Effective Date: January 1, 2025
Last Updated: December 8, 2025
INTRODUCTION
This Data Privacy and Security Plan has been prepared by EDforTech Corp (“EDforTech,” “Provider,” “we,” “us,” or “our”) in compliance with New York Education Law § 2-d and Section 121.6 of the Commissioner’s Regulations. This plan demonstrates our commitment to protecting personally identifiable information (PII) and outlines our alignment with the NIST Cybersecurity Framework v1.1.
Important Note About Our Service Model: EDforTech provides STEM curriculum, educational materials, and professional development services to school districts. We deliver curriculum content through Buzz Agilix, a third-party Learning Management System (LMS). EDforTech does not directly collect, access, or process student personally identifiable information (PII). Teachers access our curriculum through the Buzz Agilix platform for teacher-led instruction. All student data, if any, resides with and is managed by Buzz Agilix under their own data privacy and security protocols.
1. IMPLEMENTATION OF DATA SECURITY AND PRIVACY CONTRACT REQUIREMENTS
EDforTech will implement all applicable data security and privacy requirements over the life of the contract through the following mechanisms:
1.1 Contract Compliance Framework
• Annual review of contract terms and regulatory requirements with legal counsel
• Quarterly internal audits of data handling practices
• Documented procedures for contract compliance monitoring
• Designated Data Privacy Officer responsible for oversight
1.2 Subprocessor Management
EDforTech utilizes Buzz Agilix as our LMS platform subprocessor. We ensure:
• Written agreements with Buzz Agilix requiring compliance with FERPA, COPPA, and NY Education Law § 2-d
• Annual certification from Buzz Agilix of their data security practices
• Review of Buzz Agilix’s privacy policies and security certifications
• Verification that Buzz Agilix maintains appropriate data protection measures
1.3 Ongoing Compliance Activities
• Immediate notification to LEAs of any material changes to data practices
• Regular updates to this Data Privacy and Security Plan as regulations evolve
• Participation in available cybersecurity frameworks and assessments
• Continuous monitoring of federal and state education privacy law developments
2. ADMINISTRATIVE, OPERATIONAL, AND TECHNICAL SAFEGUARDS
2.1 Administrative Safeguards
• Designated Data Privacy Officer with oversight authority
• Written information security policies reviewed annually
• Risk assessment procedures conducted at least annually
• Incident response plan with defined roles and responsibilities
• Background checks for employees with potential access to educational data
• Confidentiality agreements required for all employees and contractors
2.2 Operational Safeguards
• Role-based access controls limiting data access to authorized personnel only
• Multi-factor authentication for all systems containing sensitive information
• Regular access reviews and prompt deprovisioning of terminated employees
• Physical security controls at business premises (locked facilities, visitor logs)
• Secure disposal procedures for physical documents containing sensitive information
• Clean desk policy and screen-locking requirements
2.3 Technical Safeguards
• Industry-standard encryption for data in transit (TLS 1.2 or higher)
• Encryption for data at rest where applicable
• Regular security patches and updates for all systems
• Firewalls and intrusion detection/prevention systems
• Antivirus and anti-malware software on all company devices
• Regular vulnerability scanning and penetration testing
• Secure backup procedures with encrypted storage
• Network segmentation and access controls
2.4 Subprocessor Requirements
We require Buzz Agilix to maintain equivalent or superior safeguards including:
• SOC 2 Type II or equivalent security certification
• FERPA and COPPA compliance attestation
• Data encryption in transit and at rest
• Regular third-party security audits
• Incident response capabilities with notification procedures
3. EMPLOYEE AND SUBCONTRACTOR TRAINING
3.1 Initial Training
All new employees and contractors receive comprehensive training on:
• FERPA requirements and obligations
• COPPA compliance for services used by children under 13
• New York Education Law § 2-d requirements
• EDforTech data privacy policies and procedures
• Recognizing and reporting security incidents
• Proper handling of confidential information
• Secure password practices and multi-factor authentication
3.2 Ongoing Training
• Annual refresher training on data privacy and security
• Quarterly security awareness updates and phishing simulations
• Immediate training on new regulatory requirements or policy changes
• Role-specific training for employees with data handling responsibilities
• Documentation of all training completion maintained for audit purposes
3.3 Subcontractor Training Requirements
We require Buzz Agilix to provide evidence of:
• Employee training on FERPA, COPPA, and state privacy laws
• Security awareness training programs
• Regular updates on education data privacy best practices
• Training completion tracking and certification
4. CONTRACTING PROCESSES AND WRITTEN AGREEMENTS
4.1 Employee Agreements
All employees are bound by:
• Confidentiality and non-disclosure agreements signed upon hiring
• Employee handbook acknowledging data privacy and security policies
• Acceptable use policies for company systems and data
• Written acknowledgment of responsibility for protecting confidential information
• Ongoing obligation to comply with contract requirements and privacy laws
4.2 Subcontractor Agreements
Our agreement with Buzz Agilix includes:
• Requirements to comply with all applicable privacy laws and regulations
• Obligation to maintain industry-standard security measures
• Prohibition on unauthorized use or disclosure of any educational data
• Right to audit subcontractor’s compliance with data protection requirements
• Requirement for prompt notification of security incidents
• Data return and deletion obligations upon contract termination
• Flow-down provisions ensuring these requirements apply to any sub-subcontractors
5. DATA SECURITY AND PRIVACY INCIDENT MANAGEMENT
5.1 Incident Identification
We maintain procedures to identify potential breaches through:
• Continuous monitoring of system access logs and anomalous activities
• Intrusion detection systems with alerting capabilities
• Employee reporting mechanisms for suspected incidents
• Regular vulnerability assessments and security audits
• Monitoring of subprocessor (Buzz Agilix) security notifications
5.2 Incident Response Procedures
Upon discovery or notification of a potential incident:
• Immediate activation of incident response team
• Containment actions to limit exposure and prevent further unauthorized access
• Forensic investigation to determine scope, cause, and impact
• Documentation of all incident details, timeline, and response actions
• Coordination with law enforcement if criminal activity is suspected
5.3 Notification Obligations
EDforTech will provide notification to the Educational Agency within 72 hours of confirming an incident, including:
• Date of the breach or estimated date range
• Types of information potentially compromised
• Number of individuals potentially affected (if determinable)
• Description of incident circumstances
• Containment and remediation measures taken
• Resources available to affected individuals
• Contact information for EDforTech’s incident response coordinator
5.4 Remediation and Recovery
• Implementation of corrective measures to prevent recurrence
• Post-incident review and lessons learned documentation
• Updates to security controls and procedures as needed
• Ongoing monitoring for related suspicious activity
• Cooperation with Educational Agency and regulatory investigations
6. DATA TRANSITION PROCEDURES
Given EDforTech’s service model where we provide curriculum content through the Buzz Agilix LMS platform:
6.1 EDforTech Curriculum Content
• Curriculum materials provided by EDforTech remain accessible to the LEA through their Buzz Agilix instance
• Upon contract termination, EDforTech will coordinate with the LEA to ensure continued access to purchased curriculum materials
• LEAs may export or download curriculum content according to their agreement with Buzz Agilix
6.2 Student Data (If Any)
As EDforTech does not directly collect or store student PII:
• Any student data resides with Buzz Agilix, not EDforTech
• LEAs should follow Buzz Agilix’s data transition procedures for student information
• EDforTech will cooperate with reasonable requests to facilitate data transfer from Buzz Agilix to the LEA or another system
6.3 Transition Timeline
• Upon written request, EDforTech will provide data transition assistance within 90 days
• Format and method of data transfer will be agreed upon by both parties
• EDforTech will document all data transitions for audit purposes
7. SECURE DESTRUCTION PRACTICES AND CERTIFICATION
7.1 Data Retention and Destruction
EDforTech maintains the following practices:
• No retention of student PII beyond what is necessary for providing services
• Deletion of any incidentally collected information within 30 days
• Coordination with Buzz Agilix to ensure proper data destruction upon contract termination
• Secure deletion using industry-standard methods (NIST 800-88 guidelines)
7.2 Destruction Methods
Digital Data:
• Cryptographic erasure for encrypted data
• Overwriting data storage media multiple times
• Physical destruction of storage media when appropriate
• Verification that data cannot be recovered
Physical Records:
• Cross-cut shredding of paper documents
• Use of certified document destruction services
• Certificates of destruction maintained for audit trail
7.3 Certification Process
Upon completion of data destruction, EDforTech will provide the LEA with:
• Written certification of data destruction
• Description of destruction method used
• Date of destruction
• Confirmation that data has been rendered unrecoverable
• For Buzz Agilix-held data, we will obtain and forward their destruction certification
8. ALIGNMENT WITH EDUCATIONAL AGENCY POLICIES
EDforTech aligns with Educational Agency policies through:
8.1 Policy Review and Compliance
• Review of each LEA’s Data Security and Privacy Policy and Parents’ Bill of Rights
• Adaptation of service delivery to meet specific LEA requirements
• Regular communication with LEA data privacy officers
• Participation in LEA-requested audits or compliance reviews
8.2 Specific Compliance Areas
• Adherence to LEA data retention and destruction schedules
• Compliance with LEA-specified security standards
• Respect for parental rights regarding student information
• Support for LEA transparency requirements
• Cooperation with LEA incident response procedures
8.3 Ongoing Coordination
• Quarterly check-ins with LEA data privacy contacts (when requested)
• Immediate notification of any policy or practice changes
• Participation in LEA data governance committee meetings (when invited)
• Annual attestation of compliance with LEA policies
9. NIST CYBERSECURITY FRAMEWORK V1.1 ALIGNMENT
EDforTech’s data security and privacy program materially aligns with the NIST Cybersecurity Framework v1.1. The following table details our alignment with each framework category:
| Function | Category | EDforTech Response |
| --- | --- | --- |
| IDENTIFY | Asset Management (ID.AM): Data, personnel, devices, systems, and facilities managed consistent with organizational objectives | • Maintain comprehensive inventory of hardware and software assets • Document curriculum content and its storage locations • Track employee roles and system access permissions • Identify all systems that may process educational data • Review and update asset inventory quarterly • Coordinate with Buzz Agilix to understand their asset management practices |
| IDENTIFY | Business Environment (ID.BE): Mission, objectives, and stakeholders understood and prioritized | • Primary mission: Provide STEM curriculum and professional development • Stakeholders: K-12 schools, teachers, students, parents • Service delivery model documented and communicated • Organizational structure with clear data protection responsibilities • Understanding that student privacy is paramount to educational mission |
| IDENTIFY | Governance (ID.GV): Policies and processes to manage regulatory and operational requirements | • Written information security policies approved by executive leadership • Compliance with FERPA, COPPA, NY Education Law § 2-d, and other applicable regulations • Data Privacy Officer designated with authority and resources • Regular policy reviews and updates (at least annually) • Board oversight of privacy and security matters • Legal counsel review of data protection practices |
| IDENTIFY | Risk Assessment (ID.RA): Cybersecurity risks to operations, assets, and individuals understood | • Annual risk assessments conducted by qualified personnel • Identification of threats and vulnerabilities to systems • Assessment of potential impact to educational data • Documentation of risk findings and mitigation strategies • Evaluation of subprocessor (Buzz Agilix) security posture • Regular threat intelligence monitoring for education sector |
| IDENTIFY | Risk Management Strategy (ID.RM): Priorities and tolerances established for operational risk decisions | • Risk tolerance levels defined and approved by leadership • Prioritization framework for addressing identified risks • Resource allocation decisions informed by risk assessment • Risk mitigation strategies documented and tracked • Acceptance criteria for residual risks • Continuous improvement approach to risk management |
| PROTECT | Identity Management & Access Control (PR.AC): Access to assets limited to authorized users and managed based on risk | • Role-based access control (RBAC) implemented • Multi-factor authentication required for all system access • Least privilege principle enforced • Regular access reviews and recertification • Immediate deprovisioning upon employee termination • Physical access controls at business facilities • Secure authentication credentials management • Remote access through VPN only |
| PROTECT | Awareness and Training (PR.AT): Personnel provided cybersecurity awareness education and training | • Mandatory privacy and security training for all employees • Initial training upon hire covering FERPA, COPPA, and data protection • Annual refresher training required • Quarterly security awareness updates • Phishing simulation exercises conducted regularly • Role-specific training for staff with data access • Training completion tracked and documented • Ongoing education about emerging threats |
| PROTECT | Data Security (PR.DS): Information managed to protect confidentiality, integrity, and availability | • Encryption in transit using TLS 1.2 or higher • Encryption at rest for sensitive data • Data classification scheme implemented • Secure data backup procedures with encryption • Data loss prevention measures • Network segmentation to isolate systems • Regular integrity verification of critical data • Coordination with Buzz Agilix for data security |
| PROTECT | Information Protection Processes (PR.IP): Security policies and procedures maintained and used | • Comprehensive information security policy suite • Incident response plan with defined procedures • Disaster recovery and business continuity plans • Change management procedures for systems • Configuration management and baseline security standards • Vulnerability management program • Regular policy review and update process • Executive management commitment and oversight |
| PROTECT | Maintenance (PR.MA): System maintenance and repairs performed per policies | • Scheduled maintenance windows with LEA notification • Patch management program for timely security updates • Preventive maintenance procedures • Secure disposal of hardware containing data • Vendor maintenance performed under supervision • Maintenance logs and documentation maintained • Testing of maintenance changes before production deployment |
| PROTECT | Protective Technology (PR.PT): Technical security solutions managed for system security and resilience | • Firewalls deployed at network perimeter and internally • Intrusion detection/prevention systems (IDS/IPS) in place • Anti-malware software on all endpoints • Email security and spam filtering • Web content filtering for malicious sites • Automated security monitoring and alerting • Regular vulnerability scanning • Security information and event management (SIEM) logging |
| DETECT | Anomalies and Events (DE.AE): Anomalous activity detected and potential impact understood | • Baseline network activity established • Anomaly detection systems monitor for unusual patterns • Automated alerting for suspicious activities • User behavior analytics for insider threat detection • Analysis of detected anomalies to determine severity • Correlation of events across multiple systems • Documented escalation procedures for anomalies |
| DETECT | Security Continuous Monitoring (DE.CM): Systems monitored to identify cybersecurity events | • 24/7 monitoring of critical systems and networks • Real-time log aggregation and analysis • Monitoring of physical access to facilities • Network traffic analysis and inspection • System file integrity monitoring • External vulnerability scanning services • Monitoring of subprocessor (Buzz Agilix) security notifications • Regular review of monitoring effectiveness |
| DETECT | Detection Processes (DE.DP): Detection processes maintained and tested for awareness of events | • Detection processes documented and regularly updated • Testing of detection capabilities (at least annually) • Tabletop exercises for incident scenarios • Communication procedures for detected events • Roles and responsibilities clearly defined • Detection system tuning to reduce false positives • Coordination with Buzz Agilix for their detection capabilities |
| RESPOND | Response Planning (RS.RP): Response processes executed and maintained for detected incidents | • Documented incident response plan reviewed annually • Incident response team identified with defined roles • Response procedures for various incident types • Integration with business continuity planning • Regular testing and updates of response plans • Coordination procedures with LEAs and law enforcement • Lessons learned process after incidents |
| RESPOND | Communications (RS.CO): Response activities coordinated with stakeholders | • LEA notification within 72 hours of confirmed incident • Communication templates for various scenarios • Designated incident communications coordinator • Coordination with law enforcement when appropriate • Public relations strategy for significant incidents • Information sharing protocols established • Regular status updates to affected parties |
| RESPOND | Analysis (RS.AN): Analysis conducted to ensure effective response | • Forensic analysis capabilities (internal or contracted) • Root cause analysis for all incidents • Impact assessment methodologies • Evidence preservation procedures • Documentation of analysis findings • Categorization and prioritization of incidents • Trend analysis to identify systemic issues |
| RESPOND | Mitigation (RS.MI): Activities performed to prevent event expansion and resolve incidents | • Containment strategies to limit incident impact • Isolation of affected systems when necessary • Temporary account suspension capabilities • Patch deployment for exploited vulnerabilities • Eradication of malware or unauthorized access • Network filtering and blocking of malicious traffic • Coordination with Buzz Agilix for their systems |
| RESPOND | Improvements (RS.IM): Response activities improved by incorporating lessons learned | • Post-incident review for all significant events • Documentation of lessons learned • Update of response procedures based on experience • Implementation of corrective actions • Sharing of lessons learned with staff • Regular review of response effectiveness • Continuous improvement of detection capabilities |
| RECOVER | Recovery Planning (RC.RP): Recovery processes executed and maintained for system restoration | • Business continuity and disaster recovery plans • Recovery time objectives (RTO) and recovery point objectives (RPO) defined • Backup and restoration procedures tested regularly • Alternative processing arrangements when needed • Coordination with Buzz Agilix for LMS recovery • Critical function prioritization for recovery • Regular testing of recovery procedures |
| RECOVER | Improvements (RC.IM): Recovery planning improved by incorporating lessons learned | • Post-recovery analysis and documentation • Updates to recovery plans based on test results • Incorporation of incident lessons learned • Regular review of recovery strategies • Technology improvements for faster recovery • Training updates based on recovery experiences |
| RECOVER | Communications (RC.CO): Restoration activities coordinated with internal and external parties | • Communication plan for recovery activities • Status updates to LEAs during recovery • Coordination with Buzz Agilix and other vendors • Public communications if required • Internal communications to staff • Documentation of restoration activities • Notification of successful recovery completion |
CONCLUSION
EDforTech is committed to maintaining the highest standards of data privacy and security in our provision of STEM curriculum and educational services. This Data Privacy and Security Plan demonstrates our alignment with the NIST Cybersecurity Framework v1.1 and our comprehensive approach to protecting educational data.
Given our service delivery model through the Buzz Agilix LMS platform, we recognize the importance of maintaining strong oversight of our subprocessor relationships and ensuring that all parties involved in service delivery maintain appropriate data protection measures.
We welcome questions about this plan and encourage Educational Agencies to contact us for clarification or additional information.
CONTACT INFORMATION
EDforTech Corp, 555 Conger St, Eugene, OR 97402
Data Privacy Officer Contact:
Email: privacy@edfortech.com
General Support:
Email: support@exploringrobotics.com
Phone: 760-650-2687
This Data Privacy and Security Plan will be reviewed and updated at least annually or as needed to reflect changes in our services, technology, or applicable regulations.