family Life Center will be conducting services associated with Project Pivot, which will include counseling, mentorship, mediation, and restorative services for students. As such, it is reasonably expected that PII will inform select activities, practices, and approaches implemented through the work of counselors, mentors, and mediators serving on the Project Pivot contract.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYCDOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using an Entity-owned and/or internally hosted solution.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CFLC will collect and disclose students’ PII only as necessary and only for educational purposes. The organization commits to ensuring that all administrative files and protected documents are stored and protected by password protection, and any physical files containing information will be stored securely in a locked filing system. The organization further commits that access to any/all files containing PII is restricted and made available to only those staff and/or affiliates who have a need for utilizing such data/information in the course of their implementation of program activities. All staff and affiliates, including subcontractors, if/as applicable, will receive comprehensive training in data privacy and security, including applicable laws, policies, and safeguards associated with industry standards and best practice; the policies, practices, and protocols of the organization; and all policies and regulations established by DOE and the related/relevant contract.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
CEV Multimedia
Type of Entity: Commercial Enterprise
Contract / Agreement Term: September 2023 – September 2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. NYCDOE is using iCEV CTE curriculum to prepare students for taking certification exams in several subjects, including pre-med electives: medical terminology, anatomy & physiology, and medical assisting. The district will provide basic roster related PII as they need to manage their classroom roster and records in the solution. This includes, at the district’s discretion, PII such as the teacher and student first name, last name, email address or UPN.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Simpatico Systems’ US-based and certified data centers in Dallas and Los Angeles.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Administrative access to PII is limited to named privileged authenticated users required to support the services that the DOE has contracted. NIST CSF policies and procedures are followed to provide the service. Sharing of PII is limited to what is required to provide the services, and confidentiality agreements are in place to protect DOE data. Team members are provided cybersecurity and data privacy awareness training throughout the year. Systems are hosted in US-based, certified, and secure hosting environments.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology."
Changing Perceptions Theater
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Participants learn to write and perform original dramatic works such as monologues, short plays and full-length plays for their school community and families. Participants will see professional plays performed in New York City. PII will be utilized to contact parents regarding trips, emergencies, program updates, invitations to events and to keep enrollment or attendance lists, and progress reports.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYCDOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud and "if there are physical attendance sheets they will be kept in a locked and secure space at the school that is agreed upon by the school administration and CP.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- A child’s PII will be collected and disclosed only as necessary to achieve educational purposes in accordance with state and federal law.
- A centralized staff person is responsible for supervision and monitoring appropriate safeguards, policies, and practices in place to protect the data.
- Staff will participate in mandatory 2-part training about applicable laws, policies, and safeguards associated with industry standards and best practices; consistent with NYC DOE’s data security and privacy policy.
- Encryption, firewalls and password protection will be mandatory for all emails and cloud usage to electronically transmit sensitive PII information.
- CP will not maintain copies of participants’ PII once PII is no longer needed for the educational purpose for which the DOE has disclosed PII to CP.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Charmtech Labs (also called Capti)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 8/1/2023 – 7/31/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Our product, Capti Accommodate, is used by teachers to support reading for students with learning and print disabilities. The PII includes the email address and first and last name of the student, which are used to facilitate user management and log in to access Capti Accommodate services.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII is protected by enforcing a need-only role-based access control, encrypted in transit and at rest, and protected by firewalls, MFA, and passwords. PII is never shared with unauthorized users and protected in public reporting. PII is destroyed no later than 60 days from contract termination or when it is no longer needed for the purpose for which it was disclosed. Our policies include a comprehensive incident response plan, mitigating risks both in case of security incidents and natural disasters.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
The Child Center of NY (Community School Services and Learning to Work)
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The services being contracted are to provide Community School services at the designated site. At minimum, services include:
- Facilitate the OCS Assets and Needs Assessment using the Assets and Needs Assessment Tool for Collaborative Planning in NYC Community Schools.
- Establish a Community School collaborative leadership structure that includes the voice and leadership of multiple stakeholders, including students and families.
- Host three Collaborative Planning Meetings per school year. These meetings are facilitated by the CSD or other CBO staff determined by the CBO supervisor. Attendees include School Staff (Principal, Teachers, Admin Staff) and CBO Staff (CSD, Supervisor, CBO Fiscal Point), and whenever possible at least one student representative (for middle and high schools), and one family member of the SLT.
- Facilitate weekly attendance team meetings.
- Implement a Success Mentor Program.
- Implement a family engagement strategy that adheres to the principles of the Dual Capacity Building Framework for Family-School Partnerships.
- Host an annual Community School Forum.
- Ensure that afterschool and summer programming are available, aligned with school goals, and incorporate anti-racism into program design, behavioral systems, and curricula.
- Implement and/or coordinate comprehensive social emotional learning programs aimed at strengthening a supportive environment. Coordinate the day-to-day functioning of mental health services in the school using the three-tiered public health framework. If the school hosts an Article 31 clinic, the Lead CBO is required to dedicate funding to maintain the Article 31 clinic.
- Work with the school to ensure school-wide vision screenings.
- Facilitate the completion of the Community School Section of the CEP.
- Ensure that all staff members have a commitment to anti-racism and have the tools necessary to develop and provide anti-racist programs and services within the school community.
- CBO supervisor meets with principal and CSD at least quarterly to share feedback and align on goals and expectations for the CSD role and the partnership.
- CBO supervisor coaches CSD to use data during collaborative planning meetings and weekly attendance team meetings.
- CBO supervisor provides or coordinates training opportunities for CSD that support the development of the CSD Leadership Competencies and the CSD’s successful implementation of the core features of a Community School.
- Community Schools emphasize family engagement, characterized by strong partnerships and additional supports for students and families designed to counter environmental factors that impede student achievement. We collect PII from DOE, such as basic demographics, including student name, DOB, gender, address, contact information, parent/guardian information. We also collect from DOE academic data, such as grades and attendance.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft 365.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII is securely stored in Microsoft. These systems protect all information entered and have safeguards in place to minimize security risks, such as monthly password changes, individualized dual-factor authentication by user, and user security access levels. Any paper files are kept in locked cabinets and locked offices.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
The Child Center of NY (School Based Mental Health Program)
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/1/2023 – 6/30/2025
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Child Center of NY’s School Based Mental Health Program will receive Personally Identifiable Information (PII) from school administration and staff on students that are referred for targeted and selective services (including, but not limited to, assessment, individual treatment, crisis intervention, individual or group supportive counseling and classroom observation). The PII includes the student’s name, date of birth, and demographic information including parent/guardian name(s), contact information, address(es), and telephone number(s), in addition to school records such as report cards and Individualized Education Plans, when needed.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. PII, including PHI, for targeted services is securely stored in an Electronic Medical Record system, Welligent. The EMR meets applicable federal, state, and local standards and is also in compliance with the NYS Office of Mental Health for the licensed Mental Health satellite clinic located in the school building. Retention and destruction of records will comply with applicable regulatory timeframes and guidelines.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Welligent and Microsoft 365.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII, including PHI, is securely stored in the Microsoft 365 application for Universal and Selected Services, and in our Electronic Medical Record system, Welligent, for targeted services. Both systems protect all information entered and have safeguards in place to minimize security risks, such as monthly password changes, individualized dual-factor authentication by user, and user security access levels. The EMR meets applicable federal, state, and local standards and is also in compliance with the NYS Office of Mental Health for the licensed Mental Health satellite clinic located in the school building.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Child Mind Institute
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 7/1/2023 – 6/30/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Child Mind Institute’s School and Community Programs will continue to deliver evidence-based prevention, intervention, and capacity-building mental health services to more than 1,000 students, parents, educators, and school mental health professionals at NYC DOE schools. Services will include (1) evidence-based trauma treatment groups, mood disorders treatment groups, behavioral challenges treatment groups, and reading remediation groups, in addition to preventative Mental Health Skill-Building workshops and support for over 700 students; (2) Capacity-building trainings for 100 educators and mental health providers to build school capacity to deliver evidence-based services independently; (3) Psychoeducational workshops for 200 parents and educators.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and Microsoft.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Child Mind Institute is dedicated to keeping its solutions and customers secure. We strive to follow industry best practices and standards throughout all phases of our software development lifecycle (SDLC). We adhere to all federal, state, and local regulatory requirements related to information privacy and security. Child Mind Institute classifies all its systems and information into four primary security classifications, and systems are assigned a sensitivity level based on the type of information that is stored within those information systems. Privacy and security controls are implemented for each system based on that system’s classification. All baseline standards align with industry best practices and standards such as NIST 800-53 and ISO 27001.
Child Mind Institute, including any subcontractors or vendors that store, transmit, process or are otherwise responsible for the protection of sensitive information contained in its information systems, must adhere to all Child Mind Institute’s organizational policies, procedures and processes and contractual obligations. CMI employs the least privilege principle and enforces user access through multi-factor authentication. Encryption processes for data at rest and in transit follow guidance set forth in the National Institute of Standards and Technology (NIST) document Security Requirements for Cryptographic Modules (FIPS 140-2).
CMI has implemented a comprehensive risk management program to identify and remediate security vulnerabilities and threats to its information systems and information technology infrastructure. Systems are reviewed for risk and vulnerabilities on an annual and ongoing basis. Endpoint devices are protected by an enterprise-wide antivirus and enhanced detection and response system.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Children’s Aid Society
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/1/2022 – 6/30/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. In accordance with FERPA, Children’s Aid agrees that to the extent that the services provided relate to the processing of protected information, the services are for Children’s Aid to perform an institutional service or function for which the BOE would otherwise use its employees.
The services being provided are the continuation of Community School services previously funded through 21st Century Community Learning Center grants that expired on June 30, 2022. Community Schools emphasize family engagement, characterized by strong partnerships and additional support for students and families designed to counter environmental factors that impede student achievement. While some of the specific attributes of a community school program vary based on the needs of its respective community, all Community Schools share three foundational pillars:
- A rigorous academic program with strong supports to prepare all students for college, careers, and citizenship, and that supplements quality curriculum with expanded learning opportunities that keep students engaged, coupled with high levels of accountability for results;
- A full range of school-based and school-linked programs and services that, based on a needs assessment of the community, address the comprehensive needs of students and their families and that work with families as essential partners in student success; and
- Partnerships that demonstrate collaboration with the local community, including by engaging families and other community stakeholders and drawing on a broad set of resources, incorporating local and State government agencies, non-profit service providers, institutions of higher education, and the philanthropic and business communities in order to extend the impact and depth of services and programs.
It is important to emphasize that Community Schools do not seek to duplicate effective services that already exist in their communities; rather, through partnerships, these schools leverage existing high quality programs and assets by linking them to the school and providing robust services to students and their families.
Children’s Aid uses protected information to provide the following required Expanded Learning and Enrichment Activities:
- in coordination with the Principal, SLT and CST, determine the focus, content and manner of expanded learning and enrichment programming to be provided at the school(s), considering the needs and expressed interests of students at the school(s) in alignment with the grant(s). Children’s Aid shall work with existing after school and expanded learning providers at the school(s) to align their work with the school’s instructional focus in order to provide more opportunities for personalized learning for as many students as possible. Children’s Aid shall also consider student and parent input via the community school planning process and use such input to inform the selection of specific activities to be offered, and such input must be reflected in the CS plan.
- ensure that expanded learning and enrichment programming delivered at the school is tailored to the needs of the school(s) and its student population, and is in alignment with the goals and objectives of the grant(s).
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Children’s Aid employs administrative, operational, and technical safeguards including policies regarding the protection of confidential information, policies regarding the acceptable use of technology resources, training, and data system monitoring.
Confidential data is protected and only used in accordance with state and federal laws, rules and regulations, and Children’s Aid policies to prevent unauthorized use and/or disclosure. Staff must obtain written consent prior to the disclosure of personally identifiable information, except in those instances specifically allowed for by law. These include disclosure pursuant to a valid court order or lawfully issued subpoena, a request for disclosure by authorized representatives of the officials or agencies headed by State or local educational authorities, a health or safety emergency where disclosure of PII is necessary to protect the health of the student or others, and other reasons permitted by law.
Education records may be released without consent after the removal of all personally identifiable information provided that a reasonable determination that a student’s identity is not personally identifiable (whether through single or multiple releases, and considering other reasonably available information) has been made.
Reasonable methods must be used to identify and authenticate the identity of parents, students, school officials, and any other parties to whom PII in education records is disclosed.
Violation of the Children’s Aid policies by staff is grounds for dismissal. Staff agree to abide by the rules covering the maintenance and use of mobile equipment assigned to them. All devices and accounts are subject to inspection without user permission. Handling of protected information must be exclusively for the conduct of job-related duties and may not include dissemination of confidential information for unauthorized purposes nor any commercial uses. Use of technology and devices must incorporate use of strong passwords, dual authentication when required, protection of unique passwords, physical security of devices, and safe practices that protect systems from viruses and spyware. Use of technology and devices must not include any effort to circumvent data protection configurations, decrypt intentionally secure data, or copy data to non-secure devices for any purpose.
Children’s Aid utilizes subcontracted systems that demonstrate System and Organization Controls (SOC) through SOC 2 audit reports based on the Trust Services Criteria (TSC) of the Auditing Standards Board of the American Institute of Certified Public Accountants. The purpose of the SOC 2 is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality, and privacy. These reports are intended to provide detailed information and assurance about the controls at a service organization relevant to the security, availability, and processing integrity of the systems the service organization uses to process users’ data, and the confidentiality and privacy of the information processed by these systems. Security principles within the fundamental designs of the systems permit users to access information they need based on role while restricting them from accessing information not needed for the role. Encryption technologies protect data at rest and in transit. Subcontractor information security and availability policies define how systems and data are protected. These include policies around how the service is designed and developed, how the systems are operated, how the internal business systems and networks are managed, and how employees are hired and trained.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Chinese American Parents Association Inc
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/1/2022 – 6/30/2027
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Chinese American Parents Association will be providing after school academic support as well as providing extracurricular activities. The Chinese American Parents Association will be providing after school academic support and non-extracurricular activities. CAPA also provides family workshops, State Testing Prep, Middle School Registration, etc. PII is required for student registration for programs as well as to monitor attendance, track academic progress, and communicate with families.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Drive.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- All electronic data is stored in Google Drive, is password protected, and has limited access.
- All physical data is kept in a locked cabinet.
- Staff receive data privacy training and must abide by policies including clean desk, no personal devices, and remote work requirements.
- All staff must request authorization from the Director prior to being given access to information with PII.
- All computers and laptops have firewall and anti-virus protection.
- All employee accounts are password protected.
- Data is encrypted in motion and at rest.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Chinese American Planning Council (Community Schools)
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/1/2021 – 6/30/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The services we provide are in alignment with the needs assessment based on the school population. Our food pantry aims to reduce food scarcity for families in need, with our high-need families able to utilize our food pantry every 2 to 3 weeks and our low-need families a couple of times per year. Our afterschool program aims to reduce the number of students in need of afterschool services. We work with the other CBOs in the building along with the school leadership team to identify and prioritize students and families that are in need of after-school services. We meet with the school leadership team formally on a quarterly basis as well as keeping an open line of communication in terms of highlighting new needs that the school community may have, for example offering workshops on topics such as identity theft. We determine the effectiveness of such services by eliciting feedback from the school leadership team as well as the school community itself. The PII which we have access to is necessary for student identification, family communication, and record keeping purposes for the services we are providing.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft 365 Enterprise.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CPC uses Microsoft Office 365 Enterprise. Microsoft 365 Enterprise’s data at rest is located in the United States. It also has inherent high-quality security protections. For example, in the event a staff member sends an email or shares a file through email containing personal information, Office 365 uses DLP policies to protect the information. For emails it will encrypt the message so that only the receiver can read it. A link and a pin will be sent to them to open the email. File sharing also uses the same verification method.
CPC inherits the same Data Encryption provided by Microsoft on their Office 365 Enterprise platform. All sensitive information is given an extra layer of encryption, as part of CPC multifactor authentication (MFA). The user login is paired with a password and an SMS code to verify the login. CPC and our technology vendors maintain encryption, firewalls, and password protection protocols. CPC staff also participate in an annual cyber security training to ensure staff are aware of digital threats to privacy such as malware and phishing.
Physical copies of community member information such as intake forms will be filed into participant folders and kept under lock and key in a file cabinet with only designated staff access (Program Director, Program Aide, and if appropriate Division Lead and Chief Program Officer). Staff are trained during onboarding not to leave files out in the open and to return files to the cabinet as soon as possible.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Chinese American Planning Council (Project Pivot)
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 11/1/2022 – 6/30/2023
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The services and activities are aligned with violence prevention by providing the following: specialized and intensive academic coaching supports for students who need to be reengaged in the schooling and learning process; targeted and tiered supports to improve student attendance in school; engaging and connecting families to resources; classroom-focused behavioral services and strategies to ensure students are able to get the most out of each lesson, remain on task, and meet the learning objectives for the day; and offering in-school and after school tutoring. CPC will be evaluating the program through participants’ daily attendance, report cards and feedback through surveys and weekly evaluations. The PII shared with CPC will be student names, student IDs, addresses, and phone numbers.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using an Entity-owned and/or internally hosted solution.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All PII will be maintained and tracked at the school level and stored in a secured filing cabinet. Attendance and email correspondence with students are kept on Office - OneDrive & Outlook. Our Office Suite includes two-factor authentication (2FA), an identity and access management security method that requires two forms of identification to access resources and data. This safeguards our most vulnerable student data.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Chinese American Planning Council (Project Reach)
Please include a brief description of the product(s) or service(s) being provided, and the exclusive purposes for which Protected Information will be used, collected or otherwise processed: The Chinese-American Planning Council, Inc. (CPC) Project Reach program will provide Department of Education (DOE) funded MTAC R1155 for Components of 1) Social Emotional Learning, 2) Respect for Diversity and 3) School Culture and Climate/Approach to Establishing and Sustaining a Positive School Culture as part of the services to promote safe and supportive school communities. DOE Principals, through this contract, request CPC Project Reach staff to provide workshops and trainings to support and enhance safe school cultures for youth, families and staff of DOE schools.
While it is not the policy of CPC to retain protected information, identifiable information may be kept in certain records required to work with the DOE, such as sign-in sheets showing attending students' names which are generally collected to verify that workshops were provided.
CPC Project Reach, to evaluate its own services, shares an anonymous survey at the end of a workshop for students, family members and/or school staff. No identifiable protected information will be requested and any results reported in the aggregate.
Occasionally, CPC staff, usually by request of city or state agencies, may ask for student or staff home zip codes to better understand where in NYC Project Reach has had a possible impact. This information is collected but only shared in the aggregate.
How you will ensure that the subcontractors or other authorized persons or entities that you will share Protected Information with will abide by data protection and security requirements required by your agreement with the NYC DOE: Any CPC subcontractors, authorized persons or entities will adhere to the protocols and protections set forth in Education Law § 2-d.
CPC uses several services such as internet providers like online Microsoft 365 Enterprise services and some technical vendors who support our program administrations/operations. Any technical vendors CPC retains will honor those protections for students and participant information to meet the standards of the Education Law § 2-d.
CPC has insurance in place and follows a yearly review of IT and technical processes agency wide to ensure best practices are continuously reviewed, monitored, and improved annually.
(i) When your agreement with the NYC DOE starts and ends, and (ii) what happens to Protected Information upon expiration of the agreement: Upon expiration of the DOE-funded MTAC R1155 program, or upon request by the DOE, CPC can provide the appropriate certification that destruction of data related to any protected information is completed. In general, CPC's current practices involve maintaining data for the prescribed period of time per the requirements of the funder, City, New York State or federal guidelines. After this, CPC destroys all paper documents on-site or through a third-party vendor specializing in this process/activity. Digital records are deleted and servers scrubbed.
If and how a parent, student, eligible student, teacher or principal may obtain copies of, and challenge the accuracy of, the Protected Information in the custody or control of the Contractor: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE to process requests for copies of, and challenges to the accuracy of, Protected Information in the custody or control of the Contractor. Such requests should be directed to studentprivacy@schools.nyc.gov.
(i) Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and (ii) the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): CPC uses Microsoft Office 365 Enterprise. Microsoft 365 Enterprise's data at rest is located in the United States. It also has inherent high-quality security protections. For example, in the event a staff member sends an email or shares a file through email containing personal information, Office 365 uses DLP policies to protect the information. For emails it will encrypt the message so that only the receiver can read it. A link and a pin will be sent to them to open the email. File sharing also uses the same verification method.
How the data will be encrypted (described in such a manner as to protect data security): CPC inherits the same Data Encryption provided by Microsoft on their Office 365 Enterprise platform. All sensitive information is given an extra layer of encryption, as part of CPC multifactor authentication (MFA). The user login is paired with a password and an SMS code to verify the login. CPC and our technology vendors maintain encryption, firewalls, and password protection protocols.
Circle Blocks EDU (also called PlaBook)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. PlaBook is an innovative reading technology platform designed to assist children in developing their reading skills. Leveraging artificial intelligence, natural language processing, gamification, and speech recognition, PlaBook offers a range of services to make the learning process engaging and effective. Our platform provides interactive reading exercises, personalized assessments, and adaptive learning experiences tailored to each child’s needs. Through a combination of AI-driven feedback, gamified elements, and speech recognition features, PlaBook helps children improve their reading fluency, comprehension, and vocabulary, fostering a love for reading while enhancing their overall literacy skills.
While PlaBook may collect Personally Identifiable Information (PII) from users, it is solely for the purpose of delivering personalized and tailored learning experiences. PII helps us create individual profiles, track progress, and provide targeted recommendations to optimize the learning journey for each user. However, PlaBook ensures that all collected PII is securely stored, encrypted, and handled in compliance with privacy regulations. User consent and data transparency are fundamental principles that guide our approach to maintaining the privacy and security of PII within the PlaBook program.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS S3 storage, AWS RDS Database, AWS Redis caching, Cloudflare firewall and SSL protocol.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. No one has access to the AWS server other than the applications. Access to the caching server and DB is only allowed from approved IPs. Database and caching server passwords are rotated every 6 to 9 months. We are using Cloudflare firewall protection against DDoS attacks and other known attacks. The application uses token authentication for API protection.
- Data Encryption: All personal data will be stored and transmitted using strong encryption methods to prevent unauthorized access or interception. All data is encrypted at rest and in transit.
- Access Control: Implement strict access controls based on the principle of least privilege, ensuring that only authorized personnel can access and manage sensitive data.
- Data Encryption at Rest: Use encryption mechanisms to encrypt PII stored in databases, file systems, and backup archives. Employ native encryption features provided by the database or storage systems.
- Data Encryption in Transit: Utilize secure communication protocols like SSL/TLS for encrypting data in transit between systems and during data transfers.
- Access Control and Authentication: Implement strong authentication mechanisms, such as multi-factor authentication (MFA), to ensure that only authorized users can access PII.
- Security Audits: Regular security audits and vulnerability assessments will be conducted to identify and address potential weaknesses in our systems.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Circles Learning Labs
The exclusive purposes for which Protected Information will be used: Our goal is to provide an easy, fast and reliable meeting platform. For this reason, we ask for and store minimal information; first name, last name and email. Your information is stored in a safe and protected environment (encrypted at rest and in motion).
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: We do not share data with external parties. Employees of Circles are required to sign a non-disclosure agreement when starting their work agreement with Circles.
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: All meeting data is stored for 2 hours after the end of the conference, after which it is deleted. During this time, any user can choose to download the chat from the meeting room should they wish to save the data. Additionally, a user can make notes during a meeting and share these with others later. Participant attendance to a meeting is recorded, as is the duration (much like you’d expect from a phone call record).
Action items are stored on the local server so they can be used in the next meeting. This data is private between you and Circles only. It is never given or sold to a third party.
Troubleshooting data to help detect and resolve technology problems is stored for 30 days, and automatically deleted after. This may contain user identifiers such as names/system IDs to help the support and operation teams, but no other personal information.
Upon termination of the contract all data is automatically deleted from our database. Anonymized feature data is retained to enable us to improve services by helping us understand which features of the system are most used, and which are not.
[NYC DOE comment: The current agreement became effective starting on July 31, 2020 and terminates when all NYC DOE schools and/or offices cease using Circles Learning Labs, Inc’s products/services. The terms of the agreement remain effective through the period during which Circles Learning Labs, Inc possesses or otherwise is in control of covered protected information.]
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All our data centers are based in the US in the Amazon cloud, and as such benefit from all the encryption and security measures that AWS provides.
How the data will be encrypted (described in such a manner as to protect data security): All information and data is stored in a safe and protected environment (encrypted at rest and in motion).
City Year New York
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/01/2022 – 6/30/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Data will be used to monitor progress and complete compliance reports regarding attendance rates, academic outcomes in math and ELA courses, and behavior.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Under federal law, due to our AmeriCorps grant, City Year is required to retain student data for 7 years. At the end of the retention period the data will be deleted.”
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. City Year has a comprehensive security program documented in our Written Information Security Program (WISP). We require all staff and ACMs to read and attest to following our data security and breach policies. Furthermore, we provide annual cybersecurity training and student data protection training. Access to any data requires a password and multi-factor authentication. We have a security incident process. We have selected high-quality IT cloud vendors to manage our systems with PII.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Claire Weisz Architects LLP (also called WXY)
Type of Entity: Commercial Enterprise
Contract Start Date: 9/1/2021
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. WXY will lead the development of a comprehensive review of the status of each recommendation presented in the D15 Diversity Plan. WXY will primarily use interviews and stakeholder meetings, combined with data analysis, to report on how relevant stakeholders in the D15 community have approached implementation in the three years since the plan’s release.
In the spring of 2021, WXY conducted an initial review of the status of the Plan’s implementation and synthesized the findings into a presentation Superintendent Anita Skop delivered to the CEC on April 29, 2021. WXY will expand on that initial presentation and will conduct interviews and analysis with the D15 leadership, the DOE offices responsible for implementing recommendations, and with the wider D15 community to compile a more thorough progress update. Additionally, WXY will conduct a wide range of data analysis in support of District 3 and District 13’s New York State Integration Project grants, including the analysis of student level data.
WXY will support D14’s District Equity Initiative. WXY will take responsibility for organizing and performing all work in a timely manner and ensure the various elements effectively build on one another. WXY will introduce the process to up to six identified stakeholders, collect reflections and input, and share out with D14 leadership. WXY will work closely with D14 leadership to establish a D14 Equity Working Group, comprised of stakeholders from across District 14, as deemed appropriate by the DOE. WXY will conduct data research on Equity Audit best practices and precedents. WXY will conduct data analysis in support of a district wide equity audit.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Established data management workflows will be employed when transferring, storing, and using the data. Clear roles within the Processor organization will be established at the outset of the project, distinguishing responsibilities for obtaining, analyzing, and deriving insights from the datasets. Furthermore, raw data will be formatted, analyzed, and presented using industry-standard conventions and best practices. Each of these responsibilities will be allocated based on the Processor’s policies governing confidentiality and prior experience interacting with sensitive information. Any identifiable information linked to the datasets that is unnecessary to perform the stated scope of work will be erased. Any derived products will be de-identified and presented at a resolution that is consistent with the Processor’s standards as well as the BOE’s requirements for internal use and for external publication. Clear communication channels between analysts, communications managers, project managers, and the public will be identified to interface between the Processor and BOE. These functions address the Control-P and Communicate-P functions of the NIST Privacy Framework.
Access to the raw data will be limited to personnel identified to the BOE. Each person will receive an overview of this document, the sensitivity of the Protected Information, and the repercussions of violating local, state, and federal privacy laws before finally being introduced to the dataset. The Processor intends to limit the number of personnel interacting directly with the data to the bare minimum.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Class Act Photographers
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Class Act Photographers is a school photography company providing graduation, outdoor, and senior portraits as well as yearbooks, panoramas, mosaics, composites, and ID cards. PII is used to distribute school photos for IDs and yearbooks.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Class Act Photographers acknowledges that student information, including name, address, identification number, and any other personally identifiable information, is confidential under federal and state law. We agree to maintain student information provided to us in a secure chain of custody and limit access to the information to only authorized persons within our organization having a need for the information. Student data will be transferred to Class Act Photographers via our secure Class Act Photographers portal which uses the latest SSL encryption and offers the security of a complete chain of data custody from point of submission, to receipt, to import. We acknowledge that the student information has been provided to us solely for student yearbook portraits, portrait package purchasing, student photo identification cards and for the purpose of communicating picture day details. We further agree not to disclose any student information to a third party without the prior written/digital consent of the parent of the student or, if 18 years of age or older, the student. We agree not to retain student identification numbers assigned by the District after completing our services relative to student identification cards. All data will be wiped from our database at the expiration of the portrait services agreement.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Class Companion
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 10/3/2023 – 10/3/2026
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Class Companion is an educational software that enables teachers to give instant, high-quality feedback on written assignments that the teacher can customize and control. The result of this feedback is that students receive unlimited, low-stakes practice without overburdening the teacher. Districts use Class Companion in order to: reduce student fear of failure, increase student engagement, accelerate the pace of learning, increase the energy teachers can spend on instruction and discussion, and reduce teacher burnout. Class Companion will be provided for any teacher who would like to incorporate it into their classroom workflow.
Class Companion is a two-sided web application. Teachers create accounts first. Teachers may then invite students to create accounts. Teachers have full visibility and control over how students use the platform. Teachers add assignments, students complete assignments on the platform, and students receive instant AI-generated feedback based on the teacher’s rubric and assignment design. Teachers can override any AI feedback, and students can dispute the feedback to initiate dialogue with teachers.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Render.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The Render hosting provider encrypts all sensitive data, both at rest and in transit. The underlying services automatically use industry standard AES-256 encryption for storage. All endpoints support TLS 1.2 and above for encryption in transit, with an A+ grade from SSL Labs. The Vanta automated security and compliance platform is used to ensure continuous security compliance for all employee devices.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Class Technologies
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. For the provisioning of the Class virtual classroom SaaS offering to the NYC DOE.
Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data).
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Critical, confidential, and sensitive client information and information processing systems must be physically protected from unauthorized access, damage and service disruption. Such protection will be in accordance with the physical security policy and the information classification policy.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
ClassDojo
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ClassDojo is a school communication platform that helps bring teachers, school leaders, families, and students together. Among other things, ClassDojo provides the following services through its platform:
- Communication tools to help teachers, students and parents connect with each other
- A way for teachers to give feedback and assignments to students, and other classroom management tools
- A way for teachers to share photos, videos, files, and more from the classroom for parents and students to see
- A way for parents and students to post comments and “likes” on Class Stories and School Stories
- Student portfolios, where students can share their work with teachers and parents
- Activities and other content that teachers or parents can share with students.
- A way for school leaders to see how connected their school community is, and also to communicate with parents and other teachers and school leaders
- “Dojo Island” - a virtual playground for kids and their classmates where they’ll explore a variety of activities focused on creativity and collaboration to explore, build, and live in a world with their classmates.
It’s important to note that this document does not apply to any services or products that you may use for non-school related services (i.e., ClassDojo services you use at home and not related to school).
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
“It’s important to note that this does not apply to any services or products that you may use for non-school related services (i.e., ClassDojo services you use at home and not related to school).”
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud, AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Consistent with industry standards, ClassDojo shall employ the following administrative, physical, and technical safeguards:
Infrastructure Security
- Encryption at Rest and In Transit
- Access to the ClassDojo Service occurs via encrypted connections (HTTP over TLS, also known as HTTPS), which encrypt all data before it leaves the ClassDojo Service's servers and protect that data as it transits over the internet. All of our Services are in Amazon Web Services (AWS) and served from either CloudFront or Elastic Load Balancer (ELB). We use HTTP Strict Transport Security to ensure that pages are loaded over HTTPS connections and our TLS configuration receives an A+ from Qualys SSL Labs.
- Student Data is stored at our Service Provider, AWS, and the following applies to their technical and organizational measures. In addition, we secure decentralized data processing equipment and personal computers. All personally identifiable information is encrypted at rest using modern encryption algorithms. In AWS S3, we use AES-256 with AWS managed keys, in Aurora (MySQL) we use AES-256 with customer managed keys and in Redshift we use AES-256 with AWS managed keys. Additionally, we use MongoDB with AES-256 with keys managed by AWS.
Network Security
- The ClassDojo Services use AWS, to host the infrastructure. AWS undergoes strict ongoing security assessments from external audit firms to ensure compliance with security standards including ISO 27001, SOC 2, PCI DSS Level 1, and FISMA. See https://aws.amazon.com/compliance/programs/ for more details.
- Network access to the ClassDojo Services infrastructure is highly restricted. AWS hosted infrastructure resides in a dedicated Virtual Private Cloud (VPC) which is designed to ensure that only authorized traffic over approved ports is allowed. We use ThreatStack to monitor for suspicious activity.
Patching
- We use automated processes to regularly install security updates on the infrastructure that powers the ClassDojo Services; these processes include:
- AWS Managed Services (e.g., Relational Database Service): AWS proactively notifies our engineering team when updates are available and we apply them in a timely fashion.
- AWS EC2: All EC2 instances are monitored by ThreatStack and AWS Inspector and updates are applied in a timely fashion.
- ClassDojo Application: Monitored by Snyk.io and GitHub for vulnerabilities and they are updated in a timely fashion.
Backups and Availability Control
- We have a data backup and recovery capability that is designed to provide a timely restoration of the ClassDojo Services, with minimal data loss, in the case of catastrophic failure. These backups are encrypted and stored in multiple availability zones. Additional technical and organizational measures to ensure that Student Data are protected against accidental destruction or loss (physical/logical) include:
- Uninterruptible power supply (UPS);
- Remote storage; and
- Firewall systems.
- Note: Student Data is stored at our Service Provider - currently AWS - and the above applies to their technical and organizational measures as well as any other relevant providers, such as MongoDB. In addition, we have a disaster recovery plan in place.
Physical Security
- Physical Access Controls
- Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Student Data are Processed, include:
- Establishing security areas, restriction of access paths;
- Establishing access authorizations for employees and third parties;
- Access control system (ID reader, magnetic card, chip card);
- Key management, card-keys procedures;
- Door locking (electric door openers etc.); and
- Surveillance facilities, video/CCTV monitor, alarm system.
- Note: The ClassDojo Services are currently hosted in AWS and Student Data is stored at our Service Provider - currently AWS - which employs industry-leading physical security measures to protect their data centers and the above applies to their technical and organizational measures. These security features are regularly audited by third-party auditors.
Virtual Access Control
- Technical and organizational measures to prevent data processing systems used for Student Data from being used by unauthorized persons include:
- User identification and authentication procedures;
- ID/password security procedures (special characters, minimum length, change of password); and
- Encryption of archived data media.
Data Access Control
- Access to the ClassDojo Services infrastructure is highly restricted. We limit access to individuals who need access to do their jobs such as engineers, data scientists, product managers, and support personnel. All access to our infrastructure is logged. All access to our infrastructure requires the use of strong passwords and multi-factor authentication.
- Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Student Data in accordance with their access rights, and that Student Data cannot be read, copied, modified or deleted without authorization, include:
- Internal policies and procedures;
- Control authorization schemes;
- Differentiated access rights (profiles, roles, transactions and objects);
- Monitoring and logging of accesses;
- Disciplinary action against employees who access personally identifiable information without authorization;
- Reports of access;
- Access procedure;
- Change procedure;
- Deletion procedure.
Disclosure Control
- Technical and organizational measures to ensure that Student Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Student Data are disclosed, include:
- Encryption/tunneling;
- Logging; and
- Transport security.
Entry Control
- Technical and organizational measures to monitor whether Student Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:
- Logging and reporting systems; and
- Audit trails and documentation.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Clever Prototypes (also called Storyboard That)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Storyboard That Education Edition for Teachers and Students. Storyboard That is a web-based product for teachers and students. With our Award-Winning Storyboard Creator, teachers and students can create storyboards, graphic organizers, comics, and powerful visuals to enhance their learning in all grades and subjects. We have over 5,000 resources for teachers to easily integrate Storyboard That meaningfully into their curriculum. PII Collected: IP addresses of users, use of cookies, students' school of enrollment, student grade level, student scheduled courses, teacher names, student app username, student app passwords, student first and/or last name, student generated content such as writing and pictures.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Azure.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- Privacy-centered design means that students can use Storyboard That with as little PII as possible. Student accounts and all relevant personal data may also be deleted at any time.
- To keep your personal data secure, all data is encrypted in transit and at rest.
- Data is stored in access-controlled data centers with 24/7 monitoring by Microsoft Azure, an industry-leading provider.
- Employee access to personally identifiable information is provided on an as-needed basis, to provide customer support for example.
- Employees with access to personal data are required to undergo background checks and sign a nondisclosure agreement.
- Storyboard That has signed the Student Privacy Pledge.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Clickview
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ClickView is an educational video platform specializing in K-12 video resources. ClickView lets teachers find and share video that engages students in a format they understand. The ClickView platform also lets teachers transform videos into interactive quizzes with formative assessment tools to show evidence of learning and engagement. ClickView receives PII to enable it to provide the platform to students, teachers and school or district administrators.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Administrative safeguards include the documentation of policies and processes, the allocation of roles and responsibilities, training, risk management, human resources security, asset management, access management, system hardening measures and data logging. Physical safeguards include physical security systems, entry controls, equipment maintenance, equipment security, controls against physical damage and environmental controls. Technical safeguards include encryption, firewalls, antivirus, intrusion detection system and intrusion prevention system, authentication, data retention and database separation.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Code.org
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Code.org® is a 501(c)(3) nonprofit that provides an online curriculum for teaching computer science and an online learning platform to support that curriculum. Access to its CS education platform and curriculum for free. For more information please visit https://code.org. The PII processed by Code.org is necessary in order to provide the service and retain student progress (e.g., teachers may enter a student name in the teacher’s section so the teacher can identify the student’s progress vs. that of other students).
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
“The Services are intended for use both within schools (i.e., as part of classroom sections established by teachers in the K-12 setting) and outside of school (i.e., for use at home and not for K-12 school purposes). Upon the NYC DOE’s request, following a process outlined between the DOE and Code.org, Code.org will ensure the deletion of all Code.org student accounts enrolled in a DOE teacher’s section. In the absence of a deletion request by the teacher, the DOE, or student (as the case may be), the Code.org Personal Data Retention and Deletion Policy provides for automatic deletion or de-identification of Code.org student accounts after five (5) years of inactivity.”
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Platform hosting: Amazon Web Services (AWS); Other service providers used for internal operations: AnswerDash; Atlassian; Dropbox; Google (G-Suite); Honeybadger; Slack; Tableau; Trevor; Twilio; and Zendesk.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Code.org employs a mix of physical, administrative, operational, and technical safeguards designed to reasonably protect the confidentiality, availability, integrity, and security of Student PII and Protected Information. These safeguards include, for example:
- Data Minimization. Code.org follows strict data minimization standards in order to collect and process as little Personally Identifiable Information as necessary to provide the underlying services and measure.
- Encryption of data in transit. Code.org employs industry standard encryption technology to protect information and data transmitted over the internet or other public networks.
- Encryption of data at rest. Code.org employs industry standard encryption technology to protect personal information in storage (at rest) and other non-PII in storage when commercially feasible.
- Data storage and server hosting. Code.org utilizes a leading cloud services provider - Amazon Web Services (AWS) data centers located in the United States – to host the Code.org services and relies on AWS for server and datacenter security, including restrictions on physical access to the datacenter.
- Data access control. Code.org uses role-based security architecture and requires users of the system to be identified and authenticated prior to the use of any system resources or user data. Internal asset owners are responsible for granting access based on the users’ role, and access is reviewed periodically.
- Employee Background Checks and Non-Disclosure Agreements. All Code.org employees must sign a non-disclosure agreement and pass a background check.
- Employee Privacy and Security Training. All Code.org employees are required to complete privacy and information security awareness training upon hire and periodically thereafter. Such training covers applicable federal and state privacy laws, security risks and practices, and other related information.
- Vulnerability and Patch Management. Code.org uses a variety of tools, practices and procedures to monitor and protect our data and systems. Code.org maintains a vulnerability disclosure program that fields reports from security researchers, and reports are promptly triaged, prioritized and addressed according to their severity.
- Periodic Risk Assessments. Code.org conducts periodic risk assessments and remediates identified security vulnerabilities in a timely manner.
- Data Backup and Disaster Recovery. Code.org regularly backs up production data so that it can be restored if necessary, and maintains a disaster recovery policy and process.
- Information Security Incident Response. Code.org maintains an incident management plan for data security and privacy incidents that may affect the confidentiality, integrity, reliability, or availability of systems or data.
- Passwords and Two-Factor Authentication. Code.org secures usernames, passwords, and other access means using industry standard methods, and most internal systems utilize two-factor authentication as an additional access control.
- Risk Management. Code.org employs a cross-functional risk management process to identify and manage strategic, operational, and compliance risks. A variety of methods are used to assess and manage risk, including policies, procedures, and use of industry standard tools to monitor and protect data and systems.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
CodeCombat
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CodeCombat provides a web-based computer science curriculum platform for NYC DOE schools. A minimal amount of student PII is collected in order to provide authentication, rostering, and classroom management features to students and teachers. For example, when not using an SSO provider, students are asked for usernames and passwords to provide authentication, and optionally an email address for password resets. Similarly, student first name and last initials are requested so that teachers can associate student progress to students on the web dashboard. Student PII is never used for marketing or commercial purposes.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CodeCombat Inc. agrees to abide by and maintain adequate data security measures consistent with industry standards and technology best practices, to protect PII from unauthorized disclosure or acquisition by an unauthorized person. Contractor shall secure usernames, passwords, and any other means of gaining access to PII, at a level suggested by the applicable standards, as set forth in Article 4.3 of NIST 800-63-3. Contractor shall only provide access to PII to employees or contractors that are performing Services. Employees with access to PII shall have signed confidentiality agreements regarding said PII.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
CodeHS
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CodeHS is a web-based platform that provides coding curriculum, teacher tools and resources, and teacher professional development. Student data is accessed in order for teachers to determine student accounts using our platform. Students complete assignments relating to their computer science courses.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We use several techniques to ensure that PII is protected at all times. First, we use industry standard encryption for all data at rest and in transit using AES-256, TLS 1.2, and HTTPS. All data is stored securely in AWS - employees are only able to access data within AWS if they have the necessary permissions and authorization. To minimize access, we use the Principle of Least Privilege. Additionally, data access within the app is separated from data of other clients using logical controls and user-based permissions. To mitigate further security risks, we require MFA when available, strong passwords, and hold regular security training and reviews for all employees. We also have a data deletion plan that will dispose of all PII at its "End of Life" according to our Data Deletion Plan.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
CodeMonkey Studios
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Student PII is used in order for the student to log in to their individual account and for the system to identify and monitor the student's progress.
Type of PII that the Entity will receive/access: Student PII. “We do not require the name of the student, each student will use an alias and/or the system will assign the student a unique identifier. In addition, students who are signing in through a single sign on, i.e. Clever, CodeMonkey will receive the email of the student.”
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII is accessible only to a handful of individuals within the company. Those individuals receive a bi-yearly review by our Security and Privacy officers and an update on privacy and security related issues. There are also mechanisms in the system that do not allow unauthorized personnel to enter PII, which are reviewed and updated periodically.
From a technical level, we comply with all data and privacy related matters, whether it is COPPA compliance, encryption of the data both in motion and at rest, or systems in place to monitor threats and mechanisms to deal with them, a firewall being one of them. Additionally, we constantly improve our system to industry best standards, and we have processes in place to deal with attacks, threats, downtime, etc.
From the human side of things, we have a security officer and a privacy officer who each conduct a bi-yearly training for all employees, regardless of whether they have access to PII or not. Furthermore, as mentioned, only a handful of people have access to PII. All these policies are in place and constantly being updated.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
College Board (for BlueBook Application, PSAT and SAT Tests)
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. College Board’s testing application, Bluebook™, and College Board’s test day toolkit are used by NYC DOE and its students in connection with the delivery of College Board’s SAT® Suite of Assessments and related score reporting.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Vendor selected Other: “College Board will destroy all PII upon termination of services except that which is necessary to provide students and state education authorities and the NYC DOE continued access to assessment scores and related information.”
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor and using an Entity-owned and/or internally hosted-solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. College Board takes protection of personal information seriously. College Board follows industry standard security practices to protect the personal information submitted to us, both during transmission and once it’s received. College Board is certified by third-party auditors annually, provides annual SOC 2 reporting on our information security program, and is PCI compliant. These practices help us proactively manage risks and controls. College Board never asks students, parents, or other individuals to send credit card, bank, or password information over the phone or by email.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
College Board (AP Exams)
The exclusive purposes for which Protected Information will be used: Students who choose to take College Board’s standardized national AP exam provide PISI to College Board for the AP exam. College Board uses the PISI in connection with the provision of the AP exam to NYC students. Data is used exclusively in the registration, delivery of score reports to students and schools, and test security processes associated with each of the assessments.
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: All College Board vendors are required to complete our Data Security questionnaire to identify the security controls that they have in place. After a risk assessment of each vendor is completed, any remediations are provided to the organizations. Furthermore, each vendor that stores PISI on behalf of College Board is required to agree to College Board Data Security Requirements and, in most cases as applicable, provide evidence of their compliance via a SOC 2 report.
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: At the end of the agreement, PISI collected from the students, or data that is connected to the student accounts, is retained by College Board on behalf of the students, for legitimate educational purposes including but not limited to enabling students to continue to access their assessment scores and related data from assessments. This allows students to send scores to colleges and other programs, as well as use the information to support students' direct contact with College Board. The data continues to be protected via College Board's information security management system.
[NYC DOE comment: The current agreement became effective starting on July 1, 2018 and terminates when all NYC DOE schools and/or offices cease using College Board’s products/services. The terms of the agreement remain effective through the period during which College Board possesses or otherwise is in control of covered protected information.]
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI collected through this agreement is stored within the United States. College Board does make use of cloud service providers but restricts this data to US-based regions.
College Board maintains a comprehensive, layered security program that is based upon the ISO 27001 framework. Wherever possible, it also uses the NIST Cyber Security Framework and the CIS benchmarks as guideposts for standards. The security program, which is evaluated annually by third party audits, consists of physical, network, system, data, and application security-related components. College Board maintains ISO 27001 and SOC 2 certifications, as well as PCI DSS compliance. It has a comprehensive set of policy controls, awareness training for all users who interact with PISI, and third-party risk management programs. In addition to its annual compliance audits, it engages multiple third parties to conduct assessments and penetration tests to continually evolve.
How the data will be encrypted (described in such a manner as to protect data security): All PISI data is encrypted at rest and in transit using industry standard or better practices. In transit, the College Board uses TLS 1.2 as its standard, and for data at rest it uses multiple industry standard formats such as AES-256 or better. In cases where data cannot reasonably be encrypted, a waiver and evaluation process exists, and additional mitigating controls are put in place to ensure the security of the data.
CommonLit
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.
- Software as a service: online digital reading and writing lessons
- Professional development for teachers
- Access to assessment series
- Canvas integration (rostering, grade passback, CommonLit lessons available to students on Canvas)
- Rostering support options with Clever rostering, ClassLink rostering and Google Classroom
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Amazon Web Services.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CommonLit encrypts data at rest and in motion; administrative, operational, and technical best practices are followed; staff receive training on data security and privacy and best practices. Access to facilities is limited by physical security measures (locks, etc.), and access to virtual assets is tightly controlled by a policy that limits it to the engineering and user support teams, with user support receiving less access than engineers. Credentials are regularly rotated, including upon termination or departure of any member with access.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Community Counseling and Mediation Services (CCMS)
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CCMS offers educational support to socially vulnerable students and their families, helping them stay on the path to a successful future. Services are provided at the Humanitarian Emergency Response and Relief Centers, where CCMS counselors assist families in enrolling their children in school, scheduling vaccine appointments, and navigating other NYC agencies. To provide these services, CCMS uses PII to directly assist with busing, school enrollment, vaccine appointments, and more.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Drive.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Community Counseling and Mediation Services (CCMS) is committed to protecting the privacy and security of Personally Identifiable Information (PII) in compliance with NYC DOE requirements. Below is a description of the administrative, technical, and physical safeguards we will implement to ensure the protection of PII and to mitigate data privacy and security risks.
- Secure Storage: Store personal data in secure systems with appropriate technical and organizational measures to prevent unauthorized access, loss, or destruction.
- Technical Safeguards
  - Encryption: Utilize advanced encryption technologies for data at rest and in transit.
  - Multi-factor Authentication: Implement multi-factor authentication for systems accessing protected information.
  - System Updates: Regularly update and patch software to protect against vulnerabilities.
- Administrative Safeguards
  - Training: Conduct regular training sessions for all employees on data privacy and security protocols.
  - Access: Implement strict access controls (e.g. MFA, role-based access control, principle of least privilege) to ensure only authorized personnel can access PII.
  - Policy: Develop and enforce a comprehensive data privacy policy that includes guidelines for handling, storing, and disposing of PII.
- Security Training and Awareness
  - Employee Training: Provide annual training to all employees on data privacy and security practices, and their responsibilities under this policy.
  - Policy Awareness: Ensure that all personnel are aware of this Data Privacy and Security Plan and understand their roles in protecting personal data. Provide ongoing education to keep staff updated on the latest security protocols and threats.
- Mitigation of Data Privacy and Security Risks
  - Risk Assessments:
    - Regular risk assessments to identify potential threats to data privacy and security.
    - Implementation of mitigation strategies based on risk assessment findings.
  - Continuous Improvement:
    - Regular audits and reviews of security measures to identify areas for improvement.
    - Adoption of new technologies and practices to enhance data protection continuously.
  - Vendor Management:
    - Ensuring third-party service providers comply with our data privacy and security standards.
    - Regular assessments of third-party providers to ensure ongoing compliance.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
The Community Initiatives of NY
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 1/2023 – 6/2023
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Our organization (TCIONY) focuses on teaching Social Emotional Learning inside the classroom by preparing and developing the self-awareness, self-control and interpersonal skills that are vital for school, work and life in students. Some of the topics the students will explore are: decision making, conflict resolution, positive self-image, peer mediation, mentoring, mental health, communication skills, leadership skills, entrepreneurial workshops, behavioral management, social awareness, relationship skills, self-care, job readiness and much more. We do this by facilitating small student workshops in the classroom, usually 12-15 students, as well as 1:1 mentoring. In addition to our social emotional curriculum, our organization also has a Community Engagement Team, a group of credible messengers, therapists, social workers, retired law enforcement officers and educators working to bridge the gap between law enforcement, school safety and the youth. This team focuses on youth who are at higher risk of failing academically, falling behind due to attendance, or at higher risk of behavioral or social issues on school campuses. The team aims to help change students' behaviors through mentoring, evidence-based workshops and supporting them in their decision making. We also work closely with NYPD Options in facilitating Emotional Intelligence through Virtual Reality. We have facilitators who are retired NYPD officers, as well as retired NYPD officers on our board. We are deliberately seeking to bridge the gap between law enforcement and the community, especially the youth.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Google Sheets.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The safeguards that TCIONY uses to ensure all PII data will be protected are as follows:
1. We encrypt any sensitive/PII information that must be transmitted.
2. Failed logons to our internal server will lock accounts after 2 failed attempts.
3. Any personal computer used to access information will be required to have anti-virus software and patch levels maintained on the machine.
4. Authentication will be required for all user machines at startup.
5. Accounts will be terminated within 2 hours of an employee being terminated, a staff change, suspension or change of job function.
6. Guest access will not be allowed under any circumstance!
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Community Software Solutions, Inc
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 7/1/2022 – 6/30/2023
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CSS provides software to the NYC DOE internship program. NYC DOE utilizes the software to manage the internship program. The PII that is processed by CSS and the DOE internship application is necessary for hours entry, payment processing, distribution, tax payments and reporting.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. Microsoft Azure Cloud.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Our management team works with our information technology and risk compliance team to implement administrative, technical and/or physical safeguards to ensure PII will be protected. These administrative, technical and/or physical safeguards include:
- Implementation of policies and procedures that govern human resources, information technology, information security, incident management, and data management practices performed within the company.
- Implementation of people, processes, and technology that support the implementation and operation of established policies, procedures, and practices established by management to protect customer data and PII.
- Execution of contractual obligations with third-party vendors and sub-contractors to communicate their commitments for security, confidentiality, and privacy and bind them to these commitments.
- Performance of periodic risk assessment and internal audit activities to evaluate the state of business operations and their alignment with the policies, procedures, and the protection of customer data and PII.
- Performance of periodic risk assessment and internal audit activities to evaluate third-party contractor services and practices for security, confidentiality, and privacy.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Community Studies
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/1/2021 – 6/30/2023
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CSI provides school support to 34 DOE schools, including curriculum and resource creation, professional development, and classroom coaching for school staff. PII of individual students is received in the course of communication and discussion with teachers and school leaders about school and instructional improvement efforts.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All CSI employees and contractors receive training on ensuring the confidentiality of student PII that they may receive during their work. All email communication and documents shared between employees and DOE staff are managed via cloud services platforms, which use TLS encryption. Files uploaded or created in Google Docs are encrypted in transit and at rest with AES-256 encryption.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
COMPanion Corporation
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Alexandria Library automation will be implemented at a number of schools within the DOE to manage and maintain library and curricular resources for teachers and students. COMPanion Corporation does not collect any PII for company purposes, other than patron first and last names. Patron first and last names are required to enter a patron into Alexandria Library automation to create a patron record. This information is used to identify a student or teacher for circulation purposes only. The system can assign a patron number that is not related to any patron personal information, so student PII such as school ID number or social security are not required. Our customers determine what they require for the management of their individual libraries. The DOE has the flexibility to share whatever PII information they choose with Alexandria, but as noted above, only the first and last name are required.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using an Entity-owned and/or internally hosted-solution.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. COMPanion does not sell customer data or make it available to third-party companies for commercial purposes. Any data shared with sub-contractors will be authorized by the customer. Our hosting services run on secured private networks running all current security protocols. All outside connections use secured connection protocols (HTTPS), and no outside access to internal data is permitted. Every customer database is stored separately from all other customer databases for added security.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Comprehensive Youth Development
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CYD functions as an embedded service provider within the contracted school to provide individual college and career advisement services to students. Student information is utilized to manage who is served and the units of service provided to each student. It is necessary to accurately identify the student to record and report back to the school administration the specifics of the services provided and the student’s progress within the scope of the contract. Beyond providing real-time data to the school, and providing data to the National Student Clearinghouse on behalf of the contract school, no PII is necessary or employed for outward-facing reporting. Such reporting is restricted to PII-blind, cumulative data.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Symantec. Symantec Endpoint Protection is employed on DOE workstations used by CYD staff.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All staff will be using multi-tiered authorization to access cloud-based service logs. All public-facing reporting is summary data and does not include PII.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
The Core Collaborative
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. TCC coach/employees provide professional learning on the formative practices and effective teaming protocols for educators. Our coaches will teach educators protocols to analyze data (numeric scores, numeric grades, assessment item responses) to understand their professional impact on student learning, and determine instructional next steps. NYCPS educators will look at their classroom data reports using their assessment systems and written student work without names. TCC Coaches will ask intentional questions to guide analysis of NYC educators getting at the root cause of student performance.
TCC coaches/employees may potentially access PII during our process but we do not collect, process, or transmit data from the NYCPS systems or assessment platforms.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: TCC does not store or receive PII data. TCC only accesses/may access PII, therefore there is no need to delete or destroy.
Challenges to Data Accuracy. The Core Collaborative is not storing PII.
Security and Storage Protections. Describe where PII will be stored or hosted. The Core Collaborative is not storing PII.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All Core Collaborative coaches and employees are trained in federal and state requirements concerning privacy and data security annually. TCC may access student PII during our process but does not collect or receive PII data. If there is a breach or unauthorized disclosure, we will contact the district superintendent and principal within 24 hours as required by regulations. Upon detection of a potential incident, TCC will assemble a response team comprised of IT security professionals, legal advisors, and relevant stakeholders to address the situation. To prevent further disclosure, immediate actions will be taken, such as suspending access to affected systems, implementing additional access controls, and patching security vulnerabilities. At the NYCPS's direction, we will notify affected individuals such as students and parents/guardians about the incident, its impact, and the steps being taken to address it. We will cooperate fully with any investigation with the NYCPS and law enforcement.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. No PII will be stored or hosted by Entity.
Coughlan Companies (for Buncee)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Buncee is a K-12 creation and communication tool that allows students, educators, and administrators to create and publish original and authentic content. This platform is delivered through Buncee for Schools & Districts or Buncee Classroom. These products do have individual student accounts. Buncee for Schools & Districts accounts can be created by syncing Google Classroom or Microsoft 365 roster data with Buncee, or manual upload via CSV. Buncee Classroom accounts can be created by manual entry or manual upload via CSV. The Vendor will provide an access point for students to create projects that are student friendly. Students can easily use interactive content that supports accessible reading experiences. Buncee is a web-based application that can be used on any device.
The purpose of data processing is to allow Vendor to provide the requested Services to a school and perform the obligations under the Agreement. More specifically, the purpose of processing data is to enable school oversight and ensure appropriate structure and interaction within a school account. The processing of data enables the interaction, communication, creation and sharing within the classroom/school/district account; allows educators and/or administrators to monitor accounts, set permissions and deliver educational content; allows educators to differentiate and personalize a student’s educational experience; and provides the administrator-educator-student hierarchy within the account. Vendor requires data capture and use for the following reasons:
- To confirm the identity of students and educators/administrators
- To provide educational services and content
- To allow subscribers to create and manage classes, personalize and differentiate instruction, and monitor and assess student progress
- To allow subscribers to monitor and safeguard student welfare
- To allow subscribers to set creation and sharing permissions and privacies schoolwide
- To inform existing subscribers about feature updates, site maintenance, and programs/initiatives (does not include student subaccounts).
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
Only those who need it to perform their duties should have access to data.
- Training and guidance is provided to all employees that will be accessing and handling data (including more specifically, student data)
- Background checks are performed on all employees
- NDAs are signed by employees at the start of employment
- All access to systems and data is revoked upon employment termination
- All data stored electronically is kept secure by taking the following precautions:
  - Use strong passwords that should never be shared
  - Servers are protected by security software and a firewall
  - Backup data frequently
  - Never disclose PII to unauthorized people within or outside of Capstone
  - Routinely monitor systems for security breaches and attempts of inappropriate access.
Measures to Protect Data: Capstone Digital Products use HTTPS connections to secure transmissions. A combination of firewalls, security keys, SSL certificates, and non-default username/password credentials secure data access. Additionally, the Buncee application has the following preemptive safeguards in place to identify potential threats, manage vulnerabilities and prevent intrusion:
- All security patches are applied routinely
- Server access logging is enabled on all servers
- Fail2ban (an intrusion prevention software framework that protects servers from brute-force attacks) is installed on all servers and will automatically respond to illegitimate access attempts without intervention from engineers
- Our database servers are not publicly accessible via the internet.
- SSH key-based authentication is configured on all servers
Capstone Digital Products use HTTPS connections to secure transmissions. The HTTPS you see in the URL of your browser means when you go to the website, you're guaranteed to be getting the genuine website. With HTTPS in place, all interactions with Capstone Digital Products will be undecipherable by an outside observer. They are unable to read or decode data. HTTPS is the same system that many sensitive websites, like banks, use to secure their traffic.
Capstone Digital Products use SSL security at the network level to ensure all information is transmitted securely. All content (i.e., photos, video, audio, and other content added to your Buncees in PebbleGo Create and the Buncee products) is encrypted at rest. All passwords are encrypted using modern encryption technologies.
Account information is stored in access-controlled VPCs operated by industry leading partners. All user information is stored redundantly and backed up in geographically distributed data centers. We utilize multiple distributed servers to ensure high levels of uptime and to ensure that we can restore availability and access to personal data in a timely manner.
The Buncee application is hosted on cloud servers managed by Amazon Web Services, who is compliant with security standards including ISO 27001, SOC 2, PCI DSS Level 1, and FISMA. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels. These data centers are staffed 24/7/365 with onsite security to protect against unauthorized entry. Each site has security cameras that monitor both the facility premises as well as each area of the datacenter internally. There are biometric readers for access as well as at least two factor authentication to gain access to the building. Furthermore, physical access to our servers would not allow access to the actual data, as it is all protected via encryption.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Council for Aid to Education
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CAE develops assessments that evaluate critical thinking, problem solving, and effective written communication. CAE also provides online delivery of a pre-designed College and Career Readiness Assessment (CCRA+) for students grades 6 through 12, which is delivered online through CAE’s administration platform. Results are analyzed and reported at multiple levels including student, classroom, institution, and district.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. For the unique student identifier and associated assessment scores, the following safeguards are in place and continuously assessed:
- Administrative - access controls, data security training
- Technical - encryption, firewalls, intrusion detection
- Physical - secure facilities, access control to equipment.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Counseling in Schools
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Counseling In Schools provides services to students, students’ family members and school staff that support emotional well-being and social skill development. Before any student can receive the services of one of our programs, we must receive contact information for students’ parents/ guardians so that we may inform them of our services and request their consent for the student to participate in our services. As part of the request for consent, we explain to parents/ guardians that indicators of our impact will include attendance, academic and behavioral data collected by the Department of Education. If consent is received, in order to track progress against the above identified indicators, we request the students provide us with their Student ID, otherwise known as their OSIS number (Office of Student Information System).
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Citrix: Sharefile and YouthinMind: SDQ Scoring” and “Using an Entity-owned and/or internally hosted-solution,” and “Other: Physical records are stored in locked cabinets in the schools we serve.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Counseling In Schools only uses software that holds PII that is FERPA compliant. All staff are informed of our data security policies and trained in how to keep information secure. In addition, we have engaged a data security consultant that reviews our data security systems and provides on-going security training of staff and monitoring. Any potential breaches or unauthorized attempts to access data we store are quickly reported and responded to by this consultant.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Coursemojo
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 9/16/2024 – 6/26/2025.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.
- Coursemojo's product, “Mojo,” is a web-based, curriculum-aligned, AI-powered tutor that helps educators differentiate instruction by diagnosing gaps for each student and then providing them with targeted, Socratic, one-on-one and small group support. Mojo helps teachers and all students (including multilingual learners, students with IEPs, struggling readers, and advanced students) be successful with your district’s chosen ELA texts and writing assignments. In addition to direct support for students, Mojo provides grading support and generates reports for teachers, enabling them to be more targeted and effective in their facilitation of class discussions.
- Provide licenses and support for the implementation of Mojo, an AI-powered assistant teacher.
- We will access and collect the following (shared via Clever, and interactions with the product): Identifier and Enrollment Data, such as name, email, school / state ID number, username and password, grade level, homeroom, courses, teacher names
- Most of Coursemojo’s Products require some basic information about who is in a classroom and who teaches the class—student or teacher Identifier and Enrollment data. This information is provided to Coursemojo by our School Customers, either directly from the School Customer’s student information system or via a third party with whom the School Customer contracts to provide that information.
- Upon expiration or termination of the Agreement, Coursemojo will destroy/delete all PII. While the Agreement is active, Coursemojo will store PII in a separate table, isolated from all other datasets.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Coursemojo maintains a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of students’ personally identifiable information against risks—such as unauthorized access or use or unintended or inappropriate disclosure— through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information.
We perform regular internal and external security scans. In addition, Coursemojo will periodically perform additional penetration testing and/or other relevant threat assessments and will perform subsequent remediation efforts based on the findings of these assessments.
We use industry standard encryption technology to protect data transmitted over the internet.
The Coursemojo website is hosted on Amazon Web Services (AWS), and we rely on Amazon for server and datacenter security. All data on AWS is encrypted at rest in accordance with Amazon’s security practices.
Coursemojo uses role-based permissions to limit access to sensitive data and systems to our personnel who need it for a legitimate business purpose.
We follow industry best standard practices in developing our software.
Laptops provided to our employees for work purposes are managed to ensure that they are properly configured, regularly updated, and tracked. Our default configuration includes full-disk encryption of hard drives, on-device threat detection and reporting capabilities, and lock when idle for a specified amount of time. All laptops are securely wiped before we re-issue or dispose of them.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Creative Connections
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Creative Connections provides critical wrap around Community School services and student supports intended to serve the whole child. Services focus on the four pillars: Collaborative Leadership & Practice, Family & Community Engagement, Expanded Learning Time, and Wellness & Integrated Support through the following programs:
- COLLEGE CONNECTIONS 1 (CC1): CC1 is a beginner’s exploration of the college process. CC1 helps students identify the initial steps in planning for their educational future.
- COLLEGE CONNECTIONS 2 (CC2): CC2 is a detailed exploration of the college application process. It is designed to help 11th and 12th grade students apply to colleges and secure loans and scholarships.
- CAREER CONNECTIONS (CC): CC guides students through activities and experiences that help them explore what their strengths and passions are, and how they connect to an exciting career choice.
- ELEMENTARY & MIDDLE FUTURE CONNECTIONS (EFC / MFC): EFC & MFC engage students through interactive activities that are designed to give them a practical insight into careers while learning how to create a vision for their future.
- BOYS & GIRLS CONNECTIONS (BC / GC): BC & GC empower students through social and emotional learning to develop skill sets such as conflict management, self reflection, and relationship building.
- FINANCIAL CONNECTIONS (FC): FC is a middle and high school program that addresses the fundamentals of basic personal financial planning and money management.
- TEEN ENTREPRENEUR CONNECTIONS (TEC): TEC introduces students to the exciting world of the entrepreneur, by having students create and run their own small business.
- ART CONNECTIONS (AC): AC introduces students to the exciting world of art, and connects them to possible future careers.
- PROFESSIONAL DEVELOPMENT WORKSHOPS: Goal oriented, interactive workshops centered around goal setting, team building, managing change, developing leaders, and more.
- PARENT WORKSHOPS: Parents will learn about financial aid, the college process, and more.
It is necessary for the Entity to receive or access PII, such as the student's name, personal identifiers, the student number, the student's date of birth, etc., to conduct the services in order to effectively communicate with all relevant stakeholders (in the mode most conducive to them), track/document/update improvement metrics, and drive tangible outcomes.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Google and/or Microsoft cloud.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- Creative Connections and any subcontractors and/or affiliates will (at all times during the Term) use encryption to protect personally identifiable information in its custody while in motion or at rest and implement appropriate safeguards to protect the Personal Information that are no less rigorous than accepted industry practices (such as ISO 27002, ITIL or COBIT or other industry standards of information security), and will ensure that all such safeguards, including how Personal Information is processed, comply with applicable data protection and privacy law and comply with the terms of the contract.
- Creative Connections shall implement and maintain a written information security program, including appropriate policies and procedures that are reviewed for new risk assessments at least annually. Such obligation shall continue throughout the contract term.
- At a minimum, Creative Connections’ information safeguards shall include: (a) secure business facilities, data centers, paper files, servers, back-up systems and computing equipment including, but not limited to, all mobile devices and other equipment with information storage capability; (b) network, device application, database and platform security; (c) secure transmission, storage and disposal; (d) authentication and access controls within media, applications, operating systems and equipment; (e) encryption of Personal Information; (f) encryption of Personal Information when transmitted over public or wireless networks; (g) access controls, including logging of all access and exfiltration, and retention of such access control logs for a period of no less than one (1) year; (h) conducting external and internal penetration testing and vulnerability scans and promptly implementing a corrective action plan to correct the issues that are reported as a result of the testing; and (i) limiting access of Personal Information, and providing privacy and information security training to staff.
Creative Connections and its employees will adopt the following measures:
- Employees will not at any time during or after affiliation with Creative Connections (CC) disclose CC Confidential Information to which they have or had access in any form (i.e., electronic media, paper, verbal, etc.) to any unauthorized individuals.
- Employees will not access any record(s) they are not authorized to, including but not limited to the student or family records of any program member or co-worker.
- Employees will utilize and access only the minimum amount of information necessary for performance of their duties.
- Employees will not access or request data on students for whom they have no professional relationship and/or legitimate CC-related purpose. If a given employee has reason to believe that the confidentiality of his/her user log-in has been compromised, he/she will immediately ensure that the password is changed.
- Employees will respect the confidentiality of any reports and handle, store and dispose of these reports when necessary.
- Employees will not install or operate any non-licensed software on any CC computer.
- Employees understand it is against CC policy to electronically communicate student information to others outside of the CC/ school network.
- Employees are responsible for all e-mail messages generated from their e-mail accounts.
- Employees understand that the use of e-mail is for business purposes, however limited personal use is acceptable.
- Employees understand that the e-mail administrator may monitor CC e-mail if non-compliance with the electronic messaging policies is suspected.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Creative Response to Conflict
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 5/1/2023 – 6/30/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Creative Responses to Conflict (CRC) will provide services through the community schools program. CRC will provide workshops in conflict resolution, restorative practice, problem solving, and mediation and training for students, staff and parents. PII is needed to track attendance and communicate programmatic information.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- All data will be kept in a secure location with limited access to employees with a legitimate need. Physical files will be kept in a locked office/cabinet.
- All documents will be reviewed at the end of the day to ensure that nothing is missing or has been tampered with.
- CRC will keep the least amount of data needed for the functioning of the program.
- All communications will be handled through DOE managed channels.
- All staff will be trained in security best practices to ensure that data is always handled appropriately.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. “No data is being stored electronically by CRC.”
The Crenulated Company
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/1/2023 – 6/30/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Crenulated Company Ltd will provide Community School services to the DOE School Community at Claremont International High School. Services will include mental health advisement, community events, legal support, etc. The Crenulated Company Ltd. needs to access PII so that we can communicate and provide services to our students and their families and accurately track our work and report on student outcomes.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce as a cloud service provider.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Crenulated Co. Ltd. will use industry standard data encryption technology to ensure PII will be protected. We will use all reasonable, appropriate, practical and effective security measures to protect important processes and assets in order to achieve its security objectives of confidentiality, integrity, and availability of information. In order to ensure PII will be protected, New Settlement shall limit information system access to authorized users and encrypt student data in our password protected Salesforce data system. Additional safeguards include but are not limited to:
- Use of a firewall to protect access to our system
- Data Encryption
- Regular security audits
- Regular updates to our operating and security systems
- Use of a mobile device management system
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Curriculum Associates (for i-Ready)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.
- i-Ready Assessment: Designed to give a full picture of student performance and growth in Reading and Mathematics by giving deep insights into student needs to connect instructional resources to classroom action.
- i-Ready Personalized Instruction delivers powerful online lessons that motivate students on their path to proficiency and growth. Driven by insights from the i-Ready Diagnostic, i-Ready’s lessons for Grades K–8 provide tailored instruction that meets students where they are in their learning journey and encourages them as they develop new skills.
- Toolbox: A flexible digital collection that gives teachers the tools they need to implement whole class, small group, and individualized instruction that meets the needs of all learners
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- Access to production servers is limited to a small, identified group of operations engineers who are trained specifically for those responsibilities.
- The servers are configured to conduct daily updates for any security patches that are released and applicable.
- The servers have anti-virus protection, intrusion detection, configuration control, monitoring/alerting, and automated backups.
- Contractor conducts regular vulnerability testing.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Currier, McCabe and Associates (also called CMA Consulting Services)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 8/1/2023 – 7/31/2025
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. CMA proposes to implement a custom software solution to modernize and streamline disparate and dated legacy systems utilized by the Office of Pupil Transportation to support its critical mission of safely and effectively transporting 150,000 student riders annually. This new system will improve scheduling, communication, specific requests from parents, necessary passenger accommodations and better provide for the current and emerging needs of the diverse population it serves.
To achieve this objective, CMA will require access to student PII data to ensure the unique identification of individual students. Specifically, this information is needed in order to properly identify students, as something as simple as the use of first and last names is often not enough. Where this is the case, access to and use of parent names, address and other factors is necessary. It is key to uniquely identify each student in order to provide the best alternatives and service needed for their safe and proper transportation.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CMA will encrypt PII in transit and at rest. Data will be stored in a physically secured Data Center with environmental controls and backup power. Data will be backed up to a secure disaster recovery site in Forest Hills, NY. IT staff’s access will be role-based, and the least privilege needed to perform their tasks will be assigned to them. IT staff receive training on security and privacy awareness. HR conducts background checks of IT staff prior to employment. The application environment is monitored to ensure the system is available as required, and access to the data is controlled and restricted by user need to know. Networks are secured and monitored for inappropriate activity.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Custom Computer Specialists, LLC and Infinite Campus, Inc
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Custom Computer Specialists will provide implementation and support services for a product called Infinite Campus. Infinite Campus is a student information system used to track data related to students and student learning. This includes student demographics, schedules, attendance, grades, and other student related information. During the implementation and in supporting a school, employees from Custom Computer Specialists will have access to, or in some cases view, data classified as PII.
Type of PII that the Entity will receive/access: Student PII, APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data)
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected Other: “Neither Custom Computer Specialists nor Infinite Campus will share PII with subcontractors, outside persons, or third-party entities. Custom Computer Specialists and Infinite Campus (two organizations) both have access to PII as a function of our relationship. Infinite Campus develops software and hosts the data. Custom Computer Specialists implements, supports, and provides the services for the software.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII and “allow NYC DOE to download a copy of the data before secure deletion, or a flat file can be provided at Entity’s then current price.”
In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: “The parent, student, eligible students, teachers, or principals may seek copies of their PII, or challenge the accuracy of the PII by contacting their local education agency, which is responsible for the data.”
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution, and “If selected by an LEA, the data may be stored in an authorized cloud provider in the future.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Please see https://www.infinitecampus.com/policies/ferpa-compliance-and-student-data-privacy-policy.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Cypress Hills Local Development Corporation (CHLDC)
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/1/2021 – 6/30/2024, extended to 6/30/2027
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The project that CHLDC conducts is identifying high school students from disadvantaged backgrounds with potential for education at the postsecondary level and encouraging them to complete secondary school and undertake postsecondary education. This project is funded by the federal Department of Education via a five-year grant. CHLDC does not conduct any evaluation or research that is not required by a government funder. Instead, the exclusive purpose for receiving or accessing PII is to prepare aggregated and de-identified performance reports required by funders in order to share results on desired short-term outcomes of the program. On an annual basis, to comply with stipulations of the grant, we report on the number of students served through an aggregated report of participant demographics (e.g., age and race/ethnicity), secondary school persistence (e.g., grade promotion from one school year to the next), secondary school graduation (e.g., discharge data), and postsecondary enrollment of the participants. No individual PII is shared with a funder.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using an Entity-owned and/or internally hosted-solution.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. CHLDC has created a “CHLDC Data Privacy and Security Plan” that states the steps taken to maintain appropriate administrative, technical and physical safeguards in accordance with industry best practices and applicable law to protect the security, confidentiality and integrity of Protected Information in our custody. It is a plan to adhere to BOE Information Security Requirements. Our administrative practice is to request only the data from NYC DOE that is essential for meeting the reporting requirements of restrictive grants that provide the funding for services to students. The request is made only by the Division Program Director or higher. The information provided by NYC DOE will only be shared with CHLDC’s Director of Evaluation via encrypted email. CHLDC uses the Software as a Service (SaaS) relational database Efforts to Outcomes (ETO) licensed by Social Solutions Global (SSG). As per SSG, ETO is “built to handle multiple partners, high volumes of programs, advanced security protocols, and multifaceted reporting and analytics initiatives.” One feature is that it is compliant with HIPAA, FERPA, HUD, FedRAMP and NIST. Each year, CHLDC asks authorized ETO users to sign a “Database Access and Confidentiality Agreement” as a pledge and nondisclosure agreement in their engagement with the data in the database. CHLDC never sells or releases any of our program data for any commercial purposes. None of the required program reports we submit to funders include any itemized data or any hint of PII. We destroy any files of PII data shared by NYC DOE once we have updated our records.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
D2L
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 7/1/2021 – 6/30/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Provision of a Learning Management System and related services to NYC DOE.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII; and Make all PII available for retrieval by NYC DOE.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data is hosted in secure facilities operated by Amazon Web Services. All data in transit is protected using TLS 1.2 protection. All data at rest is encrypted with AES256 at file object level.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Dare to Revitalize Education thru Arts & Mediation! (DREAM!)
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Restorative Practices training for parents. Upon service delivery, DREAM! requires participants to fill out pre-training and post-training evaluation forms which include the borough they reside in, their ethnicity, sex, and age. This allows us to track whom we are serving and having the most impact with.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Hard copies stored in secured office and secure file cabinet.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. DREAM! has a process in place to help make sure that staff who have access to PII agree to comply with the law and help protect the information by 1) signing an agreement with data privacy and security requirements; and 2) keeping PII in a designated locked physical cabinet and office area, not to be shared or copied, sold or released for any marketing or other commercial purposes, or any purposes at all.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Only physical records will be stored.
DataClassroom
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. DataClassroom is an online web application for teachers and students to work with scientific data, for example that produced in lab experiments during school work. The only PII DataClassroom needs is for authentication (so the users can log in) and is limited to that exposed by the LMS in use. (If individual user accounts are created, then a name and email address are required). Rostering information (class membership) can also optionally be imported from the LMS or typed in manually.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Information can be either securely destroyed or transferred as requested by the customer when it becomes applicable.” In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor. All data is stored encrypted on infrastructure maintained and held secure by our cloud storage provider, Amazon Web Services (AWS) in a location in the USA.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Access to the cloud infrastructure containing customer data and administrative access to the same information is limited to specific trusted employees of DataClassroom Inc. Access is revoked on termination, and all new employees must read and sign a declaration that they will abide by the company data security strategy, including non-disclosure of customer data. MFA authentication is mandatory. Employee hardware such as laptops must be fully updated with security patches and industry-standard anti-malware/firewall software. Access to the physical storage locations is protected by the cloud service provider AWS.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
David Kestenbaum (also called Color Keys)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Our Learning Management System (LMS) software enables teachers to manage the assignment of educational content to students. Students get instant feedback, leading to formative assessment and providing the ability to correct their mistakes. Teachers are able to view rich analytical data to drive instruction and provide personalized support. Teachers are provided tools in the platform that enable them to individualize the students’ classroom experience and work at their own guided pace. The LMS application is used to manage 2 student-facing products:
- Thumbprint: The Thumbprint product provides modules for language learning, multiple choice, and other task types organized into assignments that are sent to students. Included in the product are thousands of premade tasks and assignments that teachers can leverage. Regarding PII:
  - Name: allows the teacher to know which student they are interacting with.
  - Email: used for password reset, account recovery, and other access-related communications.
  - Student ID: system ID used for integration between data in our application and school systems.
- ColorKeys: Our music software enables students to learn the pedagogy of music playing while having an interactive and personalized experience along the way. Students have their own accounts, saving their materials from week to week. Students watch animated videos, play interactive games, engage in multiple choice quizzes, and practice and play songs. The program allows each student to move along at their own pace. Students come out learning how to play and understanding the fundamentals of music theory. Regarding PII:
  - Name: allows the teacher to know which student they are interacting with.
  - Email: used for password reset, account recovery, and other access-related communications.
  - Student ID: system ID used for integration between data in our application and school systems.
Our Professional Development division provides general PD to teachers in an array of areas. We provide PD to teachers using our proprietary software (thumbprint) and train them as more updates are created. We also provide PD in teaching methodologies and strategies, including but not limited to Blended and Personalized Learning, stressing diversity, equity, and inclusion in all our offerings.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor, i.e. AWS RDS.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The product features an authorization and role-based permissioning system that carefully limits a user’s access to PII. For example, a teacher may see PII for their students, but not for students in the same school with whom they do not have a teaching relationship. Within our working environment, all PII data is encrypted in motion and at rest, all credentials are encrypted and protected with 2FA where available, antivirus and logging are used to prevent and detect malicious activity, and the network is secured by numerous policies and procedures to contain PII to the smallest portion of the network possible. All staff are vetted and trained to avoid accidental or malicious disclosure of PII, and company policies and software are designed to prevent such disclosures as well.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Davis Publications
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Davis Digital is a cloud-based platform that provides access to our rich, meaningful instructional materials, lessons, and teaching resources. The Davis Digital platform allows students and teachers remote or in-class access to eBooks, fine art images, videos, and Portfolios from any computer or tablet with an Internet connection. The platform allows the option of working from home, the classroom, a computer lab, or any combination. With added features and flexibility, our comprehensive platform is designed specifically for K-12. In addition to the K-12 eBooks for students and teachers, the Davis Digital platform provides full access to thousands of fine art images from around the world. You’ll also enjoy tools for lesson planning and delivery, and online portfolios to showcase student work.
PII is used to create user accounts for students and teachers in Visual Art. PII is also used for troubleshooting and debugging purposes when responding to user support requests.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- SSO/Oauth2 integration with the Davis Digital Platform.
- Stored user data encrypted at rest with AWS KMS keys, including backups, read-replicas and snapshots.
- SSL/TLS encryption in transit between client and DBN instances.
- Database endpoints are NOT publicly accessible. Security and firewall rules to allow connections only from within the internal VPC.
- Master credentials stored securely in password manager vault requiring 2FA authentication.
- Access to production infrastructure is privileged, and only accessible from within the internal network.
- As an additional precaution, all sensitive data within the system is salt hashed.
- AWS maintains all virtual and physical servers that contain PII.
- Davis employees have been trained annually in working with PII, signed confidentiality agreements, and have passed criminal background checks.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Delightex GmbH (for CoSpaces Edu)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Delightex GmbH is a software company that has developed the platform CoSpaces Edu for use in education by students and teachers. Adaptable to any age or subject, CoSpaces Edu lets students build their own 3D creations, animate them with code and explore them in captivating ways, including Virtual and Augmented Reality.
Working with CoSpaces Edu develops digital literacy and 21st Century learning skills such as collaboration and coding, which prepare kids for their future while empowering them to become creators. The platform can only be used with an account. PII is used to create these user accounts and to track and store student content within their accounts.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. How we keep your students’ data safe:
- We use SSL security for safe transmission of your data and AES-256-GCM for data at rest.
- Passwords are salted and hashed using PBKDF2.
- We do routine security audits and monitoring to ensure security and system integrity.
- User data is stored and backed up in geographically distributed servers operated by industry leading partners. Data will be stored according to the user’s respective location on servers located either in Europe, the United States or Asia Pacific.
- Access to personally identifiable information is restricted to specific employees only.
- All employees undergo a background check and sign a non-disclosure agreement before beginning their employment with us.
- Employees lose access to all company and product systems and data when terminated.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
DeltaMath Solutions
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 1/26/2022 – 6/30/2025
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Access to and use of deltamath.com, an online platform for the teaching and learning of mathematics.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data is housed on AWS servers in Ohio, USA and is protected both physically and via data encryption. Data is encrypted both in transit and at rest. Data is only accessed in the case of a legitimate educational purpose and, if so, from registered IP addresses. All employees with access to data undergo criminal background checks and are trained, both on hire and annually thereafter, in the requirements of federal, state, and local privacy laws.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Diarmuid (for Great Leaps Digital)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Diarmuid Inc. requires PII in order to maintain accurate and relevant student performance data in the Great Leaps Digital program. This is necessary for progress reports provided by instructors and administrative oversight to help ensure the fidelity of implementation. This data is also used to determine the effectiveness of the intervention with NYC DOE students. Diarmuid Inc will be providing the Great Leaps Digital platform that contains subscription based products in reading and basic math facts.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., DigitalOcean.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Diarmuid will neither retain nor incorporate any of the Confidential Information into any database or any medium other than that which may be required for it to provide the Services and agrees to maintain appropriate administrative, technical, and physical safeguards in accordance with industry best practices and applicable law to protect the security, confidentiality, and integrity of information that can be used to identify or link to current, future and former users in its custody. Diarmuid's safeguards and practices align with the NIST Cybersecurity Framework, and include sufficient (A) data privacy protections, including processes to ensure that Personally Identifiable Information, such as student names, birthdates, demographic information and educational performance is not included in public reports or other public documents; and (B) data security protections, including data systems monitoring, encryption of data in motion and at rest, an incident response plan, limitations on access to sensitive and identifiable information that may link to current, future and former users, safeguards to ensure that said information is not accessed by unauthorized persons when transmitted over communication networks, and destruction of the aforementioned sensitive information when no longer needed.
Diarmuid uses encryption technology to protect this information while in motion or in its custody from unauthorized disclosure, and conducts periodic digital and physical risk assessments to remediate any identified security and privacy vulnerabilities in a timely manner. Additionally, Diarmuid incorporates various technical safeguards to protect the needed student information and data that we collect. The database servers are behind a firewall so that only their other servers can connect to the database. The program is built to ensure that any user account logged into the system is only able to access data about themselves and any students they are teaching, and each student is isolated from each other throughout our system. Diarmuid also limits access to customer data from employees and uses an internal tool to limit the interactions with customer data for authorized internal users. When generating any internal reports, Diarmuid minimizes the amount of sensitive information to just student performance and runs any necessary information that might identify a user through an anonymizing function so it cannot be linked back to the original student. Diarmuid also uses HTTPS with TLS 1.2 or later on any connections that customers make to the server to make sure the data transmitted back and forth is private. If Diarmuid becomes aware of any breach of our system, it will follow the steps outlined by its Data Breach Response Plan, including containing the breach, remediating the access, disclosing to affected users as appropriate, and reviewing and enhancing security measures to prevent further breaches.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Digital Age Learning
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 10/3/2022 – 7/1/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Digital Age Learning Inc is the lead CBO partnering with multiple Bronx schools to provide after school services to students. The program is funded by NYSED OCFS and NYSED 21st CCLC grants. Digital Age Learning Inc. provides arts and technology integrated residencies to students as well as after school support for academic intervention and enrichment, athletics activities and STEAM based activities. The goals of the program include attendance improvement and increases in family engagement. Digital Age Learning Inc. requires PII data to verify student participation in its afterschool activities for the purpose of reporting on student attendance, which is required for invoicing and payment for services provided aligned with our NYSDOE contract. Digital Age Learning has access to PII data when they are working in schools. Digital Age Learning does not keep any PII on paper records.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Digital Age Learning will access data using the DOE systems only.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Digital Age Learning will only use the contracted DOE youth services.net system and EZ reports for the data entry of all student information required for student enrollment and attendance. All access to student data will be secured at the schools and only accessible by NYCDOE personnel with appropriate login credentials to NYCDOE systems.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Dignity of Children (for iDEAS Empowered by Youth)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. iDEAS Empowered by Youth incorporates Project Based Learning (PBL), which is used as an inquiry-based teaching method that engages learners in knowledge construction by having them accomplish meaningful learning projects and develop real-world products. Students learn through the creation of a tangible product where students are focused on a shared goal and are provided with some end product specifications from the instructor. Researchers have found that PBL supports the development of 21st-century skills (Musa Mufti, & Latiff, 2012). iDEAS Empowered by Youth incorporates PBL in the curriculum where youth have to create projects ranging from documentaries, digital art portfolios, business proposals, and public service announcements. The PII will only be accessed for attendance purposes.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. “PII will only be accessed for attendance purposes and used in communications with DOE and/or staff including emails.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. To ensure the protection of Personally Identifiable Information (PII) and mitigate data privacy and security risks, Dignity of Children has implemented a comprehensive set of administrative, technical, and physical safeguards:
- Administrative Safeguards:
  - Clear Policies and Procedures: Dignity of Children has established detailed policies and procedures governing the handling, access, and use of PII. These policies are regularly reviewed and updated to reflect the latest best practices and regulatory requirements.
  - Access Controls: Access to PII is restricted to authorized personnel only, with role-based access controls implemented to limit access to sensitive information based on job responsibilities. All data will be stored and retained by the school and no data will be taken outside school premises.
  - Training and Awareness: All employees undergo regular training on data privacy and security practices. This includes training on recognizing and responding to security threats, as well as understanding their roles and responsibilities in protecting PII.
  - Incident Response Plan: Dignity of Children has developed a robust incident response plan to effectively address and mitigate data privacy and security incidents. This plan includes procedures for reporting incidents, conducting investigations, and implementing corrective actions.
- Technical Safeguards:
  - Encryption: PII is encrypted both in transit and at rest to prevent unauthorized access or interception of sensitive data.
  - Firewalls and Intrusion Detection Systems: Dignity of Children utilizes firewalls and intrusion detection systems to monitor network traffic and detect and block unauthorized access attempts.
  - Secure Authentication: Strong authentication mechanisms, such as multi-factor authentication, are used to ensure that only authorized users can access PII.
  - Regular Vulnerability Assessments: Regular vulnerability assessments and penetration testing are conducted to identify and address potential security vulnerabilities in systems and applications.
- Physical Safeguards:
  - Access Control Measures: Physical access to facilities where PII is stored or processed is restricted to authorized personnel only. This includes the use of access badges, biometric authentication, and surveillance systems.
  - Secure Storage: PII is stored in locked cabinets or secure server rooms to prevent unauthorized access.
  - Secure Disposal: When PII is no longer needed, it is securely disposed of using methods such as shredding or degaussing to ensure that sensitive information cannot be reconstructed or retrieved.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Directions for Our Youth
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/1/2023 – 6/30/2025
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Learning to Work services for students, which include counseling, internship placements, and college counseling.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor wrote “LTW staff only share student data and outcomes on the required dashboard with the DOE Office of Student Pathways. As the funder, the Office of Student Pathways requires monthly student data for each program be entered on Google sheets.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. “LTW staff only share student data and outcomes on the required dashboard with the DOE Office of Student Pathways. As the funder, the Office of Student Pathways requires monthly student data for each program be entered on Google sheets.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Directions for Our Youth will only have access to student information for internships and to assist with financial aid applications for college as provided by the school. The data will be used for these purposes only and is not shared with other staff or programs. The data is recorded using the required dashboard from the DOE Office of Student Pathways, as required by the funder.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Discalced (also called Mark Morris Dance Group)
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 1/1/2023 – 12/31/2028
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Discalced, Inc., doing business as the Mark Morris Dance Group (MMDG), will conduct program evaluations throughout and at the conclusion of each in-residency and partnership. The purpose is to be able to effectively measure the overall success and impact of the program through student learning, partner expectations, and teaching team effectiveness. Findings will support efforts to improve the programs and the long-term impact of sustained engagement in the arts.
Type of PII that the Entity will receive/access: Student PII, and “we ask the school principal and/or contact to complete an evaluation as part of our triangulated approach to measuring success.”
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. Vendor also states, “All PII related to program evaluations will be destroyed at the end of each residency once the data is aggregated for reporting purposes. However, the findings will be kept for archival purposes at MMDG.”
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The following demonstrates the administrative, operational and technical safeguards in place at MMDG:
- Contract with HomeField IT (HIT) as its Managed Service Provider
- Microsoft 365 Business Premium Services which includes MS Defender for security
- MMDG utilizes a monitored suspicious email program managed by HIT
- HIT executes a secure daily data backup procedure
- All staff are required to complete monthly Data Security Training through Ninjio
- MMDG utilizes 1Password to maintain the highest level of password management.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Discovery Education
The exclusive purposes for which Protected Information will be used: To provide digital education services.
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Pursuant to Recipient’s DPA, attached hereto as Attachment B.
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon termination or expiration of the agreement, Recipient will promptly, but without undue delay, destroy student data upon BOE’s written request. Recipient may retain student data to the extent required by the laws, rules, and regulations to which Recipient is subject, or if student data resides in Recipient’s backup archives, Recipient will continue to protect the security and confidentiality of such retained student data in accordance with the agreement and the DPA. Recipient has implemented retention rules so that student data in backup archives is retained for as short a time as necessary.
[NYC DOE comment: The current agreement became effective starting on January 23, 2020 and terminates when all NYC DOE schools and/or offices cease using Discovery Education, Inc.’s products/services. The terms of the agreement remain effective through the period during which Discovery Education, Inc. possesses or otherwise is in control of covered protected information.]
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information will not be stored outside of the US.
How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted at rest in the database. We perform daily lookup as well as backups. For data in transit, our subscription site is SSL embedded with AES-290.
District Public
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We provide professional development, data analysis, and tools to help school leaders and educators use data to improve student outcomes, communicate with administrators and families, and save time.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Drive.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. District Public takes great care to ensure the security of PII. Data is encrypted while in motion and at rest. Only data that is required to conduct analyses is collected. Data is never disclosed to anyone outside the school community for whose benefit the analysis is conducted, and access to data and analysis is only granted by District Public to school leadership. District Public employees and contractors are trained in laws governing data security and privacy, as well as on best practices in cyber security. District Public employs such strategies as two-factor authentication, encryption, web and email filtering, ongoing cyber security and awareness training, and phishing simulations to ensure it maintains a secure environment for working with PII.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Don Johnston
Type of Entity: Commercial Enterprise
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.
- Snap & Read Universal is a Text Reader to read aloud materials as well as support students in comprehending materials. Required student data collected: Email OR user name and password for login purposes. Other personally identifiable data for student accounts is solely used for educational purposes by the student and the student’s educational institution.
- Co:Writer Universal is a Word Prediction, Speech to Text and Translation tool to support struggling writers. Required student data collected: Email OR user name and password for login purposes. Other personally identifiable data for student accounts is solely used for educational purposes by the student and the student’s educational institution.
- uPAR (Universal Protocol for Accommodations in Reading) is a data tool to help educators match students to reading accommodations. uPAR does not require use of personally identifiable student information. Personally identifiable data for student accounts is solely used for educational purposes by the student and the student’s educational institution. The only data collected is that which is valuable for educational purposes.
- Word Bank Universal extracts words, places, people, facts and dates into a meaningful format. Required student data collected: Email OR user name and password for login purposes. Other personally identifiable data for student accounts is solely used for educational purposes by the student and the student’s educational institution.
- Quizbot is a teacher-only tool. Build quizzes automatically from any text with one click. Automatic scoring through Google Forms shows instantly what is being comprehended. No Student Accounts exist (and no data is collected).
- Readtopia is a special education curriculum designed for teachers who work with late elementary, middle, and high school students with autism and other complex needs. It serves as an integrated comprehensive reading curriculum across several domains of study including ELA, Math, Social Studies, Life Skills, and Science. Students do not log in and no student data is collected.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII; and Other. Vendor stated “The district has access to student data at all times and is responsible to download data prior to expiration of the Agreement. After that, we will automatically destroy all data in 30 days and 65 days from all backups.”
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
Administrative Safeguards: We do annual training for all staff and assign access based on roles, limiting the number of people who have access to the data.
Physical and Technological Safeguards:
- All data is kept on AWS (Amazon Web Services) servers.
- AWS has the most stringent physical safeguards, which have earned it ISO 27001 compliance, a Department of Defense Impact Level 4 Provisional Authorization, over 400 National Institute of Standards and Technology security controls, and a PCI DSS Level 1 certification among other security standards.
- All data is located in geographically discrete locations within the United States.
- Data at Rest - All data at rest is encrypted with the AES-256 encryption algorithm.
- Data in Transit - All data being transmitted is protected with Secure Sockets Layer and password hashing.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Donner Photographic
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Photograph students at schools/dance studios and sell photos to their parent/guardian. We need PII to assign names to the students’ pictures and assign teachers to the class photos.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All PII data is stored in a SQL database. No employee has a logon to the database directly. All access is done through custom applications. All images of students that we take are named by a number only, and that number is assigned by the database. There is no direct file system style way of associating an image with PII. We have safeguards in place such as firewalls, encryption and required passwords that protect our students’ personal information. We have a pfSense firewall providing reverse proxy SSL authentication to web servers and locking down applicable ports. We never obtain address information unless the parent/student personally goes to our website. Also, we ensure the appropriate in-person training of our employees pertaining to the federal and state laws when it comes to the privacy and confidentiality of our clients, including NY laws and FERPA policies, prior to accessing PII.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
The Door – A Center of Alternatives
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/1/2021 – 6/30/2024, extended to 6/30/2027
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Door - A Center of Alternatives, Inc. (The Door) implements the Community School model by providing academics, health and mental health services, social services, expanded learning opportunities, positive youth development, and family and community partnership at our co-located site in Lower Manhattan. We will collect data to track services provided under the contract. The data will be securely stored in The Door’s Salesforce database.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The Door tracks student data in Salesforce, a leading cloud-based CRM system. In addition to the standard security safeguards provided by Salesforce such as role-based security, enforcing strong passwords and multifactor authentication, auditable logs, protections against denial-of-service attacks, intrusion detection, anti-malware scanning and other robust security features, The Door uses Salesforce Shield, an enhanced security package that also allows for data encryption at rest and complex event monitoring. The Door is committed to training staff and external consultants on our data security policies and procedures.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
DreamBox Learning
The exclusive purposes for which Protected Information will be used: To provide hosted services and adaptive math software to the district.
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: DreamBox does not utilize subcontractors in its delivery of software or services; however, DreamBox will ensure that all authorized persons are aware of the confidential nature of the information being shared and have been trained on data protection and security best practices.
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Personally Identifiable Student Information (PISI) will be removed from the DreamBox system and returned to the district at the district’s request.
[NYC DOE comment: The current agreement became effective starting on October 1, 2019 and terminates when all NYC DOE schools and/or offices cease using DreamBox Learning, Inc.’s products/services. The terms of the agreement remain effective through the period during which DreamBox Learning, Inc. possesses or otherwise is in control of covered protected information.]
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI will be stored in the US. DreamBox is ISO 27001 certified and meets industry best practices for data security, including encryption at rest and in transit.
How the data will be encrypted (described in such a manner as to protect data security): At rest and in transit.
The DreamYard Project
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 71/1/2022 – 6/30/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The work in question has our teaching artists working directly with students to supply arts education during school hours and after school as well. The DreamYard teachers must keep an active roster of students to comply with attendance requirements for all contracts.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using an Entity-owned and/or internally hosted-solution.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. If PII is recorded on paper for roster purposes on the day of class, the information is shredded and securely disposed of. Before the information is shredded, it is recorded digitally to our servers, which only DreamYard administrators have access to via password and 2-step verification. The DreamYard Project does not grant access to these servers to outside vendors for any reason. DreamYard administrators must work on password-protected machines and only access this information on DreamYard-supplied machines, and these machines are scrubbed of data if an employee’s contract is terminated. The former admin’s access is subsequently revoked if they no longer work at DreamYard.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
DroneBlocks
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. “Services” means the DroneBlocks STEM drone curriculum, which includes over 150 cloud-based lessons for teachers to choose from, and a suite of software to enable educators to teach students about computer science using drones. It includes all services offered or provided by DroneBlocks, including access to DroneBlocks Technology, as well as access to Lesson Plans, Training Materials, Webinars, and Training. DroneBlocks Services include ongoing upgrading of the product and related technology, communications with educators in support of their use of the Services, as well as the benefits of related research and development, improvements, and supplements supporting the DroneBlocks offerings, the Website, and/or the App.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Entity selected “Other: Working with School, securely delete and/or destroy PII.” In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Google Firebase.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. DroneBlocks conducts periodic thorough external assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic, paper, or other records containing PII; and performs ongoing system monitoring and testing and ongoing security oversight by designated members of senior management.
All submitted PII is collected and stored by Firebase and Google Cloud Platform in reliance upon Google’s stringent security regimen. HTTPS via TLS is required to connect to all web servers from the public network. DroneBlocks maintains processes for the continued encryption of customer's PII through its secure deletion/destruction when requested in writing by the customer when it is no longer needed for the purpose for which it was collected; as well as procedures that protect PII maintained from improper alteration or destruction, including mechanisms to authenticate records and corroborate that they have not been altered or destroyed in an unauthorized manner.
DroneBlocks performs appropriate pre-hire employee background checks and screening; obtains agreement as to confidentiality, nondisclosure and authorized use of PII; provides training to support awareness and policy compliance; and maintains procedures to determine that the access of employees to PII is appropriate and meets a legitimate need and is terminated when appropriate. DroneBlocks also requires under written contracts that third party partners and subcontractors maintain Data Security and Privacy policies and procedures no less stringent than those above.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Dynamic Forms (also called Mark DeGarmo Dance)
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 05/15/2021 – 05/14/2026
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We work in NYC DOE public schools with a research-based and evidence-based educational program to provide dance education instruction required by New York State Education Department, but that the NYC DOE is unable to provide its students and schools. The purposes of having the students’ names is to increase instructional effectiveness, as educational research demonstrates is most effective. The purpose of having their legal guardians’ names & addresses is to complete our consent & release forms.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third parties.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an entity-owned and/or internally hosted-solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Dynamic Forms, Inc., AKA Mark DeGarmo Dance, utilizes the following administrative, technical and/or physical safeguards to protect PII: Access Controls; Encryption; Data Access Restrictions; Access Rights; Security Awareness and Privacy Training; Third Party Management; Physical Security; Information Security Incident Management; Incident Identification; Incident Severity Classification; Incident Response and Containment; Root Cause Analysis and Lessons Learned; Privacy; System and Information Integrity; Data Management; Collection; Use and Retention; Disclosure; Retention and Disposal; and Compliance with Legal and Regulatory Requirements.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
EarlyBird Education
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. EarlyBird works with educators to determine which children are at risk for reading struggles, and provides a comprehensive assessment to determine the child’s areas of strengths and weaknesses, as well as a series of Next Steps resources to support educators as they build strong readers. The child’s PII (ex: name, birthdate, and classroom) enables us to work with the school districts and educators.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. EarlyBird uses AWS firewalls and data protection tools and provides periodic security training to employees who have access to the system and/or data. When data is accessed through a web browser, EarlyBird employs industry standard measures to protect data from unauthorized access including, but not limited to, server authentication, data encryption, firewalls and SSL.
EarlyBird operates a secure platform and complies with FERPA regulations as described in FERPA policy. The underlying infrastructure resides entirely in Amazon Web Services and utilizes Virtual Private Clouds (VPCs) for all environments. All public facing ports are exposed only through load balancing solutions. All communication is encrypted using SSL through the load balancer and is routed to a production quality web server which resides on each server. The traffic is then proxied to the application port which is listening privately on localhost. All data that is stored on the EarlyBird platform is encrypted at rest and in transit, and no production or student data is allowed outside of the production environment. All servers are container based which ensures conformity to EarlyBird’s rigid security standards. Private keys are regularly cycled and are only distributed as needed and to a limited number of employees.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
East Side House
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ESH’s Learning to Work program will provide students with academic support services to improve student retention and expose students to career development through work readiness training, paid internships, and job placement. In collaboration with NYC DOE, ESH will provide services ranging from student recruitment and outreach, new student orientation, and attendance outreach, to referring non-eligible students to other programs.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. In order to protect personally identifiable information and mitigate data privacy and security risks, Processor will:
- Follow policies and procedures in compliance with 1) relevant state, federal, and local data security and privacy requirements, including Education Law 2-d (“Section 2-d”), 2) this Addendum, and 3) the NYC DOE’s data security and privacy policy and the Family Education Rights and Privacy Act (“FERPA”);
- Implement commercially reasonable administrative, technical, operations, and physical safeguards and practices to protect the security of personally identifiable information in accordance with relevant law;
- All student data is stored on the Salesforce cloud SaaS platform. Salesforce is an external vendor with a dedicated security team. All data exists on the Salesforce Cloud Tenant. No student data is stored on East Side House on-premise servers.
- Only authorized teachers and approved East Side House internal staff are granted access to Salesforce Portal. Salesforce logins are enforced with multi-factor authentication.
- Follow policies compliant with NYC DOE’s Parents’ Bill of Rights and Parents’ Bill of Rights Supplemental Information.
- Annually train its officers and employees who have access to personally identifiable information on relevant federal and state laws governing confidentiality of Personally Identifiable Information; and
- In the event any subcontractors are engaged in relation to this Agreement, manage relationships with sub-contractors to contract with sub-contractors to protect the security of personally identifiable information in accordance with relevant law.
- Implement and follow an incident response plan and disaster recovery process that are compliant with relevant state, federal and local data security incident notification requirements.
To protect personally identifiable information that Processor receives, Processor will follow policies that include the following administrative, operational, and technical safeguards:
- Processor will identify reasonably foreseeable internal and external risks relevant to its administrative, technical, operational, and physical safeguards;
- Processor will assess the sufficiency of safeguards in place to address the identified risks;
- Processor will adjust its security program in light of business changes or new circumstances;
- Processor will regularly test and monitor the effectiveness of key controls, systems, and procedures; and
- Processor will protect against the unauthorized access to or use of Personally Identifiable Information.
- Processor’s sites are protected by firewalls with active threat protections including web content filtering / anti-malware scanning.
- Processor has all endpoints and servers protected by CrowdStrike EDR; systems are monitored by CrowdStrike 24/7 for proactive threat detection.
- Processor on-premise server rooms are locked and accessed only by authorized staff. Server rooms are monitored by closed-circuit television cameras.
- Processor facilities are monitored by a 24-hour monitoring station for burglary alarms.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
EBSCO Industries (also called EBSCO Information Services)
The exclusive purposes for which Protected Information will be used: EBSCO uses the Personal Information we collect for the limited purposes of processing your transactions, establishing and/or verifying a person’s or account holder’s identity, customer service, improving and customizing our Services and their content, authorization, content processing, content classification, and providing you with information concerning our Services.
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: In situations where we share Personal Information with Service Providers, we ensure access is granted to the Service Providers only upon the condition that the Personal Information is kept confidential and is used only for carrying out the services these Service Providers are performing for EBSCO Information Services. As part of making that determination whether we will share Personal Information with Service Providers, we will obtain assurances that they will appropriately protect and maintain the confidentiality of Personal Information consistent with our Privacy Policy and as required by applicable law. For additional information, please see EBSCO's Privacy Policy: https://www.ebsco.com/company/privacy-policy#prod_how-do-we-secure-info
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Contract duration - 4/1/2021 to 3/31/28. EBSCO will only retain information for as long as the account is active, or as needed to provide you Services, comply with our legal obligations, resolve disputes, and enforce our agreements. Upon contract termination, data will be deleted or pseudonymized. If this is not possible (e.g., because the information has been stored in backup archives), then EBSCO will securely store the information and isolate it from any further processing until deletion is possible.
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Contractor. [NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov]
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data will be stored within EBSCO's data centers located in the greater Boston, MA area. EBSCO maintains an extensive information security policy to protect data which focuses on web application security and includes firewall and router security, data classification and control, vulnerability identification, authentication, etc.
EBSCO also keeps audit trails to maintain records of system activity both by system and application processes and by user activity, which, in conjunction with appropriate tools and procedures, acts as a technical control facilitating the detection of security violations, performance issues, etc.
How the data will be encrypted (described in such a manner as to protect data security): All sensitive data is securely encrypted in the database with restricted access. Data is also encrypted in transit with SSL/TLS 1.2 2048-bit encryption.
EDCLUB
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. edclub is a web-based and fully customizable educational platform. Students can learn in class, at home, or wherever an internet connection can be found. edclub’s suite of products currently available includes a web-based typing tutor to teach keyboarding skills called TypingClub, Vocabulary & Spelling to teach English language arts, Digital Citizenship and Social Emotional Learning.
edclub collects and processes PII in order to create accounts for staff and students, provide access to the services, and communicate with account holders. PII is also required to save and track students’ progress on our Services and provide reports to school staff.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
The entity also stated “de-identified data may be retained for product improvement purposes only.”
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS, and using an Entity-owned and/or internally-hosted solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The data will be stored in the United States of America. edclub stores and processes confidential student records and information in accordance with commercial best practices, including implementing appropriate administrative, physical and technical safeguards. edclub’s safeguards include keeping the collection of information about users/students to a bare minimum. Information transmitted over the web is securely transmitted through an encrypted connection (HTTPS). Information at rest is secured in encrypted storage. A team of information security professionals constantly monitors edclub’s systems utilizing cutting edge technology.
All staff must use two factor authentication to access their accounts. Access to any student data is limited to staff who require access.
Administrative safeguards:
- Restricting access to only a few authorized individuals who have a valid reason;
- Mandating non-disclosure agreements for all personnel granted access;
- Layered permission levels for accessing logs of cloud-based services;
- Internal Audits and Compliance Monitoring;
- Incident Reporting and Response Procedures;
- Contingency Planning;
- Risk Assessment and Management.
Operational safeguards:
- Physical Access Controls;
- Data Backup and Recovery;
- Patch Management;
- Antivirus and Malware Protection;
- Network Security Controls;
- User Authentication and Authorization;
- Incident Response Plan;
- Monitoring and Logging;
- User Training.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Edgenuity Inc. (for LearnZillion)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 3/1/2021 – 6/30/2023
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We use PII to help us to diagnose technical problems, administer the Site and improve the quality and types of services that we deliver. We may also collect, track and analyze information in aggregate form that does not personally identify users.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We strive to protect the confidentiality, security and integrity of the Personal Information we collect from children and adults. We have put in place physical, electronic and administrative procedures designed to safeguard and to help prevent unauthorized access to and maintain the security of personally identifiable information collected through this Site.
Primary accounts and student accounts are protected by passwords. Please keep these passwords secret to prevent unauthorized access to these accounts. If you think someone has gained unauthorized access to an account, please change your password and contact us immediately.
We take customary and reasonable measures designed to protect the confidentiality, security and integrity of Personal Information collected on our Sites, both during transmission and once we receive it. This includes the use of encryption, firewalls and other security technologies to prevent access to the data from unauthorized parties. All connections between users and our Site are secured via encryption communication technology (SSL/TLS). All passwords are salted and hashed using the practices recommended by NIST (National Institute of Standards and Technology). We use highly rated application hosting providers who agree to perform frequent diagnostics, operating system updates, and network security monitoring. Our engineering team is committed to creating and maintaining systems to protect Personal Information.
Only employees and contractors who reasonably need to access user information in order to perform their job (for example, customer service) are granted access to student information.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Edia Learning
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Edia is a math learning platform providing a large standards-aligned content library, AI-coached practice, automatic grading, and detailed proficiency data for individual students. Edia serves 4th-12th grade and may be used in the classroom and for homework, assessments, and interventions.
Edia has accounts for teachers and students. Teachers and students are associated together in classes. PII is required when making a student's account, in particular name and email. These are used to provide assignments and track student progress. These may also be accessed in the course of providing support.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Edia staff interact with teachers and students to provide support and training, but not in the normal operation of the application.
Edia receives and stores data purely electronically. These data are encrypted in transit and at rest.
Access to data is restricted to senior staff, and limited access may be provided to support staff on a need to know basis. All accounts are secured with strong passwords and two-factor authentication. Staff operates under our data privacy and security policy. This policy mandates that user data may only be accessed for legitimate business needs and only through secure and approved methods, data may not be retained or shared with unauthorized entities, and that staff must undergo regular training on data privacy and security policies and practices.
Privacy and security training entails sessions reviewing our security policies, use of the tools used to access user data, review of the relevant legal requirements, and how all these apply to employees' tasks. Completion of the training session is required before access privileges are granted. After that, a training session must be completed once annually.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Edlio LLC
Please include a brief description of the product(s) or service(s) being provided, and the exclusive purposes for which Protected Information will be used, collected or otherwise processed: K-12 school website services, design, hosting, support; Content Management System (CMS) software; Related optional services, including payment processing and communication services.
How you will ensure that the subcontractors or other authorized persons or entities that you will share Protected Information with will abide by data protection and security requirements required by your agreement with the NYC DOE: Edlio, LLC. agrees to ensure that subcontractors or other authorized persons or entities that we will share Protected Information with will abide by data protection and security requirements required by our agreement with the NYC DOE. Edlio, LLC. has updated our internal contracts and technical requirements related to authorizing 3rd party entities and subcontractors to ensure we are in compliance with this NYC DOE agreement.
When your agreement with the NYC DOE starts and ends, and (ii) what happens to Protected Information upon expiration of the agreement: This agreement relates to the services for Thomas Warren Field Elementary-P.S. 299k specifically which is a 3 year contract (contract originally signed and received 2/23/2021 and expected to run until June 30 2024). Please note that Edlio, LLC. does business with many other schools with NYC DOE on various contracts. If possible, we would like an ongoing agreement for all NYC DOE, but if that is not possible, we would accept the 3 year term above for Thomas Warren Field Elementary-P.S. 299k only.
Edlio, LLC. agrees to destroy such Protected Information Data, making it unusable and unrecoverable.
If and how a parent, student, eligible student, teacher or principal may obtain copies of, and challenge the accuracy of, the Protected Information in the custody or control of the Contractor: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE to process requests for copies of, and challenges to the accuracy of, Protected Information in the custody or control of the Contractor. Such requests should be directed to studentprivacy@schools.nyc.gov.
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and (ii) the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Edlio, LLC. agrees that all Protected Information will be stored in the US and that security protections are taken to ensure such data will be protected.
Edlio, LLC. agrees to and already limits the use and storage of sensitive data. This includes but is not limited to the following internal Edlio, LLC. policy and/or procedure: all sensitive data must be encrypted while at rest and during transit across public networks to protect it from internal and external threats and provide a second line of defense in high threat areas. The requirements for data encryption are based on its classification, sensitivity, location, and media where it is stored.
If sensitive information is transmitted over public computer networks such as the Internet, this transmission must take place with encryption facilities. All portable and remote systems storing sensitive information must also employ hard disk encryption systems. In all but a few rare instances, if information is to be protected, then the user must take specific action to enable encryption facilities. Users must be careful about the inclusion of sensitive information in electronic mail messages that are not protected by encryption. It is the policy of Edlio, LLC. that all sensitive data will be encrypted while at rest and during transit across public networks to protect it from internal and external threats. The requirements for data encryption will be based on the data sensitivity, the location of the data, and the type of storage media wherein the data resides.
How the data will be encrypted (described in such a manner as to protect data security): Edlio, LLC. agrees to and already encrypts confidential information, including DOE data. This includes but is not limited to the following internal Edlio, LLC. policy and/or procedure: data in transit using algorithms and key lengths consistent with the most recent NIST guidelines.
Further, all encryption processes and algorithms must be approved in advance by the Information Security Officer. Proven, standard algorithms such as DES, Blowfish, RSA, RC5, and IDEA should be used as the basis for encryption technologies. The use of proprietary encryption algorithms is prohibited for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by the Edlio, LLC. Information Security Officer.
All general-purpose encryption processes running on Edlio, LLC. information systems must include key escrow functions. These special functions allow management to recover encrypted information should there be system errors, human errors, or other problems. Encryption systems must be designed such that no single person has full knowledge of any single encryption key.
Payment information, such as credit card numbers or bank checking account numbers, must be encrypted when computer-resident and also not in active use for authorized business purposes, when transmitted over a public network, and when held in storage on computer disk or tape.
Edlio, LLC. will only implement and accept trusted keys and certificates. The protocol in use must only support secure versions or configurations. Finally, the encryption strength must be appropriate for the encryption methodology in use.
System Configuration Standards (PCI 2.2)
- All systems and devices must be configured in accordance with their respective configuration standards.
- System configuration standards must be based upon industry recognized best practices such as those provided by SysAdmin, Audit, Network, Security (SANS), the National Institute of Standards and Technology (NIST), Microsoft, or the Center for Internet Security (CIS).
- System configuration standards must be reviewed at least annually and updated to reflect current industry best practices and newly-discovered vulnerabilities.
- Edlio, LLC. develops annually reviewed security configuration standards for systems in the Edlio, LLC. CDE that are hardened using industry-accepted standards. These configurations are documented and used as system baselines. Relevant configuration changes are communicated to impacted teams. Procedures are implemented to monitor for compliance against the security configuration standards. Edlio, LLC. requires all CDE-based servers to comply with CIS standards; compliance is confirmed through Nessus security scans prior to any new device deployment. This approach is used for servers and network devices when applicable to Nessus scan capabilities.
Edmentum
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 2/1/2017 – 1/30/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Edmentum provides quality online programs designed to make personalized learning an achievable reality in every classroom. To meet NYCDOE’s needs, we offer Courseware, Exact Path, Study Island, EdOptions Academy, and Calvert Learning, paired with Edmentum’s Professional Services.
- Courseware offers customizable digital curriculum for grades 6–12, including core, AP®, CTE, electives, world languages, and test preparation courses.
- Exact Path personalizes K–12 learning by combining adaptive diagnostic assessments with individualized learning paths in math and ELA.
- Study Island is a customizable K–12 practice and formative assessment solution that improves mastery and retention, and boosts student achievement in math, ELA, science, and social studies.
- EdOptions Academy is a fully accredited virtual academy that allows districts to enhance and expand their program offerings, attract and retain students, and provide flexible, individualized learning experiences.
- Calvert Learning provides engaging, project-based curriculum for K–5 learners in virtual or blended learning environments.
We collect the following PII provided by the Customer, such as the student’s name, name of school, grade level, and e-mail address. Please refer to our Customer Privacy Policy: https://www.edmentum.com/privacy/customer.
Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review). “Our programs are not Student Information or Accountability Information Systems. Edmentum does not store academic records other than performance scores of online activities. PII is at the user’s discretion. Administrators and teachers can choose to include non-PII data for required fields such as Students: First and last name; Email (username); Grade level; Student Local ID (required); Teachers: First and last Name; Email; Teacher Local ID; Role.”
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. “NYCDOE retains ownership and control of all student data. Your data is available throughout the term of your contract. During this time, it can be downloaded and reports generated in a variety of formats, including CSV, Excel, and PDF. All data is securely wiped from decommissioned systems. Customer data at rest is encrypted, minimizing the risk of exploitation.
Furthermore, our programs are not Student Information or Accountability Information Systems. Edmentum does not store academic records other than performance scores of online activities. Since Edmentum is an online solution provider, there are no limitations to the size or duration of data retention. Customers may retain data within our system with a valid subscription.
Within a reasonable time period after termination or expiration of the contract, or as requested or directed by NYCDOE, Edmentum will return personally identifiable data and will securely destroy personally identifiable information in its possession.
Please see our Standard Service Purchase and Software License Terms at www.edmentum.com/resources/legal/standard-terms and our Customer Privacy Policy at www.edmentum.com/privacy/customer for specific information pertaining to this requirement.”
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; and using an entity-owned and/or internally-hosted solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Edmentum maintains a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of students’ personally identifiable information against risks—such as unauthorized access or use or unintended or inappropriate disclosure—through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information. We perform quarterly internal and external security scans. In addition, Edmentum periodically performs additional penetration testing and/or other relevant threat assessments and performs subsequent remediation efforts based on the findings of these assessments.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
EDPuzzle
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Edpuzzle is instructional software (accessible at https://edpuzzle.com) that allows teachers to take, embed or upload, as applicable, video content (e.g., videos publicly accessible on third-party video-hosting platforms, a screen-recorded video, or an Edpuzzle original video) and turn it into an interactive video lesson by embedding questions and notes for understanding along the way. Teachers then receive great data analytics on student progress from the completed lesson.
Edpuzzle Pro provides unlimited access to Edpuzzle to individual users, or to all users in the school or school district based on the type of license purchased. This includes unlimited storage space, a collaborative channel, and priority customer support.
PII will be used by Edpuzzle to improve the Edpuzzle services and for the following limited purposes:
- to create the necessary accounts to use the service;
- to provide teachers with analytics on student progress;
- to send teachers email updates, if applicable;
- to help teachers connect with other teachers from the same school or district;
- to assess the quality of the service;
- to secure and safeguard personal information of other data subjects; and
- to comply with all applicable laws on the protection of personal information
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services and MongoDB Atlas.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Contractor shall implement and maintain reasonable and appropriate technical and organizational security measures to protect the PII with respect to data storage, privacy, from unauthorized access, alteration, disclosure, loss or destruction. Such measures include, but are not limited to:
- Pseudonymisation and encryption of PII (TLS v1.2 for all data in transit between clients and server and AES256-CBC (256-bit Advanced Encryption Standard in Cipher Block Chaining mode) for encrypting data at rest).
- Password protection.
- Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- Restore the availability and access to personal data in a timely manner in the event of a technical incident.
- Regularly test, assess and evaluate the effectiveness of technical and organizational measures ensuring the security of the processing.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Edsoma
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Edsoma is Artificial Intelligence (AI) software that assists little readers with the proper pronunciation of words when they get stuck while reading a book inside the app. Edsoma also provides a portal for teachers to help them manage students’ learning journeys, assign new books to read and collect reports about learning evolution.
PII is used to create user accounts and track student progress in their literacy journey. This information is used to monitor student progress and direct them to the correct follow-up courses or seek additional support if needed. Teachers are encouraged to communicate with parents about student progress, and PII is used to facilitate this communication. Without PII, we wouldn't be able to provide the personalized platform that we aim to deliver.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and Microsoft Azure.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
Administrative Safeguards
- Strict access controls are implemented, limiting access to PII only to authorized personnel with a legitimate need. Access permissions are regularly reviewed and adjusted accordingly.
- Access to PII is restricted on a need-to-know basis, enforced through role-based access controls.
Operational Safeguards
- Access controls are implemented using multi-factor authentication and strong password policies to ensure that only authorized personnel can access PII.
- PII is handled according to strict data handling and processing protocols, including secure data transfer methods and secure storage practices.
Technical Safeguards
- PII is encrypted both in transit and at rest using industry-standard encryption protocols.
- Edsoma maintains a strict regimen of applying security patches and updates to all software and systems to mitigate vulnerabilities and known security risks.
- MFA is enforced for all authorized users, adding an additional layer of security to protect against unauthorized access.
- To further bolster our data privacy and security measures, we utilize Amazon Web Services (AWS) as our trusted database and storage service provider. This allows us to leverage AWS's industry-leading cloud infrastructure and security features to enhance the protection of PII. AWS offers a range of robust security features and compliance certifications, including but not limited to ISO 27001, SOC 2, and PCI DSS, which align seamlessly with our commitment to data privacy and security. The use of AWS services ensures data encryption, redundancy, and access controls at the infrastructure level, complementing our internal technical safeguards.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Educa
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Educa is a private online sharing platform where teachers document and share children’s learning. It supports heart-led documentation, via Learning Stories, that in one motion meets reporting requirements and provides learning visibility – in other words, images and videos – helping families and teachers work together. In order for Educa to carry out these communication-oriented goals, it is absolutely essential that PII be readily accessible for all teachers, students, and parents that exist in the platform.
Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data). “Ideally Educa would have access to PII for teachers, students, and their parents. For example, all users in Educa must have a unique email address, which they use to sign into the platform.”
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor, specifically “inside an MS SQL RDS database, hosted on Amazon Web Services in US East.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data will reside inside an MS SQL RDS database, hosted on AWS in US East. All data to and from the database is encrypted in transit and at rest. Backups are also encrypted and hosted in AWS.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
EducAide Software (for Problem-Attic)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. EducAide makes an online question database covering all grades and core subjects (math, science, social studies and ELA). Teachers use the program to create tests and worksheets. Most use does not involve any student PII, because the materials are downloaded and printed. As an option, teachers may create an online test. In that case, EducAide will receive student PII. It is used only for the purpose of scoring tests and delivering results to the teacher, who in turn will use it to calculate grades, fine-tune their instruction, and provide feedback to students.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Linode servers (Akamai Technologies) and AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. EducAide collects the minimum amount of information to score a test and deliver results to a teacher, then deletes the information after no more than 180 days. To protect data and assure student privacy, EducAide:
- does not connect to any student information system or NYC DOE network service
- follows industry best practices for encryption and secure transmission/backup
- trains employees on data security techniques and legal requirements for student privacy
- maintains office security through passkeys, cameras and clean desk policies
- enforces use of two-factor authentication for logging in to cloud-based services
- enforces password rotation for logging in to the local network and client computers, and
- closely monitors servers and website traffic to prevent a security breach.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Education Analytics
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/1/2022 – 6/30/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. To provide technical assistance and perform data analysis to measure student learning for Annual Professional Performance Reviews (“APPR”) as approved by New York Education Law §3012-d.
Type of PII that the Entity will receive/access: Student PII and student-teacher linkage data.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
Secure Data Transfer and Data Storage Protocols: All confidential data are transferred using EA’s secure file transfer solution. All client data in house is stored on EA’s file and backup servers, with access controlled via Active Directory. Our facility is locked 24 hours a day, 7 days a week, and entry requires authentication using a key fob with unique codes for each user. Within the secured office suite, the server room storing network devices and secure servers is locked 24 hours a day, 7 days a week, and entry requires authorization using a key fob with unique codes for each user.
Authorized Data Access and Data Destruction Policy: EA ensures that access to the data is restricted solely to staff who need such access to carry out the responsibilities of the project based on their role, and that such staff will not release such data to any unauthorized party, as agreed by signing EA’s non-disclosure agreement. Access to all computer applications and data at EA is managed and authorized at every step using the Windows Active Directory user ID and high-security password procedures. Key personnel working on client data have federal security clearance and have undergone human subjects training on handling data. EA requires all staff to sign confidentiality agreements prior to providing data access. Also, EA prioritizes the ongoing training of employees and authorized users about laws governing the usage of sensitive data, including FERPA and other appropriate state laws. More details on this topic can be found below. EA agrees that data will remain the property of the client. To this effect, EA has a data destruction policy which ensures that the electronic data stored on the EA file and backup servers are destroyed within the contracted time frames.
IT System Security: All internal servers deployed at Education Analytics shall be managed by an operational group that is responsible for system administration. Approved server configuration guides shall be established and maintained by this operational group, based on business needs.
IT Network Security: EA’s computer network storing the data ensures appropriate and secure data access by utilizing firewalls, an intrusion detection and prevention system and up to date anti-virus solutions. EA allows remote access only to authorized users using a remote gateway secured using SSL.
IT Risk Management and Contingency Planning: EA has a disaster recovery plan and a process for handling outages, which will be utilized in case a need arises. EA has redundant and uninterruptible power and internet infrastructure provisions in place. In case of data breaches, EA will notify its cyber security insurance provider about the breach and work with the provider to investigate the breach and inform the related parties.
Compliance with FERPA and Data Security Laws: EA is in strict compliance with data security and privacy laws including but not limited to FERPA, and ensures that its staff are trained on the required laws and kept up to date to gain knowledge about how to store, access and treat data records with a high level of security.
Security Audit Process and Data Breach Policy: EA’s IT systems maintain incident and change-management logs and allow for audits of IT data security compliance. The security audit process will cover the following steps to identify, evaluate and analyze potential threats and fixes for evaluating the security requirements of EA’s IT system. In case of breaches to student data or teacher or principal data, EA will activate its Incident Response Team. This team will investigate the breach and notify the educational agency owning the data as necessary in accordance with regulations. EA will promptly comply with any inquiries from the client based upon the client’s receipt of a complaint or other information indicating that improper or unauthorized disclosure of personally identifiable information may have occurred.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Education Analytics (for New Schools Venture Fund)
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: Starting June 2022.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. EA is working with [New Schools Venture Fund] NSVF on a series of deliverables that serve to help NSVF understand the schools in their portfolio better. Using data from SEL and Culture and Climate surveys, along with MAP assessment data, this information will be utilized for a series of research questions along with a dashboard that displays school level data and subgroup data from the aforementioned surveys.
Type of PII that the Entity will receive/access: Student PII and Other (staff social emotional survey results)
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- A risk management strategy is in place to identify and detect data security incidents
- Data security protocols and procedures are in place to protect data access
- A security incident monitoring system is in place to identify cybersecurity events
- A data incident response plan is in place to ensure prompt and effective responses to any security breach
- A recovery process that ensures restoration of systems or assets affected by a security incident
- Access controls that are only provided to staff with a need to use the information for direct study and research purposes
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
The Educational Alliance
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Educational Alliance is committed to providing quality community school services to students and their families. As part of our services, we have assigned a Community School Director at each school who oversees the community school program. On occasion, the Community School Director may need to access Protected Information to contact a student and/or their family.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Educational Alliance has implemented various administration, operational, and technical safeguards to protect Protected Information received under our contract. EA staff are prohibited from removing anything from school sites, and are provided regular updates on confidentiality and data security obligations. All paperwork containing Protected Information is securely locked away in a file cabinet, and only the Community School Director will have access to this locked cabinet further ensuring it remains confidential and secure. When the director needs to contact parents, they will utilize DOE systems and follow the guidance provided by the Department of Education for communication. Educational Alliance is committed to maintaining the highest level of security and confidentiality for all data entrusted to us.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. “Because Educational Alliance does not collect electronic data, we will not encrypt PII information.”
Educational Vistas
Type of Entity: Commercial Enterprise
Contract / Agreement Start Date: 9/3/2021
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Providing the ability to auto-sync staff and student information, to successfully auto-roster students, classes, schools, the district, and the DOE in order to provide assessments such as Degrees of Reading Power and Degrees of Math Power. In addition, we can offer, under an additional contract, data warehousing and custom dashboards that can host all third-party assessments and scores, including NY State tests. This enables miscue reports and analysis, drill-down reports, generation of pre-slugged answer sheets, customizable reports, etc., as well as the ability to track staff teacher-principal evaluations and professional development, including the process for developing SLOs, and much more.
Type of PII that the Entity will receive/access: Student PII and APPR PII (Identifiable Teacher or Principal Annual Professional Performance Review Data).
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third-party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Educational Vistas, Inc. complies with and exceeds all expectations of Section 2-c and 2-d of the Education Law.
Physical Safeguards are in place by utilizing a 24/7 monitored facility that restricts physical access to the servers. The servers are also appliance- and firewall-protected from outside access, and are housed on multiple redundant load-balanced servers with backed-up data that is encrypted. We use SHA-256 bit encryption along with https:// to encrypt the data to and from the end points.
Educational Vistas, Inc. employees are instructed and trained not to store, remove, or share any customer data. We only use the customer’s information in training the customer at the customer’s site. Staff are trained on HIPAA privacy and security rules, GLBA, which covers safeguard procedures against fraud or identity theft and instruction about computer security, and FISMA (Federal Information and Security). We also comply with FERPA, which includes hiring contractors to minimize security risks. Every employee and contractor is required to sign a confidentiality agreement as part of their employment package.
Our IT security company, WLS, monitors the servers for security related breaches. We require immediate notification of any security breach so we can in turn immediately notify our clients that a breach has occurred and what was breached. We have, to this date, not had any security breach.
The login and security policies within the program restrict access to the data to individuals that need access to the data.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Eduware
The exclusive purposes for which Protected Information will be used: To provide the requested services and to ensure proper functioning of sites. To provide requested customer support and communicate with user.
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Eduware, Inc. does not use subcontractors, however in the event that Eduware, Inc. engages subcontractors, assignees, or other authorized agents to perform one or more of its obligations under the AGREEMENT (including any hosting service provider) it will require those to whom it discloses Protected Data to execute legally binding agreements acknowledging the obligation under Section 2-d of the New York State Education Law to comply with the same data security and privacy standards required of Eduware, Inc. under the AGREEMENT and applicable state and federal law.
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon expiration of that agreement without a successor agreement in place, Contractor shall assist NYC DOE and any educational agencies that contract with NYC DOE for the provision of Contractor’s products or services in exporting any and all student data and/or teacher or principal data previously received by Contractor back to NYC DOE or the educational agency that generated the student data and/or principal data. Contractor shall thereafter securely delete or otherwise destroy any and all student data and/or teacher or principal data remaining in the possession of Contractor or its assignees or subcontractors (including all hard copies, archival copies, electronic versions or electronic imaging of hard copies of such data) as well as any and all student data and/or teacher or principal data maintained on behalf of Contractor in secure data center facilities. Contractor shall ensure that no copy, summary, or extract of the student data and/or teacher or principal data or any related work papers are retained on any storage medium whatsoever by Contractor, its subcontractors or assignees or the aforementioned secure data center facilities. To the extent that Contractor and/or its subcontractors or assignees may continue to be in possession of any de-identified data (i.e., data that has had all direct and indirect identifiers removed), they agree not to attempt to re-identify de-identified data and not to transfer de-identified data to any party.
[NYC DOE additional information: The current agreement became effective starting on December 1, 2020 and remains effective until November 30, 2027.]
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Contractor. [NYC DOE additional information: such requests, including requests for copies of student data, may be sent to studentprivacy@schools.nyc.gov.]
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Student data and/or teacher or principal data transferred to Contractor by NYC DOE or NYC DOE officers, employees, agents, or students will be stored in electronic format on systems maintained by Contractor in a secure data center facility, or a data facility maintained by a board of cooperative educational services, in the United States. In order to protect the privacy and security of student data and/or teacher or principal data stored in that manner, Contractor will take measures aligned with industry best practices and the NIST Cybersecurity Framework Version 1.1. Such measures include, but are not necessarily limited to disk encryption, file encryption, firewalls, and password protection.
More specifically, data is stored in Amazon Web Services (AWS), served from a data center in Oregon, United States. Servers are secured physically by Amazon, and virtually by installed firewalls and a strict authorization system. Additional security information about the AWS system is available online at: https://amazon.com/security/. All data stores are only available through password/key protected instances. User passwords are encrypted in the database, so even Contractor’s high-level system administrators can’t view sensitive password information. All of Contractor’s network communication is now encrypted under HTTPS.
How the data will be encrypted (described in such a manner as to protect data security): Eduware, Inc. (or, if applicable, its subcontractors) will protect Protected Data in its custody from unauthorized disclosure while in motion or at rest, using a technology or methodology specified by the secretary of the U.S. Department of HHS in guidance issued under Section 13402(H)(2) of P.L. 111-5.
El Puente de Williamsburg (for Community Schools services)
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/1/2023 – 6/30/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. El Puente is a human rights institution working to inspire and nurture leadership for peace and justice. As a Community Based Organization (CBO) partner, El Puente provides resources and support in the following areas: Attendance, Academic, Health and Wellness, Family Engagement. Using collected student and family data, El Puente provides support to achieve school goals, and monitors and evaluates targeted areas such as improving attendance and academic achievement.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., NYCDOE Google Drive.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The entity will mitigate data privacy and security risks by adhering to the following:
- Utilization of NYC DOE cloud systems (DOE email, Google Drive, etc.) when confidential information is disseminated or received.
- Implementation of two-step (two-factor) authentication when signing in to cloud systems.
- Strict use of DOE and Entity computers, cell phone, software, etc. for both confidential and work-related information to maintain safeguards.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
El Puente de Williamsburg (for Crisis Intervention services)
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/1/2021 – 6/30/2022
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. El Puente is working in partnership with the Department of Education in their Crisis Intervention initiative at EBC High School Bushwick. El Puente provides students with various engagement activities in the areas of leadership development, academic enhancement and community building, with the goal of helping them build capacity to resolve conflicts and interact with their peers in a positive manner. The way El Puente assures the DOE that we have provided services is by having youth sign in to the activities. The sign-in sheets collected are provided to the DOE in order for El Puente to receive payment. Sign-in sheets are uploaded to Google Drive to be submitted to the Department of Education, as this is required for payment.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Google Drive.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Youth who participate in the El Puente programs through the Crisis Intervention Initiative are asked to sign in, providing First Name and Last Name. This information is strictly safeguarded and protected, and it is only utilized to invoice the DOE for services provided. All sign-in sheets are secured under lock and key. The Program Director and their supervisor have access to the files and safeguard the key. Sign-in sheets are scanned and kept in the Google Drive of the administrator overseeing the program and of the Director of Administration, who utilizes the sign-in sheets for billing purposes.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Elite Learners
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 11/1/2022 – 6/30/2023
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Elite’s Violence Prevention Specialists and Teaching Artists will work with youth groups to facilitate age-appropriate restorative practices, including peer mediation, one-on-one mentorship and conflict mediation training activities designed to help address negative behaviors such as bullying, disruptiveness, and peer conflicts that impact youth self-esteem, academic achievement, and peer and familial relationships. PII will be used to record students’ participation/attendance in the program.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. OneDrive will be used if needed.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- Elite Learners has guidelines to ensure that all individuals working under/with Elite and on Elite Learners’ projects/programs understand their responsibility in reducing the risk of compromise and take appropriate security measures to protect client data.
- Nondisclosure/confidentiality agreements are included in Elite Learners’ Employee Handbook and are signed upon new hire.
- Industry standard security measures including authentication and encryption protocols are used to preserve and protect Protected Information. Protected Information is encrypted at rest and in transit.
- Protected data is maintained in a secure data center managed solely by Elite Learners’ employees.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Encyclopedia Britannica
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Services are digital encyclopedia services and PII, if any, will be provided solely for purposes of providing access to the Services or a feature contained therein.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS Cloud Services in the U.S. only.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Britannica employs physical, administrative, and technical safeguards based on currently available technology and industry best practices to promote the integrity and security of personal data. Those safeguards include, but are not limited to, measures for preventing access, use, modification, or disclosure of customer data by Britannica personnel, except to provide services and prevent or address service or technical problems; as compelled by law; or as expressly permitted by the customer in advance, in writing. In addition, our documented security and privacy policies provide a framework for maintaining effective and efficient internal security and privacy controls and practices in order to mitigate data privacy and security risks.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Enhanced Learning
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Enhanced Learning will co-create customized in-school, interschool and intraschool institutes, workshops and coaching modules to empower principals, school leaders, and new/experienced teachers with knowledge across the educational, social, and behavioral spectrums. They will also provide student services: supplemental instruction, counseling, tutoring, mentoring, parent engagement, professional development, and an extended year program. In the process, Enhanced Learning may need to receive, handle, and/or access protected student information to ensure an individualized approach and thus prompt optimal outcomes of provided services.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google, Microsoft, Zoho.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
Administrative Safeguards:
- Establish policies and procedures to manage security risks, conduct risk assessments, and implement security measures.
- Ensure proper training, authorization, and supervision of personnel handling PII.
- Control access to PII based on roles and responsibilities.
- Develop protocols for detecting, reporting, and responding to security incidents.
- Periodically assess security measures and adjust as needed.
- Establish agreements with external entities handling PII.
Technical Safeguards:
- Utilize Data Loss Prevention (DLP) rules to control content sharing and prevent unintended exposure of sensitive information.
- Customize policies to allow or restrict specific features or services for managed accounts based on user roles.
- Ensure that users handle PII in approved tools.
Physical Safeguards:
- Limit physical access to authorized personnel only and use mechanisms such as access cards, biometrics, and secure locks.
- Secure workstations (computers, laptops) to prevent unauthorized access. Implement screen locks and restrict access to sensitive areas.
- Safeguard hardware (e.g., servers, storage devices) and removable media (USB drives, external hard drives). Encrypt sensitive data on portable devices.
- Properly dispose of PII-bearing media (e.g., shredding paper documents, wiping data from hard drives).
- Educate staff on physical security practices.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Enome (for Goalbook)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 7/1/2022 – 6/30/2023
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Goalbook Toolkit is used by teachers to access our research-based instructional resources and personalize instruction more effectively. The necessary PII that Goalbook requires are: educator name, email, title, and school/district name, which are used to provision user logins to the Goalbook platform.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Your privacy and security are paramount and we are not in the business of selling your data. We comply with all federal, state and local laws governing confidentiality of your data and regularly review them for new or updated guidance and regulations. To clarify, Goalbook does not provide any student access, so COPPA does not apply. Goalbook’s infrastructure is hosted on a commercial provider, Amazon Web Services (AWS) which is fully SOC2 compliant. Goalbook itself is currently contracted and engaged with auditors to evaluate our SOC2 compliance. All of Goalbook’s AWS services and data are located within the US. Goalbook's security features also include the use of industry-standard encryption algorithms for server access, data storage, and data transit such as 256-bit Advanced Encryption Standard, TLS 1.2, SSL, RSA, and ED25519; strong network security; employee role-based access controls using the principle of least-privilege; regular data backups; employee security awareness training; export and deletion of customer data on request; and automated monitoring of any 3rd party library security issues and regular updates.
We will maintain an active line of communication with NYC DOE to ensure that we understand and comply with their evolving security and privacy requirements as well. We regularly audit, monitor, and log access to our systems, data, and applications to prevent and identify any data security or privacy incidents. In the event of any data breach, NYC DOE would be promptly notified and follow-up would include analysis and actions to prevent any future incidents.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
ENRICHEDNYC
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We provide live, synchronous, high dosage academic tutoring services for students in Grades K-12, either one-on-one or in small groups of 2-4 students, both in person and online, primarily focused on accelerating foundational reading skills. PII is necessary to identify students receiving specific services and to monitor attendance and student progress.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Docs.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- ENRICHEDNYC limits the collection of Student PII to ensure the privacy and protection of each student served.
- ENRICHEDNYC stores Student PII in databases and on servers powered by Google behind multiple layers of electronic safeguards.
- ENRICHEDNYC protects Student PII through various means, including implementing secure user authentication protocols, secure and limited access control measures, and data encryption on public networks.
- ENRICHEDNYC restricts access to NYCDOE Student PII to those with legitimate purpose.
- ENRICHEDNYC uses strict password protection, including two-factor authentication and a password-protected cloud database.
- All associated employees and contractors sign non-disclosure agreements.
- ENRICHEDNYC employs various encryption techniques while data is in transit or stored.
- Backups for data storage are also encrypted.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Entourage Yearbook
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Entourage Yearbook provides online yearbook design software and also offers production/printing and shipping services. Entourage Yearbook receives the following PII: student name, student grade, student’s teachers, photographs of students. If the school sets up online sales, at checkout we require a billing name, address and email address to send the confirmation to. The parent will fill out standard billing information including name, address, phone number, and email. If the school sets up individual shipping we will also require shipping information.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Any custom content that you add to your personalized, custom yearbook (such as photos, documents and text) is only visible within the account that uploaded the custom content, and not to other users of the System.
Personal Information and Children’s Personal Information about our users is an integral part of our business. We neither rent nor sell your Personal Information or Children’s Personal Information to anyone.
The user profiles can have several different levels of access. Admins are reserved for the Yearbook Advisor at the schools. Editors are for people working on the yearbook and have to be approved or created by the yearbook admin. Users are for people contributing photos to the yearbook, again have to be approved or created by the yearbook admin. Mass users are for parents purchasing yearbooks or ads through our link site and do not have access to any part of the yearbook, or PII. Only the information they provide will be able to be accessed. All Admins, Editors, Users, Mass users passwords are encrypted. The access to the yearbook must be provided by the yearbook admin. Any changes to the levels of permissions are controlled by the yearbook admin.
The database information is stored on our protected server, which is hosted on AWS CloudFront. Only senior-level employees, which can include subcontractors hired at a senior level, i.e. senior developers, can access the database, and they must be on the Entourage VPN and have the credentials. Entourage employees must be full-time employees with over a year in the company to get certified to have access to the database. The Entourage VPN must be installed on the user's computer. The user must get credentials from the development team. The development team can revoke access to the VPN at any time. Once logged on to the VPN, employees can access the remote desktop computers; they must also have usernames and passwords for those machines. The passwords must be updated every 90 days.
Your Entourage account Personal Information or Children’s Personal Information is protected by a password for your privacy and security. You may help protect against unauthorized access to your account and Personal Information or Children’s Personal Information by selecting and protecting your password appropriately and limiting access to your computer and browser by signing off after you have finished accessing your account. When you enter sensitive information (such as a credit card number) in our Credit purchasing process, we encrypt the transmission of that information using secure socket layer technology (SSL). Entourage endeavors to protect user information to ensure that user account information is kept private. Entourage, however, cannot guarantee the security of user account information. Despite Entourage’s best efforts, unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time. For additional information about the security measures Entourage uses in connection with the System, please contact us at help@EntourageYearbooks.com.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Epiphany Blue
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Epiphany Blue is an award-winning event planning and experiential services agency and New York City/New York State certified Minority and Women-Owned Business. We curate unforgettable event experiences, activations, workshops, and programs for companies and communities nationwide while providing clients with world-class service. Epiphany Blue is dedicated to creating youth leaders and personally and professionally fulfilled adults by facilitating workshops and events that aim to assist our participants with developing their vision of success and bringing that vision to life. Since its inception in 2006, Epiphany Blue’s programming has served over 25,000 youth, staff, parents, and adults.
Our services for youth include personal and professional development workshops, educational outings, thematic projects, and youth-centered events. Our services for parents and school staff include personal and professional development workshops and events, and retreats and conferences.
Epiphany Blue may receive PII for program enrollment, participation, or to track program and student progress. As required by the NYC Public Schools, attendance documentation at each workshop and event is required. Once the information has been scanned into our encrypted Google Drive, the documentation is immediately shredded and destroyed. Surveys are also provided to program attendees; however, no identifying data is included in the anonymous surveys.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Workspace.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Epiphany Blue implements administrative and operational safeguards to ensure that staff who interact with this information do so responsibly and legally.
Administrative Safeguards:
- Policy Development and Implementation: We established clear policies regarding the handling of PII, including data collection, storage, access, sharing, and disposal.
- Staff Training: We regularly train our staff on data protection policies, ethical handling of PII, and the legal implications of mishandling data.
- Access Control: We implement policies to control access to PII, ensuring that only authorized personnel have access to sensitive information.
- Audit and Compliance: We audit data handling practices and ensure compliance with legal standards.
- Incident Response Plan: We developed a plan for responding to data breaches or unauthorized access incidents, including notification procedures and remedial actions.
Operational Safeguards:
- Secure Data Storage: We use secure, compliant systems for storing PII and regularly back up data to protect against loss.
- Password Management: We implement strong password policies and consider multi-factor authentication for systems that handle PII.
- Regular Software Updates: We keep all systems updated to protect against security vulnerabilities.
- Physical Security: We ensure the physical security of servers and computers where PII is stored.
- Data Minimization: We collect only the PII that is absolutely necessary for program services and avoid excessive data collection.
- Data Retention and Disposal: We have clear policies on how long PII will be retained and procedures for securely disposing of data that is no longer needed.
Monitoring and Evaluation
- Continuous Monitoring: Regularly monitor data handling practices and systems for any potential security breaches.
- Evaluation and Improvement: Continuously evaluate the effectiveness of data protection measures and make improvements as needed.
The Company adheres to the following data protection guidelines:
- Only the persons whose position requires it shall access personal data.
- We protect access to personal data through strict administrative and technical access control, including limiting access to data and implementing role-based access, verifying the identity of individuals trying to access personal data (e.g. passwords or security questions), encryption, using firewalls and intrusion detection systems, MFA, and regular software updates.
- Data shall be reviewed and updated on a regular schedule. If data is determined to be outdated, no longer relevant, or no longer needed, it will be deleted or destroyed appropriately.
- We require express consent to collect personal data, and a clear notice of our personal data collection, use, and sharing practices will be provided to consumers.
- When personal data is being used, the Company’s employees shall ensure computer screens are always locked when left unattended.
- Personal data should not be saved on desktops or local drives.
- Details on storing, using, and processing personal data shall be provided upon request.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Ernst & Young
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 7/1/2017 – 6/30/2023
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Ernst & Young US LLP was contracted for co-sourcing assistance with the planning and execution of statutorily mandated internal audits of schools. In addition to the State-mandated school audits, Ernst & Young US LLP assists the DOE’s Office of the Auditor General (OAG) in performing internal audits and other related consulting services for other divisions with the DOE. These internal audit and related services shall cover, but not necessarily be limited to the DOE’s activities in the areas of expenditures for payroll, per session, per diem, and other costs, enrollment and attendance, custodial expenditures and operations, contract providers of general and special education programs and services, food, transportation, technological and facilities services, grants management and any other fiscal operational or business process matters. PII may be received or accessed in connection with the planning and/or execution of these services.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall:
EY receives documentation that contains PII via the Department’s version of Microsoft Teams. DOE stakeholders sometimes send such information via email. Our team policy in this case is to move the documentation to our documentation retention platform (MS Teams) and delete the emails (and remind the stakeholders not to send such information via email).
Documents uploaded to Teams are then scrubbed for PII that is not needed for testing (i.e., redacted in PDF). We also receive various reports from the DoE with some Confidential Information in them, such as: a payroll file that includes name, employee ID, and amounts paid per session worked (i.e., hours worked on a specific job in a day x the pay rate = total pay for that job for that day), and an employee reimbursement file that will show employee name and address. These files have not been redacted, as the information contained in them is required for sampling and testing.
Within 30 days of project completion, we archive all final work products (tens of thousands of pages of PDFs as well as the reports). All work products are maintained for 6 years after the end of the contract period. We have received requests for documentation in years following the completion of a project.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft M365.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Data is encrypted in transit and at rest and access to the data is restricted based upon role and need to know.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
eScribers
Type of Entity: Commercial Enterprise
Contract / Agreement Start Date: February 2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Reporting and transcription services for the Impartial Hearing Office. PII is transmitted to us in the course of our reporting on administrative hearings and so as to allow us to prepare accurate legal transcripts of the hearings.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Our safeguards to ensure PII will be protected include:
- Routine and spontaneous risk assessments of our systems
- Secure access control
- Secure device configuration
- Up-to-date patch management
- Anti-virus and malware protection
- ISO 27001 certification (in the UK; US pending)
- Data Center Security
- IAM roles to minimize access
- Physically and digitally protected by AWS IaaS
- AWS Cloud firewalls
- VPN access
- IAM users
- AWS physical data center security measures
- Client Data encrypted in transit and at rest (min security requirement: SSL 256-bit encryption)
- Completed transcripts uploaded to DoE via SFTP
- Email Systems
- Anti-Spam and Phishing Detection software (Checkpoint Security, Avanan, Google).
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Eskolta School Research and Design
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Eskolta School Research and Design Inc.'s services include:
- Research and Evaluation projects that use a mixed-methods approach
- Sharing Learnings through workshops, conferences and school intervisitations
- Eskolta fellows program to build leadership capacity in teachers
- Resource Development Tool Kits for Educators
- Coaching and Capacity Building for School Leaders
- Facilitated inquiry projects with individual school teams
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. In any case where Eskolta receives PII, all personal information (e.g. interview transcripts, names, contact info) is de-identified and stored on password-protected devices of the research team, using a lookup code where appropriate, with the code key stored separately.
For many projects de-identified, linkable data will be sufficient for Eskolta and our NYCDOE partners to engage in data-centered professional learning and continuous program improvement.
We use an internal database for client services. The database will be password protected. Because the organization is hybrid, we use electronic communication for signatures and data collection. Staff are required to use agency-issued computer devices.
All of our files are behind a managed Google Workspace account that has explicitly defined permissions for all files, with all users required to use 2FA to log in. This account is also monitored by our managed service provider for any unusual logons and suspicious activity. Local machines all have anti-virus installed on them as well.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
eSpark
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. eSpark is a web-based supplemental curriculum resource for math and ELA. PII is used exclusively for the purpose of rostering students and creating accounts. PII collected from authorized school officials for this purpose includes student names, unique IDs (to prevent duplicates), grade levels, teachers, and class enrollment.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity states “If eSpark is not provided with notification that all usage is being terminated and/or if eSpark is not asked to immediately delete PII, the PII will be deleted in the last week of July.”
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. eSpark’s platform is built on the premise of “legitimate educational interest” as outlined in FERPA. The program’s role-based security ensures that student data is accessible only by those who have a right and need to access that data. We will never sell students’ personal information to third parties, we will never ask students to provide any personal information to us, and we will never send marketing messages to students or disclose student data to any company that would.
eSpark’s technical safeguards include industry-standard encryption while data is at rest and in transit. The program is constantly monitored for intrusions, and our development lifecycle includes multiple checks and balances to test updates for bugs and vulnerabilities before they are pushed live to production. All eSpark data is securely hosted in the United States with Amazon Web Services.
eSpark employs the same level of care at the operational and administrative levels, with documented workflows ensuring that student data access is limited to those who need it to perform their duties under our contract agreements with our partners. All employees and contractors who may come into contact with student data are required to attend annual training on data privacy and security, and sign a student data confidentiality agreement before they can access eSpark systems.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Essential Education
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Essential Education provides adult education learning tools in both digital and print formats and provides students with test-taking tools and skill development. PII is used to create user accounts, track student progress, and customize learning plans.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Essential Education maintains the following technical and operational safeguards:
- Security Breaches – Essential Education monitors databases and services for security breaches. Should a breach be detected, NYCDOE will be notified within 24 hours.
- Data Destruction – Student data can be deleted by the District Administrator at any time and destroyed by Essential Education at a reasonably scheduled time, upon notification by DOE.
- Training of Employees – Essential Education provides onboarding training of all employees which includes privacy and security training. Any administrative level accounts require two-factor authentication.
- Security Design – Essential Education uses a VPC with separate subnets for public and private services.
- Vulnerability Monitoring and Mitigation – Essential Education scans for and tracks vulnerabilities in its production infrastructure. A vulnerability scan is run at least once per week.
- Data backups – Daily backups of the database are created and retained for approximately one month.
- Single Sign-On – Essential Education provides its own user management and authentication system, but also supports single sign-on integration.
- Roles and Permissions – Essential Education provides a number of account types and can also customize the capabilities of these roles for individual customers to an extent.
- Multi-Factor Authentication – Essential Education staff are required to authenticate with MFA on a VPN to access the administrative control features of the application.
- Account Deactivation / Expiration – A system for automatically deactivating inactive student accounts is available and enabled by default.
- Password Handling – Specific password requirements must be met for all user accounts.
- Disaster Recovery Plan – Essential Education provides redundancy across two availability zones (A and B) in the us-west-2 (Oregon) region.
- Change Control – Essential Education uses various software tools to track change requests and changes to the application.
- Firewall Policies – Certain administrative functions within the application are restricted by the application software to the Essential Education VPN. Essential Education allows access to its bastion server only from the Essential Education VPN. Changes to these restrictions require approval.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Essential Skills Software
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Essential Skills is an online learning platform for K‐6 and older remedial students. Basically, it’s educational software. Student names are used to identify students in the system, create student login credentials and to maintain a record of student progress in the Essential Skills platform.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Regular employee training is conducted on data privacy and security best practices including the proper handling of PII, password protection, and phishing scams. Access controls are implemented that limit access to PII to Essential Skills employees who need it to perform their job duties. Two-factor authentication has been implemented to verify the identity of users accessing sensitive systems and data. PII data is stored on a private cloud server. Any backups are encrypted and stored online. PII is not stored on any physical media. PII data is erased as subscriptions are cancelled.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Everbridge, Inc.
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Everbridge grants access to our proprietary communications SaaS solutions for emergency mass notification messaging, via email, phone, text, or mobile app. End users of the solutions provide their Client Data, which contains the names and contact information (email, phone) of the recipients of the messaging.
[NYCPS comment: NYCPS is the “end user” and families’ contact information is the “client data.”]
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Everbridge has implemented and shall maintain an information security program designed to protect against unauthorized or unlawful Processing of Personal Data or its accidental loss, destruction, or damage, including the measures described below.
- Physical Security Controls – policies, procedures, and physical and technical controls designed to limit physical access to information systems and facilities in which they are housed to properly authorized persons, including:
- A badge-based access control system to control physical access and movement into and throughout Everbridge’s facilities; and
- Processes and procedures to promptly remove facility access rights from terminated personnel.
- Access Controls – policies, procedures, and technical controls to ensure that all members of Everbridge’s workforce who require access to Personal Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access, including:
- Role-based access policies that restrict user access to systems and resources based on job responsibilities;
- Processes to grant and revoke access rights based on business need, and to regularly review user access rights to ensure ongoing alignment with business needs;
- Strong authentication procedures for production environments that require a username, password, and multifactor authentication; and
- The use of firewall and intrusion detection systems to log access events for review by authorized Everbridge personnel.
- Security and Data Protection Awareness and Training – a security and data protection awareness and training program for members of Everbridge’s workforce (including management), which includes training on how to implement and comply with Everbridge’s security and data protection program, and which all workforce members are required to undergo upon initial hire and annually thereafter.
- Security Incident Procedures – policies and procedures to detect, respond to, and otherwise address security incidents, including:
- deployment of an intrusion detection system to log access events and to monitor and restrict inbound internet traffic;
- documented procedures to identify, escalate, and respond to suspected or known security incidents, mitigate harmful effects of security incidents; and
- documented procedures to analyze the root cause of security incidents and to implement changes to existing controls, where appropriate, to better respond to future threats.
- Contingency Planning – policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Personal Data or systems that contain Personal Data, including:
- documented business continuity and disaster recovery plans that include procedures to restore data and the functionality of affected systems, including procedures to rebuild systems, update software, install patches, and change configurations, as needed;
- documented policies and procedures for the backup and recovery of data maintained in cloud-based environments, including periodic backups of production services, files, and databases, and the storage of backups in a separate data center; and
- periodic testing of Everbridge’s business continuity and disaster recovery plans.
- Device and Media Controls – policies and procedures that govern the receipt and removal of hardware and electronic media that contain Personal Data into and out of an Everbridge facility, and the movement of these items within an Everbridge facility, including policies and procedures to address the final disposition of Personal Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Personal Data from electronic media before the media are made available for re-use.
- Audit controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including:
- logging of system access activity, including user authentication, failed user login attempts, and access control list changes; and
- regular reviews of the logs for unusual or suspicious activity.
- Data Integrity – policies and procedures to ensure the confidentiality, integrity, and availability of Personal Data and protect it from disclosure, improper alteration, or destruction.
- Storage Security – technical security measures to guard against unauthorized access to Personal Data in storage, including:
- encryption of data in motion and at rest in hosted environments, and use of a key management system to securely manage the lifecycle of encryption keys; and
- use of full-device hard drive encryption to protect the confidentiality and integrity of information maintained on approved mobile devices.
- Assigned Security Responsibility – designation of a security official responsible for the development, implementation, and maintenance of Everbridge’s security program.
- Testing – Regular testing and monitoring of the effectiveness of Everbridge’s security program, including through SOC 2 Type II audits of Everbridge’s solution performed by an external third-party auditor, and through periodic vulnerability scans and risk assessments designed to identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of the Personal Data, and to ensure that these risks are addressed.
- Adjustments to the Program – Monitoring, evaluation, and adjustment, as appropriate, of Everbridge’s security program considering any relevant changes in technology or industry security standards, the sensitivity of the Personal Data, internal or external threats to Everbridge or the Personal Data, and Everbridge’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
EverFi
The exclusive purposes for which Protected Information will be used: Personally Identifiable Student Information (PISI) will be used for registration and use of EverFi courses.
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Everfi requires employees, subcontractors and authorized persons or entities that receive student data or teacher or principal data to sign agreements that include appropriate confidentiality obligations that cover such data.
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: EverFi will return or destroy such data in accordance with the terms of this agreement.
[NYC DOE comment: The current agreement became effective starting on March 5, 2020 and terminates when all NYC DOE schools and/or offices cease using EverFi, Inc.’s products/services. The terms of the agreement remain effective through the period during which EverFi, Inc. possesses or otherwise is in control of covered protected information.]
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipients. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): PISI will be stored in the U.S. (within the contiguous 48 states) in accordance with EverFi’s Data Security Policy. Please see EverFi’s “Data Security Policy” for more details.
How the data will be encrypted (described in such a manner as to protect data security): Data is encrypted at rest and in transit (AES-256 encryption algorithm). Database connections are via SSL protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384.
Evergreen Technologies
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Evergreen Technologies provides staff augmentation to DOE offices for a range of services. We have high-level proficiency in supplying all areas of IT; Emerging Technologies, Big Data, Engineering Support, Enterprise Data Management, Business Analysis, Application Development, Infrastructure, Cyber security, IT Compliance, Cloud Solutions & Project Management. All consultants will work on DOE systems only, and in doing so, may have access to student information. However, it's important to note that handling PII will be done in accordance with privacy regulations and best practices.
Site Surveys: The surveys may involve collecting information about individuals at the sites, such as names, contact details, and specific roles related to the integration, cabling work, and network setup.
Vendor Management: Managing client vendors may involve handling PII, especially if communication involves individual representatives from those vendors.
External Meetings: Coordinating on-site meetings with schools could involve gathering and handling PII of school staff or participants in those meetings.
Documentation: Maintaining a central repository for project documents and updating project related documents may include PII such as names and contact information of individuals involved in the project. Given these potential scenarios, it's crucial for Evergreen Technologies and its employees involved in the project to be mindful of privacy and data protection laws. We will implement appropriate measures to ensure the confidentiality, integrity, and availability of any PII that may be accessed or processed during the course of the project. This includes obtaining necessary consents, ensuring secure transmission of PII, and adhering to relevant data protection policies and procedures.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Evergreen Technologies asserts that it will not store any Personally Identifiable Information (PII) or confidential data outside of the secure systems controlled by NYC DOE.”
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Considering that Evergreen Technologies will not host or manage the data, but will only have access to it, the safeguards that we will have in place are as follows:
- Comprehensive Access Controls: We will implement stringent access controls to regulate access to the Protected Information, ensuring that only authorized personnel can access the data.
- Robust Administrative Safeguards: We will establish Administrative safeguards which will involve establishing and enforcing policies and procedures to govern how our employees interact with the Protected Information. This includes training programs to ensure adherence to security protocols.
- Operational Safeguards: We will establish Operational safeguards which will focus on defining and implementing secure processes for handling and interacting with the Protected Information during the course of tasks.
- Technical Safeguards: While not hosting the data, we will comply with the technical safeguards such as encryption, secure communication channels, and authentication mechanisms to protect the data during access and transmission.
- Meeting Industry Standards: We will commit to aligning our security practices with industry standards, despite not hosting the data. This ensures that our access protocols and security measures adhere to recognized best practices.
In summary, these safeguards are adapted to the specific role of Evergreen Technologies as an entity with access to, but not the host or manager of, the Protected Information. The emphasis remains on securing the data during access and ensuring compliance with industry standards.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Everyone Reading
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: September 2023 – June 2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Our training provides prevention and intervention strategies to familiarize educators with multi-sensory language education strategies to be used in general and special education classrooms and in Multi-Tiered Systems of Support, Response to Intervention (RTI) and Academic Intervention Services models of support. We provide virtual workshops and on-site training specifically on assessment and data interpretation, as well as including necessary discussion of those topics in all of our other workshops. The area of assessment includes baseline data such as attendance, school mobility, hearing and vision, home language, standardized test scores, report card grades and comments, individual, group and schoolwide assessments on such instruments as Acadience, KeyPhonics, PAST, early childhood assessments, such as the Early Screening Inventory (ESI-R), work samples and observational data. As appropriate, we also look at sample Individual Educational Programs (IEPs) and psychosocial evaluations.
Type of PII that the Entity will receive/access: Student PII. “All participants will be asked to de-identify all student data. However, data may include multiple modalities such as writing samples, benchmark assessment data and progress monitoring reports. These multiple modalities together may lead to identifying different students if they are not correctly de-identified. Any student data will be used only during professional development sessions in real-time alongside participants. No data will be stored physically or electronically by Everyone Reading.”
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third-party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Data will not be stored at any time during the duration of the agreement, and will not need to be deleted or destroyed.”
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data will be used in real-time with professional development participants. In all sessions any assessments, work samples, records, other forms of data that may contain identifying information will be kept in the possession of participants, with Everyone Reading facilitating data analysis.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Evolution Labs (EL) (for Suite 360)
The exclusive purposes for which Protected Information will be used: For the purposes of administering and assessing learning related to the subject material of the program.
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: Data is only shared with Evolution Labs employees with a demonstrated need for that information (i.e., developers, DBAs, Client Services, etc.). Each EL employee receives annual training on protecting user data. Data is never shared outside of EL.
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: NDA begins on August 27, 2020 and is sustained indefinitely until/unless either party terminates the agreement. Upon expiration of the agreement, archived data is kept for 12 calendar months, at which time it is destroyed. Accelerated deletion of data can occur upon request.
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Recipient will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Recipient. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Data is stored in the US and all databases are encrypted and protected with industry standard security.
How the data will be encrypted (described in such a manner as to protect data security): Databases are encrypted at rest. All programs utilize industry standard encryption.
ExpandED Schools
Type of Entity: Research Institution or Evaluator; Community Based Organization or Not-for-Profit
Contract / Agreement Term: 8/31/2022 – 8/30/2027
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. This agreement covers multiple projects, and thus the type of PII collected and for which purposes will vary. PII may include, but is not limited to:
- names of students participating in relevant DOE initiatives, their parents and guardians;
- student OSIS number;
- student’s date of birth;
- school affiliation, district, and grade;
- school-day and afterschool attendance;
- state test scores or other academic achievement information (e.g., report card grades);
- Race, ethnicity, special education status, language spoken at home and English Language Learner status.
If collected, all information will remain confidential solely between relevant parties (DOE, ExpandED Schools, and any subcontractors where applicable, who are subject to the same rules and regulations governing ExpandED Schools’ access to these data). If collected, processing PII will allow ExpandED to identify youth who would benefit most from the supports we are offering, as well as to track whether students improve outcomes as a result of participation in our supports.
Type of PII that the Entity will receive/access: We are not aware of which types of data will be required at this time, but it is likely that we will be collecting student and/or educator PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; (i.e. if data are transferred via a cloud-based tool, ExpandED Schools will use a secure Sharepoint link to transfer and store data, ensuring that only those who require access are granted access); and using an entity-owned and/or internally-hosted solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ExpandED Schools commits to implementing all state, federal, and local data security and privacy contract requirements over the life of the agreement, consistent with NYC DOE’s data security and privacy policy, as well as the requirements of NYC DOE’s Parents’ Bill of Rights for Data Privacy and Security. The following outlines the data security protocols and measures in place to ensure compliance with all requirements.
ExpandED Schools has numerous administrative, operational and technical safeguards and practices in place to protect any Protected Information that we may potentially receive under the contract. This includes, but is not limited to:
Administratively:
- ExpandED staff and its subcontractors are required to hold Confidential Information in strict confidence. ExpandED staff and subcontractors will only disclose Confidential Information to other staff who need to know the information in order to carry out tasks and only to the extent justifiable by that need.
- ExpandED will only use Confidential Information collected for projects that fall under the agreement for specific project purposes. ExpandED and its subcontractors will not use Confidential Information for its own benefit or for the benefit of another, or for any use other than specified in the agreement. ExpandED will never sell, license or distribute any Confidential Information collected as part of this agreement.
Operationally and technically:
- ExpandED will store all Confidential Information on ExpandED’s server located in the United States. Confidential Information may never be stored on personal technology devices or laptops at any time. ExpandED will not incorporate any Confidential Information into any database or any medium other than required for this agreement.
- If necessary to share information via a cloud-based server, ExpandED will use secure Microsoft SharePoint Drive folders to share information, which offers security in compliance with state, federal, and local standards and ensures only authorized individuals can access data.
- ExpandED will ensure end-to-end encryption when data is in motion and at rest to preserve safety of data at all times.
- If not necessary to share data via a cloud-based server, ExpandED utilizes a Virtual Private Network (VPN) which is secure and password-protected.
All research team members and the President & CEO of ExpandED will be trained and certified through the Collaborative Institutional Training Initiative (CITI) program Research Ethics and Compliance Training which includes federal laws, research in schools, and other topics that ensure the ethical use of data and protected information. Research team members will also receive training on state-specific laws provided by the Director of Research as part of their orientation to work on projects that fall under this agreement. Third-party subcontractors will be required to offer these same training opportunities to their staff members, and this will be included as part of our written agreement.
Any third-party subcontractors will be subject to all rules and regulations governing ExpandED’s access to this data, and ExpandED will hold subcontractors accountable for following all protocols. This will be specified in writing as part of any written agreements between ExpandED and subcontractors as part of this agreement.
Data security breaches or privacy incidents will be managed by the senior executives of the organization who will contact the NYC DOE via phone and email as soon as we learn of any breach. Staff are required to notify senior executives of ExpandED of any suspected data security breach or privacy incidents. The senior executives will act promptly to stop the breach, assess how it occurred, and make changes to ensure the breach will not be repeated, and notify the NYC DOE of its actions, findings and next steps.
All confidential information will be returned or destroyed upon termination of services.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
ExpandED Schools (for tutoring services)
Type of Entity: Research Institution or Evaluator and Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ExpandED Schools (ExpandED) is the lead organization, working in direct partnership with New York City Public Schools (NYCPS), implementing a large-scale tutoring effort, serving 10 NYC school districts, including 71 elementary and middle schools, in school year 2022-23. ExpandED and NYCPS have secured private funding to allow for each participating school principal, working in collaboration with their district superintendent, to develop a tutoring plan, choosing from a menu of tutoring service providers who meet a predetermined set of criteria. Tutoring will either focus on literacy in grades K-2, or math in grades 6-8. ExpandED will: (1) facilitate tutoring program design sprints and support schools with program development; (2) coordinate data collection and analysis for continuous improvement; (3) provide ongoing coaching and support for school-based implementation; and (4) communicate regularly with updates for all stakeholders.
To effectively meet the aims of the joint goals of this initiative, ExpandED and its subcontractors will require access to the following Student Personally Identifiable Information (Student PII): (i) names of students participating in this tutoring program, their parents and guardians; (ii) student OSIS number; (iii) student’s date of birth; (iv) school affiliation, district, grade, ELA and/or Math classroom, and homeroom; (v) school-day, afterschool, and tutoring attendance; (vi) literacy and/or math screening assessments in order to target the tutoring intervention to students for whom it is most appropriate; (vii) literacy and/or math achievement data, including marking period grades and/or state test scores, to examine whether tutoring successfully improved student outcomes; (viii) Race, ethnicity, gender, housing status, special education status, language spoken at home and English Language Learner status.
As different schools will decide on different implementation plans for their tutoring programs, ExpandED and its subcontractors may also need to access DOE employee PII, such as: (i) names of teachers and other school staff participating as tutors in the program; (ii) Race, ethnicity, gender, and other demographic information; (iii) employment status, including number of years the individual has been employed as a teacher or other school staff within NYC and elsewhere.
Type of PII that the Entity will receive/access: Student PII and “depending on the type of tutoring program selected by the school, we may require identifiable information for DOE employees leading tutoring activities, such as teachers or other school staff.”
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor. “We plan to use SharePoint; we may introduce additional cloud or infrastructure owned tools as the project progresses; we will update this agreement and related forms prior to making any changes.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. ExpandED Schools commits to implementing all state, federal, and local data security and privacy contract requirements over the life of the agreement, consistent with NYC DOE’s data security and privacy policy, as well as the requirements of NYC DOE’s Parents’ Bill of Rights for Data Privacy and Security. The following outlines the data security protocols and measures in place to ensure compliance with all requirements.
ExpandED Schools has numerous administrative, operational and technical safeguards and practices in place to protect any Protected Information that we may potentially receive under the contract. This includes, but is not limited to:
Administratively:
- ExpandED staff and its subcontractors are required to hold Confidential Information in strict confidence. ExpandED staff and subcontractors will only disclose Confidential Information to other staff who need to know the information in order to carry out tasks and only to the extent justifiable by that need.
- ExpandED will only use Confidential Information collected for projects that fall under the agreement for specific project purposes. ExpandED and its subcontractors will not use Confidential Information for its own benefit or for the benefit of another, or for any use other than specified in the agreement. ExpandED will never sell, license or distribute any Confidential Information collected as part of this agreement.
Operationally and technically:
- ExpandED will store all Confidential Information on ExpandED’s server located in the United States. Confidential Information may never be stored on personal technology devices or laptops at any time. ExpandED will not incorporate any Confidential Information into any database or any medium other than required for this agreement.
- If necessary to share information via a cloud-based server, ExpandED will use secure Microsoft SharePoint Drive folders to share information, which offers security in compliance with state, federal, and local standards and ensures only authorized individuals can access data.
- ExpandED will ensure end-to-end encryption when data is in motion and at rest to preserve safety of data at all times.
- If not necessary to share data via a cloud-based server, ExpandED utilizes a Virtual Private Network (VPN) which is secure and password-protected.
All research team members and the President & CEO of ExpandED will be trained and certified through the Collaborative Institutional Training Initiative (CITI) program Research Ethics and Compliance Training which includes federal laws, research in schools, and other topics that ensure the ethical use of data and protected information. Research team members will also receive training on state-specific laws provided by the Director of Research as part of their orientation to work on projects that fall under this agreement. Third-party subcontractors will be required to offer these same training opportunities to their staff members, and this will be included as part of our written agreement.
Any third-party subcontractors will be subject to all rules and regulations governing ExpandED’s access to this data, and ExpandED will hold subcontractors accountable for following all protocols. This will be specified in writing as part of any written agreements between ExpandED and subcontractors as part of this agreement.
Data security breaches or privacy incidents will be managed by the senior executives of the organization who will contact the NYC DOE via phone and email as soon as we learn of any breach. Staff are required to notify senior executives of ExpandED of any suspected data security breach or privacy incidents. The senior executives will act promptly to stop the breach, assess how it occurred, and make changes to ensure the breach will not be repeated, and notify the NYC DOE of its actions, findings and next steps.
All confidential information will be returned or destroyed upon termination of services.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Experis US (for staff augmentation for the Special Education Office)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 6/1/2023 – 5/31/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Experis’ services will support the timely identification, evaluation, and placement of all students in an appropriate educational setting. Experis will provide the tools and resources required to adequately test the primary special education processing systems, address end-user escalations, train all appropriate NYCPS staff who require the system to perform their job responsibilities, and develop the reporting infrastructure required to meet operational, management, and regulatory reports.
PII will be accessed for project management, developing initiatives, providing adequate support, troubleshooting issues, and creating reports.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: No PII will be stored or hosted by Entity.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: No PII will be stored or hosted by Entity.
Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- Require annual third-party security privacy and awareness training for staff and subcontractors.
- Implemented malware protections on all devices and accounts.
- Granular event logging employed to assist with security incident response.
- Network access will only be from secure, known networks, secured by a network firewall, and not utilize any unknown, public, or open networks.
- All software will be kept current and patched.
- Employing best practices including:
  - Local user accounts will utilize a strong password.
  - The system automatically locks after 30 minutes of inactivity.
  - Hardware used by staff/subcontractors will be securely stored when not in use.
  - Staff/subcontractors will conduct work in a private location away from non-DOE vendor resources and lock their screen when anyone unauthorized has visibility of their work area or screen.
  - No data shall be stored locally on staff and contractors’ servers, computers, or personal devices.
  - Staff/subcontractors will submit a ticket in the event they need additional software or access.
- Access to PII data shall only utilize role-based access controls, provide least privilege access, be limited to authorized persons whose job responsibilities require access, and all access will be logged to an external source sufficient to determine who, what, and when DOE data was accessed.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Experis US (for SMART Intake)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 04/3/2023 – 3/31/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. This project will build an online tool with the help of the vendor that can be used to conduct the intake process and perform assessments for the Office of Students in Temporary Housing (STH). Automation of the process and using data from the current DOE system that houses PII data to validate student information will allow support staff to best serve students and families in need. Additionally, canned and ad-hoc reporting functionalities using data from the current DOE system that the vendor will help to build will allow DOE staff to make decisions to improve allocation of service resources and supports to better serve our students and families in temporary housing.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud service providers) and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: PII will not be transmitted to Experis and Experis will not host or store any PII from DOE.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Access to PII data shall be limited to authorized persons whose job responsibilities require it. Any incidents in data security storage or handling, or unauthorized access to protected client information, will be reported to the DOE immediately. No data shall be stored locally on staff and contractors’ servers, computers, or personal devices.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Experis US (for the Social Worker Information Management System (“SWIMS”))
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 04/3/2023 – 3/31/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Vendor will access certain PII in connection with integrating the Social Worker Information Management System (“SWIMS”) into DOE databases such as NYCDOE Single Sign On Identity Provider (IDP) and Student Information System. SWIMS will house all records for DOE case managers, provide a mechanism to create new cases, edit existing cases and provide an easy system to track social workers’ services across DOE. The SWIMS database will include information such as Student First Name, Student Last Name, and Student ID and the data will be encrypted.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Vendor resources are all vetted in the DOE’s Personnel Eligibility Tracking System (PETS) and will have a DOE-assigned user name and password. Any access to DOE systems will be monitored as per DOE guidelines. The vendor resources will also sign and follow the Experis Data Privacy document. Vendor resources will not have access to production data. Data in the production environment will be encrypted. Access to PII data shall be limited to authorized persons whose job responsibilities require it. Any incidents in data security storage or handling, or unauthorized access to protected client information, will be reported to the DOE immediately. No data shall be stored locally on staff and contractors’ servers, computers, or personal devices.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
ExploreLearning
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 6/1/2023 – 5/31/2030
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. ExploreLearning is an education technology company creating seriously fun web‐based learning solutions for the most critical challenges facing K‐12 STEM education. Our programs are state‐ and national‐standards aligned, including Next Generation Science Standards (NGSS) and the Standards for Mathematical Practice (SMP). We help teachers bring engaging instructional strategies to classrooms in every state in the U.S. and more than 80 countries worldwide.
ExploreLearning products include:
- Gizmos is a website offering interactive simulations and case studies for math and science, using structured inquiry and experimentation to help students understand concepts. With more than 450 Gizmos covering STEM topics for grades 3‐12, students can dig deeper into tough‐to‐teach concepts as they form, analyze, and test ideas to find solutions.
- Reflex is a math fact fluency website for students in grades 2–8. Using adaptive learning, Reflex builds student mastery with basic math facts in addition, subtraction, multiplication, and division. Students cycle through assessment, instruction, and academic practice personalized to maximize their progress. With lively characters, game‐based challenges, and incentives for achievement and effort, students engage deeply in their progress.
- Science4Us offers blended learning designed for students in grades K‐2, combining web‐based lessons and academic practice with offline teacher‐led instruction and hands‐on extension. The cross‐curricular approach reinforces literacy and math standards, featuring interactive games, songs, virtual notebooks, experiments, and more. Science4Us includes 28 modules (covering topics in physical, life, and earth/space science) and lessons take as little as ten minutes to complete.
- Frax is an adaptive learning website that uses story‐driven, game‐based lessons to help students in grades 3‐5 learn fractions. Frax utilizes the latest research‐based instructional methods, with fun challenges and motivating rewards to ensure that students build mastery in fractions concepts. Students practice with visual models and number lines to reinforce the essential knowledge that fractions are numbers too!
Customer PII is encrypted at rest and in transit using industry standards such as BitLocker, AES 256, and HTTPS and TLS 1.2 and higher.
The DOE student demographic data collected by ExploreLearning is data entered/provided by DOE educators and administrators. The same data is made available solely to DOE educators and administrators for their own use in reporting. DOE PII data is not used by ExploreLearning for any system testing or system reporting. DOE PII data is not used outside the scope of services of this agreement. Aggregate data may be used for our research and analysis of our customers’ use of and experience with our products and services, for the development, improvement and optimization of our educational products and services for the DOE. DOE PII data will only be used in accordance with performing the contract at DOE’s direction.
Additional educational information is collected as the child progresses through the service, such as amount of time logged in, reading rate, and assessment scores. This information allows the service to adapt to the child and inform the teacher on the child’s progress.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted-solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We maintain administrative, technical and physical safeguards designed to secure student data, as provided by NYC DOE, both during transmission and while in our custody. These safeguards include technical and operational measures, such as firewalls, routers, encryption (at rest and in‐transit), passwords, and vulnerability testing, as well as training, policies and procedures to limit access to NYC DOE provided data to authorized staff, contractors and agents that have a legitimate need to access such data for purposes of enabling us to deliver and support our products and services to the NYC DOE, and that are under appropriate contractual obligations of confidentiality, data protection and security.
No student PII is ever public. Our applications are designed to keep this information private and secure. It is never discoverable by the public.
- The Company has a formal onboarding and off‐boarding procedure under which access to database assets is formally granted and revoked, respectively; access is granted only to employees who need it to support the online products, in keeping with the principle of least privilege.
- The Company provides student data privacy training to all employees and contractors who access our network.
- The Company employs a 3rd party company to conduct both COPPA and FERPA compliance audits.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Family Life Time Solutions (for #SameHere)
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 11/1/2021 – 9/1/2022
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The #SameHere Teacher and Student Apps allow teachers and students to share their feelings in a secure app setting. The app acts as an emotional thermometer. It is not diagnostic, and it does not make recommendations. It strictly allows students to tell teachers how they are feeling, and to track those feeling trends over time.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Log systems are in place to identify unauthorized access to the databases. Vulnerability assessments are done periodically to identify any threats or risks. The OWASP Top 10 is followed as much as possible. WAFs are also implemented to avoid DDoS attacks.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
FEV Tutor
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. FEV Tutor provides high-impact tutoring for Grades 3-12 through an online, interactive whiteboard with a live adult.
As part of our implementation process, we can integrate with a school’s existing SSO and LMS. Doing so allows us to quickly roster students in our system and build a benchmark of their current academic aptitude, which lets us more accurately target their needs.
The integration process inherently involves some PII, including name, Grade, and which school the student attends.
We manage this process according to strict guidelines, and have OneRoster 1.2 and LTI 1.3 certification through 1EdTech. These are considered industry-leading certifications for managing student data.
At the discretion of the client, standardized benchmark test results for students may be shared using secured API integrations or secure file transfer in order to evaluate student learning gains and the efficacy of the tutoring implementation.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Oracle Cloud Infrastructure (OCI) and Microsoft Azure.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
Administrative Safeguards:
Our administrative measures include a rigorous framework of policies and procedures that govern the handling of PII. This framework is underpinned by a training program for all staff members, emphasizing the importance of data privacy and security and their roles in maintaining it. Access to PII is strictly governed by role-based permissions, ensuring that individuals are granted access only to the data necessary for their specific job functions. Regular audits and compliance checks are conducted to ensure adherence to these policies and procedures, with corrective actions taken as necessary to address any identified deficiencies.
Technical Safeguards:
On the technical front, we utilize state-of-the-art encryption techniques to protect PII both in transit and at rest, ensuring that data is unreadable to unauthorized individuals. Our password policy mandates strong, unique passwords, supplemented by multi-factor authentication to add an additional layer of security. Access controls are meticulously managed and reviewed to prevent unauthorized access, with automatic log-offs and session timeouts implemented to minimize the risk of unauthorized data exposure. Regular vulnerability assessments and penetration testing are conducted to identify and remediate potential security weaknesses, ensuring our defenses remain robust against evolving threats.
Mitigating Data Privacy and Security Risks:
We adopt a proactive and dynamic approach to mitigate data privacy and security risks. This includes continuous monitoring of our data protection measures, regular updates to our security protocols in response to new threats, and swift action to address any potential vulnerabilities. Our incident response plan outlines clear procedures for responding to data breaches or security incidents, ensuring rapid containment, investigation, and notification in compliance with legal and regulatory requirements.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Find Your Grind
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Find Your Grind provides curricula for students in grades 6-12 and professional development services for educators that support students in their self-discovery, career exploration, and career planning journey. We collect PII to create student accounts, provide students access to the platform, and support educator tracking and progress monitoring.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Azure.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The key points of Find Your Grind’s technical safeguards include:
- Incorporating automated security scanning into the platform
- Automatic threat detection and monitoring
- Implementing a vulnerability assessment solution
- Encryption all the way through (SQL TDE, HTTPS between services, etc.)
- Penetration Testing
- Two-Factor Authentication where possible
- Authentication and Authorization
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Finding Focus (through University of California Santa Barbara)
Type of Entity: Public, Not-for-Profit University
Contract / Agreement Term: 8/01/2021 – 6/30/2025
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Finding Focus is an online course that is intended to help high school students learn how to improve their focus and emotional resilience. Students use their names and email addresses to securely create accounts. These accounts allow each student to receive a personalized learning experience, and it also makes it possible for teachers to track their students’ progress throughout the course. PII is used exclusively to provide this educational service.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Upon expiration of the agreement, protected information will be stored securely for the duration indicated by the NYSED Education Retention Schedule ED-1 and then deleted.”
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We follow best practices in workstation management and secure application development. Our cloud services are provided by industry leaders with excellent reputations for providing and maintaining security. All data is encrypted in transit according to industry standards, and PII is also encrypted at rest. We continuously monitor for potential security vulnerabilities through third-party services, and we apply all patches and updates needed to reduce exposure to identified vulnerabilities. A quarterly risk assessment is also implemented to identify and remediate any emerging security risks. Early warning signs of a data breach are regularly monitored, and an incident response plan is in place to ensure a rapid and effective response in case a breach does occur.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Fishtank Learning
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Fishtank Learning is a digital curriculum platform offering high-quality core ELA and math curriculum materials. This project would make Fishtank’s 6th-8th grade ELA curriculum available to NYC schools for use by teachers. The curriculum is currently accessed only by teachers via Fishtank’s website, www.fishtanklearning.org. Students do not create accounts. This part of the service does not require PII.
Fishtank Learning’s new application, Fishtank Student, will allow teachers to assign work directly to students and allow students to complete assignments on the platform. If schools choose to pilot the new platform, PII will be accessed to track student progress and provide students with feedback. PII is needed to make student accounts and track student progress in completing ELA assignments. PII is needed for teachers to grade and provide feedback on student work, to identify areas where students need further support or instruction and communicate with students about their progress.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Heroku Postgres, AWS S3
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Fishtank Learning uses industry best practices to ensure data safety and security. Employees will be given limited role permission within Fishtank applications to only access necessary data. Contractors will not be granted administrative access to databases that contain student data.
Fishtank Learning uses TLS and HTTPS, which encrypts all data before it leaves the Fishtank Learning servers and protects that data as it transits over the internet. All of our Services are hosted by Heroku, Amazon Web Services (AWS), and served securely from Cloudflare. All personally identifiable information is encrypted at rest using modern encryption algorithms.
Virtual access to administrative controls and information within applications is strictly limited to essential engineering staff and support, with user support receiving less access than engineers. Credentials and access to our applications are removed when a staff member leaves the organization.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
FMYI, Inc (also called Grouptrail)
The exclusive purposes for which Protected Information will be used: NYC DOE Bridge for All Program.
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: There is no sharing of the student data by Grouptrail for NYC DOE Bridge for All. If there was, we will have the subcontractor sign an amendment to our agreement that includes these data protection and security requirements required by this non-disclosure agreement with the NYC DOE.
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: Upon termination of our relationship with the NYC DOE related to this agreement, the protected information is deleted. Decommissioned media utilizes techniques detailed in NIST 800-88.
[NYC DOE comment: The current agreement became effective starting on June 26, 2020 and terminates when all NYC DOE schools and/or offices cease using FMYI, Inc.’s products/services. The terms of the agreement remain effective through the period during which FMYI, Inc. possesses or otherwise is in control of covered protected information.]
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): Protected Information is stored in the US.
How the data will be encrypted (described in such a manner as to protect data security): SSL for data in transit, network firewall, and encryption at rest.
FOCALPOINTK12
The exclusive purposes for which Protected Information will be used: The software provides online learning for middle and high school students in a classroom setting. The student names and their grades will be available to teachers and advisors.
How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your non-disclosure agreement with the NYC DOE: The company has strict data protection and privacy policies in place and adheres to them. The company has built stricter security policies as part of the contracts working with several State DOE agencies.
When the non-disclosure agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: All the data will be removed and purged from the system.
[NYC DOE comment: The current agreement became effective starting on June 6, 2020 and terminates when all NYC DOE schools and/or offices cease using FOCALPOINTK12, INC.’s products/services. The terms of the agreement remain effective through the period during which FOCALPOINTK12, INC. possesses or otherwise is in control of covered protected information.]
If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Processor will work with the NYC DOE in processing challenges to the accuracy of student data in the custody of the Processor. [NYC DOE comment: requests for copies of student data or to challenge the accuracy of such data should be directed to your child’s school, or to studentprivacy@schools.nyc.gov.]
Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): All the data is securely stored in the US East region in a Microsoft Azure Elastic Cloud Environment. The data is encrypted both in transit and at rest. Azure Cloud provides multi-layered, built-in security controls and unique threat intelligence to identify and protect against rapidly evolving threats.
How the data will be encrypted (described in such a manner as to protect data security): All communication between the users and web applications is secured with an SSL layer. All communications between the web application and the database happen on an encrypted channel. The data storage inside the database is encrypted.
Follett School Solutions (for Destiny Solution)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Follett School Solutions, LLC is providing its Destiny Solution to entities within the DOE. The Destiny Solution includes modules such as Library Manager and Resource Manager, which help schools purchase and track library and other school-related resources and information. PII is collected for related reasons, including to, for example, track which students have checked out which books.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Entity selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Microsoft Azure.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Destiny has multiple levels of data security: Session-level authentication—All data access within Destiny is routed through a layer that checks authentication credentials and permissions on each request. User Interface security—The Destiny interface presents different options based on the permissions associated with the users.
The Destiny application does store within its own internal database student/staff demographic data and information regarding the usage of district/school resources (Checkouts, Holds, Fines, Reviews, etc.) by students and staff. Access to this data is restricted to district staff based on configured permissions and access levels. Customers can have Destiny installed locally within the district’s technical environment or hosted by Follett. The data for Destiny is managed/stored in a Microsoft SQL Server database. Follett supports encryption of the data under SQL Server in an optional configuration. The database is protected through Microsoft SQL Server security.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Follow Us
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Follow Us provides elite college, career, academic, and social-emotional learning (SEL) prep for K-12 students, at a non-elite price to ensure ALL students experience a smooth transition between elementary school, middle school, high school, and post-secondary education. Our emphasis is on helping underserved student populations from urban and rural backgrounds to close the postsecondary achievement gap.
We provide a wide range of student support services for schools to choose from. Our programming follows two main pathways, with additional bespoke services for English language learners (ELL) and undocumented students:
- College & Career Readiness, including college application completion, financial aid, SEL workshops, career exploration, financial literacy workshops, and structured mentorship
- Academic Support, including interventional tutoring, SAT / ACT prep, graduation exam prep, and Gifted & Talented (G&T) early-prep programs.
Our services also include parent engagement and professional development (PD) programs.
Based on the insights we have gained from delivering services programming, we have built CarrotPath (https://carrotpath.com/). CarrotPath is a platform designed for schools and organizations that provide support services to underserved students to increase their likelihood of graduating from high school and continuing to higher education. We aim to:
- Help students pursue their goals within an SEL-based foundational context and achieve their personal, academic, financial, and college / career aspirations.
- Help students grasp key financial literacy concepts as they relate to college & career readiness.
- Enable program staff (administrators, program managers, counselors, teachers, etc.) to more effectively engage with their students and to better measure and track the impact of their support.
Follow Us and our CarrotPath platform use student data collected from, or on behalf of, an educational organization to more effectively deliver support services programming to students; to assess and understand individual student needs, goals, and outcomes; and to analyze and track results/impact at the overall program level.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS, Google Cloud Platform, Microsoft Azure, Digital Ocean.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Follow Us only uses software that holds PII that is FERPA compliant. All staff are informed of our data privacy and security policies and trained in how to keep information secure. In addition, we have engaged a technology consultant that reviews our data security systems and provides ongoing security training of staff and monitoring. Any potential breaches or unauthorized attempts to access data we store are quickly reported and responded to by this consultant. The administrative, operational, and technical safeguards in place that protect PII center upon both accessibility to data and data storage. Data is only accessed by employees and/or agents working with the associated program for the duration of the program; afterwards, their access is revoked. Data storage is limited to Follow Us’ Google and/or Dropbox accounts. Furthermore, both the Google and Dropbox accounts used by Follow Us are password-protected. Each user has a unique account with their own password. Employees and key agents that work with PII use either MacBooks or PCs that have the standard security protections that are provided by the manufacturers, Apple and Microsoft, respectively. All laptops require a password to access, and are in the physical possession of these employees and agents.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Foresight Advisory and Consulting
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 7/15/2023 – 7/14/2024; renewal is optional upon request by Queens Academy High School.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Foresight Advisory and Consulting Inc. (referred to as “Foresight”, “we”, “our” and “us”) is contracted to provide the solution, Virtual Administrator, for data analysis for Queens Academy High School (“School”). The Virtual Administrator (“Analysis”) is an Analysis that provides insight into the School's overall performance, specific Cohort information and tracking, as well as the school's standing with respect to the New York State Every Student Succeeds Act Accountability Metrics.
The Virtual Administrator is created by incorporating several reports generated by the School's internal systems including ATS and STARS. The reports will be prepared by a NYC DOE employee designated by the School. Virtual Administrator is then run on a desktop device that is located and owned by the School. The Virtual Administrator tool does not access or require the internet or any network. The analysis is provided to the School and is henceforth wholly owned by the school.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The Virtual Administrator tool is deployed on a NYC DOE device without the need or ability to connect to the internet or networks. Only authorized Foresight personnel are provided access to personal information and these employees have agreed to maintain the confidentiality of this information. The resulting analysis is saved on that same device and the tool does not record or store any data. Foresight ensures the safety of all internal processes with various cyber security solutions such as double encryption software, firewall protection, malware identification with machine learning (ML) and behavior protection software, to name a few. However, the Virtual Administrator tool is administered only on a DOE desktop device and the data is not stored or transferred anywhere else. The Virtual Administrator is encrypted.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “The Virtual Administrator tool uses VBA and Excel macros, all of which have been scanned to ensure that there is no capacity to retain or record data.”
Foundations in Learning (for WordFlight)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Foundations in Learning, LLC provides WordFlight, an assessment/intervention system to help students become fluent readers. Foundations in Learning uses the Enrollment and Performance information collected within WordFlight in order to create a variety of reports and email communications for the students’ teachers in order to inform them of progress and assist them in providing a greater level of targeted assistance and instruction to the student. Depending on the program, we also use the information in order to adjust the program while the student is working within it in order to provide a more effective educational experience for the student. FIL may use de-identified student data for the purpose of improving the services only.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Any sensitive online information is transmitted over secure, encrypted channels via SSL as well as other layers of encryption. All student data are stored on secure servers utilizing encryption and firewall technology and are not publicly accessible. All student performance data is stored in a non-identifiable format. Security audits are continuously performed to ensure data integrity. Access to the hosting environment and encrypted data is currently limited to one employee. This access utilizes AWS authentication with MFA controls. This same employee has received FERPA 101 and 201 trainings, is preparing for the AWS security certification exam, and is generally knowledgeable with security best practices. An incident response plan will be implemented.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
FranklinCovey Education (for Leader in Me)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 1/1/2023 – 12/31/2029
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Leader in Me online is a web-based application that provides resources, professional development, curriculum, and an anonymous survey given to students, staff, and parents to assess the progress of the implementation of our services. Staff are provided logins to the Leader in Me online to access all these resources. High School students are offered 4 courses, either using an LTI integration into your LMS or, if needed, access to our LMS can be provided to students, in which case we would collect student first name, last name, and email address so they can log in and take the courses. We prefer the LTI method so student data stays in your LMS system. This is the only case where we might collect student data. All other data collected is staff data for the Leader in Me online, which consists of first name, last name, and email address, with phone number being optional.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data is stored in a PostgreSQL database using encryption of data at rest and encryption of data in transit. All database traffic is isolated in a private VPN behind a firewall. All web traffic is served over HTTPS, and no user information is available in the public domain. No PII data is transferred and used in any development environments or for any purposes outside of Production servers.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Fuel Education
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 9/1/2023 – 6/30/2030.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Processor provides digital core, world language, and elective content via our proprietary platforms. Processor requests a first name, last name, and email address to create a user profile. The data is required to ensure we know who we’re talking to when contacted for support and provides us with a way to contact a user with password reset requests.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: “Fuel Education LLC will securely delete, obfuscate, de-identify, render unreadable or otherwise destroy PII.”
Challenges to Data Accuracy. “Fuel Education LLC is not the system of record for NYC DOE student/teacher/admin records. NYC DOE administrators will have access to update user data in real-time.”
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. To reduce the risk of unauthorized access, maintain data accuracy, and secure the correct use of information, Fuel Education LLC uses commercially reasonable physical, electronic, and managerial processes and procedures to protect any PII collected by Fuel Education LLC. Fuel Education LLC also uses the Secure Sockets Layer (SSL) protocol on account information and registration pages to protect PII. Fuel Education LLC’s technologies, safeguards and practices align with the NIST Cybersecurity Framework.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
General Audit Tool
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. GAT Labs provides advanced auditing, security, and management tools that help every Google Workspace administrator gain a detailed overview of what's happening in the domain. To provide this service, PII is needed. We collect and store Personally Identifiable Information (PII) metadata that Google provides to us directly from customers' Google Workspace domains so that the administrator can use it for analytical and reporting purposes.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google Cloud Platform.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- The data is encrypted at rest and in transit. Security protections include but are not limited to: firewalls, IDS, 2FA strict requirement, executing penetration tests on an annual basis (via external/independent company), using PoLP (Principle of Least Privilege) in access control, security awareness training for all staff, dedicated trainings for developers, having a secure SDLC in place, quarterly vulnerability management and patch management.
- Internal access control is in place, where all access is on a strictly as needed basis to the database level.
- An alerting system is in place that notifies the entire management team of any potential access to customer metadata.
- The data is retained for 31 days from the license expiration date and then automatically deleted in full.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Geneva Worldwide
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 7/1/2019 – 6/30/2025.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Interpretation services for students and parents, including in person and video remote interpretation, where we access student and parent information such as names.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Boost Lingo Interpreter Intelligence.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Geneva ensures that all safeguards are in place to protect the environment, as well as the physical workstations being used. Below is a list of routine checks that are performed on either a daily, weekly or monthly basis. Most are performed on a daily or weekly basis, specifically the firewall maintenance checks. This is to ensure that all protection and equipment is functioning at top quality. For the programs used for booking interpretation requests, there is a Chief Information Officer who is responsible for the overall security and compliance of systems and software. Their application development also includes reviews, manual testing and automated testing specifically focused on security. This is the platform where any applicable stored information would be located. Information is encrypted at rest and in transit. We also have a security policy in place and have a disclosure plan in place, should information be compromised.
Server Maintenance:
- Check airflow around the server to ensure proper cooling.
- Perform physical checks of the system’s hardware and connections.
- Verify the last backup of the server to ensure data is protected.
- Make sure that IPSec (IP Security) Services are running.
- Verify that virus protection is up to date.
- Monitor system performance to ensure it is running smoothly.
- Monitor system activity to detect any unusual behavior.
- Monitor system hard-drive space to ensure there is enough storage available.
- Monitor system resources, such as RAM (memory) and CPU, to ensure there is enough available.
- Monitor RAID alarms to detect any potential failures.
- Review event and audit logs to detect any issues.
- Visually inspect any hardware for potential failures.
- Check all APC systems to ensure they are functioning properly.
Workstation Maintenance:
- Verify that virus protection is up to date.
- Check for and install any necessary software updates.
- Perform disk cleanup to free up space on the hard drive.
- Defragment the hard drive to improve performance.
- Check for and remove any unnecessary programs or files.
Firewall Maintenance:
- Review firewall security logs to detect any issues.
- Check for and install any necessary software or firmware updates.
- Monitor firewall performance to ensure it is functioning properly.
- Review and update firewall rules as needed.
- Test firewall functionality to ensure it is providing adequate protection.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
GFactor Enterprises
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. We are a SaaS flywheel cloud-based learning management software and digital portfolio system. PII is used to login to our software platform and to link pre- and post-assessment data to student success outcomes.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS via Heroku.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- Administrative Safeguards
  - Employee Selection Process: We conduct thorough background checks and assess the data security competence of potential employees.
  - Data Privacy Training: Regular training sessions are conducted to educate our staff on the importance of data privacy, the specifics of Protected Information, and their responsibilities in safeguarding it.
  - Policy Dissemination: All relevant policies and procedures are readily accessible to staff, ensuring that they are well-informed about our data protection protocols.
  - Performance Monitoring: Regular assessments are conducted to ensure that employees adhere to our data privacy and security policies.
- Operational Safeguards
  - Access Controls: Strict controls are in place to ensure that only authorized personnel have access to Protected Information, and all access is logged for audit purposes.
  - Incident Response Plan: A comprehensive incident response plan is in place, detailing procedures for addressing any security breaches or data privacy incidents.
  - Vendor Management: We rigorously evaluate and monitor third-party vendors to ensure they meet our data security standards.
- Technical Safeguards
  - Encryption: Data is encrypted both in transit and at rest, providing a high level of security against unauthorized access.
  - Network Security: Our network is safeguarded with firewalls, intrusion detection systems, and regular security audits to detect and prevent unauthorized access.
  - Data Integrity: We implement measures to ensure the accuracy and integrity of Protected Information, preventing unauthorized alterations.
  - Regular Software Updates and Patches: We maintain up-to-date software and systems to protect against known vulnerabilities.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Giant Thinking
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 1/2023 – 6/2023
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Giant Thinking will be providing Counseling and Mentoring services. For the purpose of providing services we require the names of participating students.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. “PII (student names) will be stored on a piece of paper that will be given to school staff or shredded immediately after programming.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All Giant Thinking employees will be trained and aware of confidentiality obligations. Paperwork will not leave the building. All paperwork will be given to school staff or shredded immediately after programming.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Gladeo
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The project is piloting the Gladeo FutureReady program, a comprehensive virtual career development course tailored for middle and high school students. Through on-demand video modules, quizzes, and supplementary digital tools on the Gladeo career navigation platform, the program seeks to transform students' career aspirations into actionable goals, emphasizing not just motivation but also the self-concept and motivation needed for career pursuit. The curriculum comprises over 40 hours of instruction covering topics from self-awareness and resilience to technology's role in the job market, including AI's influence. Integrated with a school's SSO and LMS, educators can monitor student engagement and progress. The course aligns with ASCA and state CTE standards and offers flexibility in pacing, allowing students to learn at their convenience. Our program does not traffic student PII other than their name.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS GovCloud, which is FedRAMP compliant.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- Access to PII is limited on a need-to-know basis.
- All systems are password protected, with multi-factor authentication strictly enforced.
- Passwords use NIST-recommended settings for complexity.
- Routine scans are done of the system to find potential vulnerabilities, which are patched or updated as soon as possible.
- All company personnel’s computers have antivirus software installed that also monitors for unsafe website visits and verifies that they are running a currently vendor-supported version of the applicable OS. Alerts are monitored by DevOps teams, and a weekly audit is done to ensure all users are up to date.
- All systems are protected via AWS, including applicable firewalls, intrusion detection, and facility security.
- Regularly scheduled audits ensure hosting software is using the latest patched editions.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Global Kids
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 8/1/2023 – 7/31/2028
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Global Kids will be providing services under its community school contract. This includes but is not limited to attendance improvement, parent engagement, academic enrichment and supports, college and career access programming and social/emotional wellness supports. We will need to access data to support core deliverables of the contract, which include attendance and academic interventions, and fulfilling reporting and evaluative requirements.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft; and using an Entity-owned and/or internally hosted solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Global Kids adheres to the data security and privacy protocols prescribed by its contractors and funders. All data we have access to is primarily accessed through portals made available by funders. In specific instances this data may be transferred and would live on our secure cloud-based network.
Global Kids implements all state, federal, and local data security and privacy contract requirements over the life of its contractual agreements, consistent with NYC DOE’s data security and privacy policy, and specifies the administrative, operational, and technical safeguards and practices Global Kids has in place to protect the Protected Information that it will receive under contracts it is bound to.
- GK uses Microsoft 365 Cloud services for storage of all records.
- In addition, Global Kids saves backup copies of all storage on its on-premises servers, which are in a locked server room with secure access available only to the VP of IT and other approved personnel.
- Remote cameras with movement detection recording and remote access.
- Multiple locations where remote servers are located.
Children’s PII will be collected and disclosed only as necessary to achieve educational purposes in accordance with state and federal law.
- Global Kids implements a stringent password policy.
- All Global Kids data is encrypted while in transit and at rest.
- All authorized Global Kids staff Microsoft accounts with access to PII records are safeguarded with multi-factor authentication (MFA) when accessing data from the Microsoft cloud. MFA consists of either text-based secondary authentication or the Microsoft Authenticator application for entering MFA codes.
Staff members and outside parties who handle children’s PII are trained in applicable laws, policies, and safeguards associated with industry standards and best practices.
PII is permanently and securely deleted no later than when the contract ends.
- Global Kids trains its employees who have access to Protected Information on the federal and state laws governing confidentiality of such data prior to receiving access.
- Global Kids regularly monitors for data security and privacy incidents and has the following plans in place to identify breaches and unauthorized disclosures. Please see the following sections of this Data Security Plan:
- Global Kids does not maintain copies of children’s PII once it is no longer needed for the educational purpose for which the DOE has disclosed it to Global Kids. The data will be returned, deleted, or destroyed by Global Kids when the contract is terminated or expires, as per NYC DOE’s direction.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
GMetrix
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. GMetrix SMS Application – Used for student training, testing, and practice testing. We use student PII (for students we collect: First Name, Last Name, Email Address (optional); for teachers and administrators we collect: First Name, Last Name, Email Address) to keep track of their test progress, content delivery preferences and results. While the GMetrix SMS Application and the Administrator portal are different interfaces, they use the same data store.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. “NYC DOE can request an export of all data at any time. If NYC DOE desires the deletion of the data, that request can be made via the GMetrix Support team, and the data will be purged/anonymized. All PII will be destroyed when the contract is terminated or expires.”
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Azure.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. PII is hosted in the Azure cloud; physical security is reliant on Microsoft. We use Azure Active Directory for authentication and select multi-factor authentication methods (SMS, OTP or push notifications) for additional security. To access PII our employees must authenticate to AAD and successfully complete MFA. Once authenticated, we only authorize select employee accounts access to infrastructure hosting PII based on assigned Azure Role-Based Access Control (RBAC).
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Goalsetter Foundation
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The D18 + Goalsetter Financial Freedom Project Pilot will begin with a launch in April 2023 and conclude in November 2023 engaging a spring and summer cohort of middle school students from schools across the district. In collaboration with each participating school, ~600 students will learn with selected lessons during weekly learning blocks dedicated to personal finance.
Each student and the teacher will have access to Goalsetter Classroom in which they will be able to explore learning modules related to the six National Standards for Personal Finance Education: Earning Income, Spending, Saving, Investing, Managing Credit, and Managing Risk. Students will explore the concepts by navigating through a learning progression in which they will develop a deeper understanding of not only personal finance content knowledge and key concepts, but they will also gain an aptitude for practically applying the skills they’ve been learning.
We look to expand beyond the pilot by Fall 2023 to a scale that accomplishes D18’s financial education goals. Participating in the 2023 pilot, D18 students, their families, and educators will experience the following activities and special offerings detailed below. We are excited to support the D18 community with financial wealth and wellness for all!
Type of PII that the Entity will receive/access: Student PII. GS Classroom: Student: First Name, Last Name, Classroom, Student inputted data (i.e. answers to quizzes, assignments, etc.) Employee: First Name, Last Name, Email address.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and Microsoft Azure.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Goalsetter data policies align to industry best practices and standards for data security and privacy. Goalsetter restricts access to protected information based on its data classification, data protection and data retention policies; segregation of duties; and regular access reviews. Goalsetter does not sell or release personally identifiable information for any commercial purpose. Goalsetter restricts access to confidential information on a least privilege basis. Goalsetter enforces encryption of all personally identifiable information in transit and at rest. Goalsetter ensures that 3rd party contractors and 3rd party vendors that access customer PII adhere to Goalsetter standards as evidenced in our Vendor Management and Acceptable Use Policies.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Goddard Riverside Community Center
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/1/2023 – 6/30/2025
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Learning to Work (LTW) is a high school partnership with EARTHS to support every student in the school to graduate, develop college and career readiness skills, provide paid internship experience, and create meaningful post-secondary plans to support long-term student success. EARTHS is one of the oldest transfer high schools in the city for 16- to 21-year-old students who have fallen behind in credits at previous schools for various reasons, including their needs not being met. The program provides:
- One to one counseling support and advising for students
- Group support through workshops focused on college and career readiness
- Postsecondary exploration
- Paid internships at private and public employers
- Attendance outreach and support including one on one check ins, school wide attendance management, incentives, and ongoing outreach
- Family engagement and community building including outreach, parent teacher conference check ins and translation services
- Student engagement and community building including student council, trips, yearbook, and school wide celebrations
- Collaboration with the school on student recruitment and enrollment, including flyers, tabling, social media, admissions interviews, and new student orientations
Performance Targets:
- Student enrollment
- Student attendance
- Number of students enrolled in LTW
- Amount of LTW intern hours/funds spent
- Number of postsecondary plans created
- Number of graduates
- Number of graduates enrolling in postsecondary options
Accessing PII is necessary as student information is needed to successfully complete the above services. In particular, student information is needed in order to monitor progress toward graduation, help develop effective postsecondary plans, and ensure students are attending school regularly while meeting credit requirements.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Safeguards installed to ensure Personally Identifiable Information (PII) protection include the use of a database system (Grouptrails) for case notes that only the counselors assigned to a student and their supervisors can access with a username and password. Counselors are only privy to their assigned students’ data, and case notes are reviewed by supervisors only. The program director manages staff and student users’ access to this portal. Further, to mitigate privacy and security risks, student records are housed in file cabinets that are always locked, and only authorized persons are granted access when needed to perform work tasks. Moreover, sensitive documents, for example copies of social security cards, are shredded when they do not need to be retained, to prevent identity theft.
Additionally, the organization’s workforce, including employees, students, volunteers, etc., is trained on the federal and state laws governing data privacy and security on an annual basis and as needed. Risk analyses are also conducted at least annually to identify threats to our IT systems, data and other resources and understand their potential impact, enabling the organization to prioritize mitigation efforts, avoid costly business disruptions and data breaches, and comply with regulatory requirements.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
GoGuardian (for GoGuardian Teacher and Pear Deck)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 8/1/2021 – 8/1/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. GoGuardian Teacher is a classroom management solution, helping teachers guide their students while gaining back valuable instructional time. This solution provides teachers with a way to view student online activity during their class sessions. Teachers can support and directly connect with their students. GoGuardian Teacher creates efficiency in instructional workflows and provides a variety of ways to deliver instruction. It is easy to use and it supports different learning environments. The purpose for which PII is received or accessed is to perform and support the services of GoGuardian Teacher.
Pear Deck Slides is our flagship product that converts slide-type content from a number of sources (Google Slides, PowerPoint, internal templates) into an interactive presentation. Pear Deck Vocabulary was designed to transform the way students engage with vocabulary. The teacher creates a file with the vocabulary words and definitions the students need to learn. Students then play the Flashcard Factory game, pairing up and working together to create flashcards with illustrations and example sentences. The app works with Google Apps for Education. The purpose for which PII is received or accessed is to perform and support the services of Pear Deck.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and Google Cloud Platform.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. GoGuardian has administrative, operational and technical safeguards designed to protect Personally Identifiable Information that it receives during the Term, including:
- Administrative Safeguards: Data breach response plan, change management systems, security and privacy awareness training, employee background checks.
- Operational Safeguards: Office security guards, key cards, office surveillance.
- Technical Safeguards: access controls to Personally Identifiable Information, encryption in motion between endpoints via SSL and at rest of Personally Identifiable Information, authentication of desktops and laptops, penetration testing.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Good Shepherd Services
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/1/2015 – 6/30/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. GSS has become recognized as a leader in providing services to off-track youth who have become disconnected from school and community and has worked with the New York City Board of Education (NYC BOE) to develop school models for young people who have not been successful in a traditional high school. As the largest provider of NYC DOE’s Multiple Pathways programs for overage, under-credited high school students, GSS works in partnership with the public education system. GSS transfer schools offer a full-day, year-round academic program that integrates intensive support services and youth development practices with personalized, standards-based instruction. As part of the Accelerated Achievement Model, academic programming is designed to challenge each learner and is implemented in a supportive environment that emphasizes the value of critical thinking skills, personal relationships, and student self-advocacy.
In serving the Young Adult Borough Centers (YABCs), GSS has provided quality programming serving overage and under-credited youth who attend school at night through student support services, youth and leadership development, postsecondary college and career planning, enhanced work readiness skills development, and work-based experience opportunities.
GSS accesses PII to support student attendance, communicate with students and families, track participant progress throughout their time in our programs, and provide students with internship and work opportunities. PII is also used to inform and support programs, continually assess overall program quality, and assess program impact.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. “All data will be destroyed after the contractually agreed upon retention period ends.”
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce and Exponent Case management, as well as Office 365.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All staff go through an extensive clearance and background check process to get hired, as well as to be cleared to work in a DOE building. Once hired, GSS has a confidentiality policy that is part of our Employee Handbook. GSS holds a monthly Employee New Hire training, and new employees are expected to attend the first available session after they begin work. As per our handbook, covered areas include: the policies and procedures of GSS on confidentiality and disclosure of information on program participants; the legal rights of program participants; and the responsibility to abide by organizational and professional ethics.
Our IT department requires staff to train on topics related to data privacy and cybersecurity best practices from multiple perspectives, which includes short monthly trainings that staff complete online. Completion of online trainings is monitored by the IT department, and staff receive regular reminders if they haven’t completed them. Security Awareness training is tested through monthly phishing simulations with corrective training where needed. IT also sends regular email overviews as needed, including instructions on how to properly send emails that contain PII. As per DOE regulations, GSS will make sure all PII is encrypted, both in motion and at rest. Additionally, GSS also has a Data Loss Prevention feature, which flags certain words pertaining to PII and prevents emails from being sent unless encrypted.
Systems that are in contact with PII are protected by multiple layers and systems that have the ability to protect and remediate against attacks on PII, including our contracted security provider Arctic Wolf, which monitors our environment 24x7x365 for malicious activity. We also have an extensive firewall network, which prevents staff from accessing many outside non-work-related websites from agency computers to further avoid any data breaches. There is also a multifactor authentication process that all staff have to go through when logging on to their computers or devices in order to prove their identity.
GSS staff are required to only access PII or participant information from their agency-issued devices, both computers and phones. Staff are also not allowed to access participant PII in busy public spaces, and staff are required to lock all devices, even in workspaces, before stepping away from their computers. Staff also have regular supervision with their supervisors, at least bi-weekly, to go over all things related to their jobs, which includes proper use of data.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Gradecam
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Summative and formative student assessment. We require the following data elements for our product: Student first name, Student last name, Student ID, Class name, Class ID – OPTIONAL, Class period – OPTIONAL, Grade level – OPTIONAL, Term, Student grade, Teacher/Administrator first name, Teacher/Administrator last name, Teacher/Administrator email address, Teacher/Administrator ID – OPTIONAL. The information above is required to assign a grade to a particular student in a class taught by a teacher.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third-party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using an entity-owned and/or internally hosted solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Gradecam servers are hosted within SOC2 compliant data centers and require multiple factors of authentication to gain access to the data center and server cage. The individuals authorized to enter the data centers are very limited, and access is restricted to those responsible for operating the infrastructure. Gradecam also utilizes firewalls and RBAC-based controls to limit the ability to connect to systems housing PII data. All data is encrypted both in transit and at rest using industry standard algorithms. Access to the database systems requires, in addition to a valid username and password, a valid certificate from an internal certificate authority (CA) which is strictly controlled.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Graduation Alliance
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The ENGAGE Attendance Recovery program has been designed to help school districts by stabilizing and improving student attendance and academic performance through outreach to and ongoing academic and social/emotional coaching support for district-referred students who are chronically absent or disengaged.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Salesforce.com, Five9, Microsoft Azure/Power BI.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data is stored and processed at data centers located in the continental United States. Data is encrypted at all times, at rest and in transit. Access to all data is via highly secure credentials using Multi-factor Authentication (MFA) and using a “zero trust” model which verifies all requests as if they originated from a network not controlled by Graduation Alliance. Passwords are strongly encrypted and cannot be known other than by the person who set the password. We perform criminal background checks for all employees. All staff who have direct access to students undergo further security and background checks as required by law in the state where Graduation Alliance provides such services. All staff receive information training upon hire, and periodic updates to their training, no less than annually. Furthermore, staff with elevated access to our technology and systems hold current certificates of completion of the US Department of Education’s FERPA 101 and 201 training courses.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Grand Street Settlement
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 7/1/2022 – 6/30/2025
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Grand Street Settlement, Inc. was founded in 1916 by Rose Gruening to serve the immigrant and low income community of Lower Manhattan. Four decades ago, Grand Street Settlement, Inc. strategically expanded programs to Brooklyn in response to community needs. Across 50+ community centers, schools, and partnership sites, Grand Street's families can access a wealth of programs that provide them with resources and strategies for success: high-quality early education and childcare, safety net support and access to benefits, hands-on afterschool and summer learning, and a vibrant and supportive community for local seniors. www.grandsettlement.org. Information is collected from students to track their progress while participating in the program. Information is also collected from families to verify that they meet program enrollment criteria.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. No PII will be stored or hosted by Entity.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. GSS ensures that all student Protected Information is kept secure by storing / accessing this information solely through DOE managed and hosted systems. Paper documents containing this type of information are stored within a locked cabinet in a locked room, only accessible to individual staff members whose roles require access.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Great Minds PBC
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Great Minds PBC seeks to ensure that all students in America’s public schools, regardless of their circumstances, receive a content-rich education in the full range of the liberal arts and sciences, including English, mathematics, history, the arts, science, and foreign languages. Great Minds does this by working with teachers, scholars, and schools to create curricula and instructional materials, conduct research, and promote policies that support a comprehensive and high-quality education.
The Great Minds Digital Platform may be used by schools, school districts, or teachers in a classroom setting as part of their selected educational curriculum.
Within the Great Minds Digital Platform, teachers have access to curriculum materials, within-application reports and visualizations to help them assess student learning and to assist in planning. Administrative reports and data extracts are also available to district and school admin users. Students may access and complete assessments and other activities their teacher has assigned to them.
Great Minds digital products are hosted by Great Minds in the Amazon Web Services (AWS) cloud, in US-based data centers. Students and teachers access our products through the web browser. Ours is a multi-tenant solution. We ensure isolation of data through secure coding practices, industry-standard claims-based authorization techniques, and routine penetration tests. We support multiple integration options to authenticate and authorize users of our digital products.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities (including any cloud services providers) and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Amazon Web Services.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All data, including customer PII, is encrypted at rest and in transit using industry-standard encryption. Data is stored in AWS (Amazon Web Services) data centers, which have stringent physical security standards in place. More information on the physical security controls in place can be found here: https://aws.amazon.com/compliance/data-center/controls/. We have multiple administrative safeguards in place to protect access to PII. Access to sensitive information is restricted to those with valid business justification for doing so and only on a temporary basis. We also have automated systems in place that scan our infrastructure and our logs for any anomalies that could indicate a security event, as well as looking for potential vulnerabilities. Potential vulnerabilities or security incidents are alerted to our DevOps team via multiple channels and action is taken as appropriate.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
GRM Information Management Services, Inc
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 4/16/2023 – 4/15/2025
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. GRM provides physical storage solutions for physically backed up data that is developed by the NYC DOE. We also provide deliveries of physical data from our storage facilities to the NYC DOE on an as-needed basis. PII is not used or accessed by GRM, but is included in the physical back-ups.
Type of PII that the Entity will receive/access: Student PII. “GRM stores physical copies of data provided by NYC DOE, but has no access to the information.”
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will not share PII with subcontractors, outside persons, or third party entities.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity states: “GRM is unable to access data and cannot make changes.”
Security and Storage Protections. Describe where PII will be stored or hosted. Using an Entity-owned and/or internally hosted solution.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- All physical data is kept in a temperature controlled vault in a secure location
- GRM does not have access to any data, only stores the physical data on behalf of the DOE.
- Access to data is restricted to necessary, authorized personnel only.
- All data is offline and cannot be accessed unless physically retrieved from the vault.
- When data is requested by DOE, GRM follows strict policies for verification of requests and conveyance.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Groundswell Community Mural Project
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 5/15/2021 – 5/14/2026
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Appropriate data is only collected and utilized for the expressed purpose of educational needs in providing the most effective programming to the constituents receiving programming services through Groundswell. Only basic statistical data will be collected and utilized internally by those individuals who are permitted and whose job duties require the data to evaluate overall program performance and development.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third-party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Groundswell Community Mural Project, Inc., together with its IT Service Provider shall investigate and remediate possible network security threats by means of capture, logging, and examination of files, communications, and other traffic and transmissions over or on the network including all student communications and component network activities relevant to the incident or breach.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
GrubEasy Interactive Lab (for FoodNiche-ED)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The PII we are receiving will enable us to provide individual access to our platform to students and also make it possible to put students in their respective categories while using the platform to ensure an optimal experience. The product is a gamified online platform that drives engagement and interest in science education and its application in agriculture and nutrition to improve health outcomes. This platform:
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and using an Entity-owned and/or internally hosted solution. “We created our database using an open source system PostgreSQL, which is where the PII collected is stored. This is secure and only our team has access to it. However, our entire application is stored on Amazon Cloud Service Server.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. We will be using the protocol described earlier in this NDA and listed below:
- Encryption:
  - Data Encryption: Implement encryption for Protected Information both in transit and at rest using industry-standard encryption protocols.
  - Key Management: Secure management of encryption keys to prevent unauthorized access.
- Network Security:
  - Firewalls and Intrusion Detection: Use advanced firewalls, intrusion detection, and prevention systems to monitor and protect our network from unauthorized access.
- Endpoint Security:
  - Antivirus and Anti-malware: Deploy antivirus and anti-malware software on all endpoints to detect and prevent malicious attacks.
- Access Controls and Authentication:
  - Multi-Factor Authentication (MFA): Require multi-factor authentication for accessing systems that store or process Protected Information.
  - Identity and Access Management (IAM): Implement robust IAM systems to manage user identities and control access to Protected Information.
- Monitoring and Logging:
  - Continuous Monitoring: Implement continuous monitoring systems to detect and respond to security incidents promptly.
  - Audit Logs: Maintain detailed audit logs of access and activity involving Protected Information to ensure accountability and traceability.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Happy Numbers
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 8/18/2023 – 6/30/2024
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The data is used to provide the functionality of the services. HappyNumbers.com is a PreK-5 online math supplement. It helps PreK-5 teachers differentiate instruction and deepen students’ conceptual understanding of math. Driven by pedagogy and supported by technology (not vice versa), it’s not a set of electronic worksheets or another “all dancing, all singing” resource. Instead, we teach students to “think math”: students explore the meaning behind the math, building upon simple concepts to create connections and develop deep understanding.
PII is used to provide access to HappyNumbers.com, to administer students’ membership, and to enable users to enjoy Happy Numbers and easily navigate it. PII is also used to monitor student progress in Math at HappyNumbers.com and assign them certain topics for practice.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Google cloud servers.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All the data is stored in isolated VPC Google Cloud Servers, located in the United States. In addition, we use TLS v1.2 to transmit data. To safeguard the data we keep, we use a restricted network, and to access it, we use a regularly updated VPN with encryption. Administrative and Operational Safeguards:
- Minimizing the Use, Collection, and Retention of PII: We only store the minimum information required for the proper functioning of our application. This includes students' first and last names (no students' emails, addresses, etc.), group names, and the names and emails of teachers, as well as the school name. This constitutes nearly all the data we store. We collect minimal information from single sign-on (SSO) systems such as ClassLink and Clever.
- Anonymizing Information: We have a special tool to prepare databases for test and development environments with complete anonymization of PII. Throughout the development lifecycle, developers and QA engineers do not have access to any real personal data.
- Access Enforcement: All employees have their own personal auditable accounts in all our systems. We use Single Sign-On to grant access to all internal systems. The critical applications, such as the admin panel, have RBAC for different access levels.
- Separation of Duties: We adhere to the principle of minimizing access, which means that, for instance, a content manager can access the BI system with de-identified student problem-solving logs, but they do not have access to the admin panel with actual data.
- Least Privilege: We use an RBAC model in our internal systems to grant each employee the minimum level of access they require.
- Remote Access: All types of communication with our servers and systems are encrypted using battle-tested protocols, such as enforced HTTPS with TLS 1.2, SSH, and OpenVPN.
- Auditable Events: We collect all change events in our SSO system and admin panel and store them in a database without making any modifications.
- Protection of Information at Rest: We store our backups in AWS S3 using the pgBackRest tool with AES-256-CBC encryption. Furthermore, our application servers transparently encrypt sensitive personal information, such as students' first and last names, using a symmetric cipher before storing it in an encrypted form in the database.
- Data Backup and Recovery: We continuously back up all production PostgreSQL databases using the pgBackRest tool and retain data for 30 days, including four weekly full backups.
- Change Management: Our infrastructure is entirely managed by Infrastructure as Code (IaC) tools, including a custom in-house CLI tool, Terraform, and Ansible. This means that all changes can be reviewed through standard development procedures and are stored in GitHub.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Heartland Payment Systems (also called Heartland School Solutions)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 7/1/2024 – 7/1/2025
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. MySchoolApps is an online tool that allows parents / guardians of K12 students to apply for meal eligibility. The application requests information to assist NYC DOE to successfully verify student meal eligibility (free & reduced) based on the USDA guidelines. The software supports collecting information to determine eligibility for the two main USDA programs, NSLP and SBP.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor. “MySchoolApps will be hosted by Google Cloud and managed by Heartland.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Consistent with industry standards, Heartland applies PCI DSS guidelines to secure confidential data. As prescribed by the PCI DSS framework, Heartland implements the following initiatives to address data security issues, including access, data storage, privacy and protection. Security Practices:
- Install and keep updated a firewall between the public network and the confidential information.
- Change vendor-supplied passwords that come with network and information processing systems.
- Safeguard the confidential data stored for business purposes or regulatory purposes.
- Encrypt all transmissions of customer data over any public network.
- Maintain antivirus software on all of your computers.
- Develop and maintain secure systems and applications.
- Limit access to the confidential data to as few people as possible on a "need-to-know" basis within your business.
- Identify and authenticate access to system components.
- Restrict physical access to the systems.
- Track and monitor access to network resources and confidential data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Helen Keller International
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 67/1/2023 – 6/30/2025
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Helen Keller International will provide visual acuity screenings, examinations, and eyeglasses to students. Limited PII is required in order to create an individual record of the vision screening and examination results along with the specific eyeglass prescription for each student served by our program and to ensure the proper glasses are provided to them.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS and Clearbuilt Technologies.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. For the screening database application, physical security is the responsibility of Amazon (AWS), and we have reviewed the AWS security/privacy policies, and confirm that they are in alignment with the requirements of the NDA. The security of the application itself is maintained through constant application of our security policies, including timely software updates, strong password policies, encryption of data at rest where possible, code reviews, security-focused development practices, highly limited access to production servers and data, and other best practices for software development security.
Devices used for data capture and reporting are managed under the Helen Keller Intl security systems that include standard and secure device configurations, device/account/password policies, multi-factor authentication, advanced anti-malware protection, mobile device management policies and cyber security and best practices training for staff.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Henry Street Settlement
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Henry Street Settlement will be providing after prosocial enrichment programming services on site to students in DOE community schools. The programs offer a wide range of hands-on academic enrichment, youth development, family engagement, and professional development (PD), aiming to complement school day offerings and provide youth with additional resources that promote self-confidence, a sense of hope, and opportunities and resources that support their future success. Student PII is only used to track attendance in our programs, generate rosters or contact parents and/or guardians.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Microsoft Enterprise platform, including OneDrive storage.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- All physical data is stored in a locked, secure location with limited access.
- All electronic data is stored securely with limited access
- Henry Street Settlement implements technical safeguards including encryption at rest and in-motion, Multi-factor authentication, firewalls and malware protections.
- All staff receive data privacy and security training and are obligated to follow data protection policies outlined in our employee handbook
- A robust incident response plan and policy is in place
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Hidden Gems II (for We Intervene)
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The agreement covers multiple products, services, and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The application, We Intervene, allows schools to share needs assessment survey links with parents and have the survey responses uploaded into the application. The PII information, such as an address, phone number, email address, and student demographic information, is needed to connect families - students and guardians - to resources in the immediate area.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- Security management processes to identify and analyze risks and to implement security measures that reduce those risks.
- Staff training to ensure knowledge of and compliance with policies and procedures
- Information access management to limit access to records to protect information
- User Policies, Access permissions as per the user workflow process and standards
- Access controls to restrict access to authorized personnel only
- Audit controls to monitor activity on systems containing student and parent records
- Integrity controls to prevent improper alteration or destruction of information
- Transmission security measures to protect records when transmitted over an electronic network.
- AWS stores our secured data in storage locations in US regions. They have their storage facilities secured.
- Secured Backup and Storage has been implemented as part of our AWS services
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
High School E-Sports League
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. High School E-Sports League will receive PII in order to provide tournament services to NYC DOE. These tournament services include, but are not limited to, the High School Esports League, the Middle Schools Esports League, and NYC DOE special events. The PII will be used to confirm identity and competitive integrity of the tournaments.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. At Generation Esports, we are committed to ensuring the protection of Personally Identifiable Information (PII) and mitigating data privacy and security risks. Our safeguards are built on a multi-layered approach that includes administrative, technical, and physical measures.
Administrative Safeguards:
- Policies and Procedures: We have established comprehensive data protection policies and procedures, which are reviewed and updated periodically.
- Training: All employees undergo mandatory data privacy and security training, including awareness of their roles and responsibilities in protecting PII.
- Access Control: We follow the principle of least privilege, granting access to PII only to authorized personnel with a legitimate need for the information.
- Third-Party Management: We conduct due diligence on all third-party vendors, ensuring they adhere to strict data privacy and security standards.
Technical Safeguards:
- Data Encryption: PII is encrypted both at rest and in transit, using industry-standard encryption methods.
- Network Security: We use firewalls, intrusion detection, and prevention systems to protect our networks from unauthorized access and potential threats.
- Regular Audits and Vulnerability Assessments: We conduct periodic audits, vulnerability assessments, and penetration testing to identify and address potential risks.
- Secure Development: We adhere to secure coding practices and conduct thorough code reviews to ensure the security of our applications.
Physical Safeguards:
- Access Control: Physical access to our data centers is monitored and controlled by our cloud provider: AWS.
- Surveillance: AWS monitors access to physical hardware housed in data centers.
- Disaster Recovery and Business Continuity: We maintain backups of critical data and systems and have a robust disaster recovery plan in place to ensure business continuity in case of an emergency.
We continuously work to improve our security practices and protocols to protect PII, and we promptly address any identified risks. By implementing this comprehensive approach, we ensure the confidentiality, integrity, and availability of the PII we process, mitigating data privacy and security risks.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Hiperware Labs
Type of Entity: Commercial Enterprise
Contract / Agreement Term: 2/1/2023 – 1/31/2030
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Delivering differentiated math practice to each student individually.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Heroku (Salesforce), IBM (compose.com), Amazon Web Services.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. The physical safeguards are done by cloud providers: Heroku, IBM and Amazon. The administrative safeguards include access limited by role-based security, continuous backup and failover within the cloud providers. The technical safeguards include two-factor authentication, encryption in storage, transit, and communication, as well as of backups.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Hive Class
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Hive Class is a standards-based curriculum aid for use in k-12 schools. PII is used in tracking student progress within the product, and for transparency and accountability tools for teachers.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., AWS; Cloudflare.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Hive Class and its third party partners utilize all required reasonable measures to protect PII, including but not limited to:
- Password protection of the application
- Double factor authentication on all cloud services and devops accounts
- Encryption in motion and at rest of all PII
- Regular review of site admin access permissions
- Regular review of all cloud services account access permissions
- Termination processes in place that include access revocation
- Automated CloudWatch alarms to alert of attacks/breaches
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Home for Little Wanderers
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term:
- Learning to Work: 3/27/2023 - 7/1/2024
- Mental Health services: 7/1/2023 - 6/30/2025
- Community Schools services: 7/1/2015 - 6/30/2025, extended to 6/30/2027
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII.
Learning to Work: Wediko at the Home for Little Wanderers Learning to Work program supports students' work placement internships and post-secondary planning. In order to be eligible for the program, students need to meet and maintain attendance and academic requirements. We access PII in order to track attendance and academic records to both select at-risk students in need of services as well as track progress.
Mental Health services: Wediko at the Home accesses PII in order to track attendance and academic records to both select at-risk students in need of services as well as track progress.
Community Schools services: Through our Community School contracts the Home for Little Wanderers provides supports for students, staff, and families in several schools in NYC. These contracts are designed to support the whole child by supporting them inside and outside the classroom, including family support. The Home places social workers and advocate counselors in the schools to support social emotional needs as well as activity specialists in afterschool to support out of school time. Wediko at the Home accesses PII in order to track attendance and academic records to both select at-risk students in need of services as well as track progress.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. DrCloudEHC.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All PII is tracked in the electronic health care platform DrCloudEHC. Access to this platform is restricted to active Wediko at the Home employees. The system is maintained by our Data Coordinator. This position is responsible for system maintenance and employee access.
- Passwords are changed every 90 days.
- Wediko at the Home uses Multifactor Authentication.
- Active employees have unique log-in IDs and have to re-log-in if inactive for more than 15 minutes.
- Access is blocked after five unsuccessful log-in attempts.
- Employees are prohibited from having PII on their personal hard drives.
- Only the IT Director, IT vendor, and Data Coordinator have the ability to allow access to PII to those employees with proper authorization.
- Work stations shall be configured to prevent unauthorized access to PII. Employees shall turn their monitors away from open spaces or use privacy screens.
- Employees are strongly discouraged from accessing PII in public spaces with limited privacy.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Horizon Prep (also called Horizon Education)
Type of Entity: Private, for-profit educational assessment and curriculum organization.
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. Horizon Education will use this information to allow students and teachers to use the test prep platform for SAT and ACT preparation. Teachers must see their students and their progress reports.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. Amazon Web Services and LINODE.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. Horizon Education implements encryption, strong passwords, software updates, monitoring, regular audits, incident response plan, staff training, compliance with data security regulations, and compliance with NYCDOE’s Parents’ Bill of Rights to protect PII and mitigate data privacy and security risks.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
The Horticultural Society of New York
Type of Entity: Community Based Organization or Not-for-Profit
Contract / Agreement Term: 8/1/2023 – 7/31/2028
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. The Apple Seed program is based on plant science (function and anatomy), environmental science, green infrastructure, outdoor education, natural sciences, lifecycle studies, urban studies and all aspects of science content. The Horticultural Society of New York will have access to students’ names, emergency contact information, and allergens for the purpose of our summer camp programming. This information is necessary for us to have in order to coordinate student pick-up with parents or in the event of an emergency while students are at our programs.
The Greenhouse program is a year-round vocational training and education program for students/participants enrolled in a high school or Treatment Alternatives for Safe Communities (TASC) program. The Horticultural Society of New York will have access to students’ names, date of birth, and booking code from the Department of Corrections through our intake form. The students have the option to provide contact information (phone number, address, email address) on the same form so after the program is complete, we can send them a certificate of completion or a letter of recommendation. It is necessary for us to have this information so we can coordinate with the Department of Corrections while providing services.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e., Matthijssen, Inc.
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks.
- Up-to-date, active firewall technology
- Patch management procedures
- Multi-factor login for privileged access
- Remote access limited to VPN
- Updated anti-virus software active on all computers and networks
- Intrusion detection software
- Valuable/Sensitive data backup procedures
- Procedure to test or audit network security controls
- Locked filing cabinets
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”
Houghton Mifflin Harcourt Publishing Company
Type of Entity: Commercial Enterprise
Contract / Agreement Term: The Agreement covers multiple products, services and/or DOE schools and offices, and so Start and End Dates vary by product, service, and DOE schools and/or offices.
Describe briefly the project/evaluation/research you are conducting or participating in, and/or the commercial product or service you are providing. Describe the purposes for which you are receiving or accessing PII. HMH will use the Protected Information exclusively in accordance [with] NYC DOE’s use of HMH’s products on the following platforms: Ed, ThinkCentral, myHRW, SAM, Amira, Waggle, Writable.
Type of PII that the Entity will receive/access: Student PII.
Subcontractor Written Agreement Requirement. In accordance with New York Education Law 2-d, the Entity may not share PII with subcontractors without a written agreement that requires each of its subcontractors to adhere to, at a minimum, materially similar—and no less protective—data protection obligations imposed on the Entity by the Agreement with the NYC DOE and by applicable state and federal laws and regulations. Vendor selected “The Entity will utilize subcontractors or third party entities and agrees not to share PII unless similar data protection obligations contained herein are imposed on each subcontractor or third party, in compliance with applicable New York State and federal law and using industry standard best practices for data privacy and security.”
Data Transition and Secure Destruction. Upon expiration or termination of the Agreement, the Entity shall: Securely transfer PII to NYC DOE, or a successor contractor at the NYC DOE’s option and written discretion, in a format agreed to by the parties; and securely delete and/or destroy PII. In its agreement with the DOE, this entity has agreed to return and securely delete or destroy PII whenever any of the following occurs first:
- whenever requested by the DOE
- whenever the entity no longer needs the PII to provide services to the DOE
- whenever a DOE school or office ceases use of a product or service of the entity, for the PII that pertains to that school or office
- no later than upon termination of this Agreement
In addition, the entity has agreed that to the extent practicable, it will not retain PII for more than one school year after the school year in which the data was received, unless it is required to retain it for longer by law.
Challenges to Data Accuracy. The Entity agrees to the procedures outlined below: In accordance with N.Y. Education Law 2-d, parents, students, eligible students, teachers, or principals may seek copies of their PII, or seek to challenge the accuracy of PII in the custody or control of the Entity. Typically, they can do so by contacting the NYC DOE using the email address or mailing address below. If a correction to PII is deemed necessary, the Entity agrees to facilitate such corrections within 21 days of receiving the NYC DOE’s written request. The Entity must forward the request to the NYC DOE as soon as practicable in order for the DOE to authenticate the identity of the student or parent, and to advise the Entity on how to process the request. All requests for copies of PII or requests to challenge the accuracy of PII should be directed to the following email address: studentprivacy@schools.nyc.gov or in writing to the Office of the Chief Information Officer, the Division of Instructional and Information Technology, New York City Department of Education, 335 Adams Street, Brooklyn NY 11201.
Security and Storage Protections. Describe where PII will be stored or hosted. Vendor selected “Using a cloud or infrastructure owned tool hosted by a subcontractor; i.e. AWS.”
Describe the administrative, technical and/or physical safeguards to ensure PII will be protected and how the Entity will mitigate data privacy and security risks. All Protected Information will be located in the US. Contractor has implemented and maintains technical, administrative, and physical security controls that are designed to protect the security, confidentiality, and integrity of personal information collected through our learning platforms from unauthorized access, disclosure, use, or modification. Our data management procedures include the following: all user data are encrypted using standard Internet protocols; all user data on our interface are transferred over HTTPS; all user data in transit are protected by TLS 1.2; all user data are housed on a scalable hosting architecture; all user data are stored behind AES-256 encryption algorithms. For additional information, please refer to HMH’s K–12 Learning Platforms Privacy Policy at https://www.hmhco.com/privacy-policy-k12-learning-platforms. Additionally, access to data is based on a least-privileged model, where individuals are only granted the rights necessary to complete their job functions.
Encryption. Pursuant to New York Education Law 2-d, PII must be encrypted while in motion and while at rest. By checking the box below, Entity agrees that PII will be encrypted using industry standard data encryption technology while Protected Information is in motion and at rest. Vendor selected “Entity agrees that PII will be encrypted in motion and at rest using industry-standard data encryption technology.”