New York Parents Bill of Rights.

Statutory basis

New York Education Law § 2-d and the regulations of the Commissioner of Education (8 NYCRR Part 121) require that every third-party contractor receiving personally identifiable information (PII) from a New York educational agency provide a Parents Bill of Rights for Data Privacy and Security. This page is that document. It supplements the Data Processing Addendum; if there is any conflict between this addendum and the DPA for New York operators, this addendum governs.

Definitions

For purposes of this Bill of Rights:

• Educational agency means a New York school district, board of cooperative educational services, charter school, or other entity defined in NY Ed Law § 2-d(1)(c). For independent microschools and learning pods serving New York families, the term refers to the school operator entering this addendum.
• PII means personally identifiable information from student records, as defined in 8 NYCRR § 121.1(o), and includes any teacher or principal APPR data the educational agency provides.
• CohortLedger refers to the software product operated by Ravencord Inc., a Delaware C-corporation.

Parents’ rights under NY Ed Law § 2-d

A parent (or, where applicable, an eligible student) of a student whose PII is processed through CohortLedger by a New York school is entitled to the following rights:

1. A student’s PII cannot be sold or released for any commercial purpose.
2. The parent has the right to inspect and review the complete contents of their child’s education record stored or processed by CohortLedger. Requests are submitted to the school, which routes them to CohortLedger’s support team for fulfillment within the school’s response window.
3. State, federal, and local laws (including FERPA) protect the confidentiality of PII. CohortLedger maintains administrative, technical, and physical safeguards designed to satisfy NIST Cybersecurity Framework controls applicable to small-scale K-12 service providers.
4. A complete list of all student data elements collected by the New York State Education Department is available for public review at nysed.gov/data-privacy-security and from the school’s data protection officer.
5. Parents have the right to have complaints about possible breaches of student data addressed. Complaints should be directed to the school’s data protection officer in the first instance, and may also be directed to the NYS Chief Privacy Officer at the New York State Education Department, privacy@nysed.gov.

Supplemental information required by 8 NYCRR § 121.3

1. Exclusive purposes

CohortLedger will use PII transferred from the New York educational agency solely for the purposes of providing the contracted services: enrollment, family billing, attendance tracking, compliance recordkeeping, quarterly invoicing, and audit-packet generation. PII will not be used for any other purpose, including advertising, commercial marketing, or model training.

2. Subcontractors and oversight

CohortLedger uses the subprocessors listed at cohortledger.com/subprocessors. Each subprocessor is bound by data protection obligations no less protective than those imposed on CohortLedger by this addendum. CohortLedger remains responsible for the acts and omissions of its subprocessors with respect to PII.

3. Contract term and data destruction

On expiration or termination of the contract between CohortLedger and the New York educational agency, CohortLedger will return or securely destroy PII within ninety (90) days, except where the educational agency requests extended retention in writing or where applicable law requires longer retention. A written certificate of destruction will be provided to the educational agency on request.

4. Parent challenge to data accuracy

A parent who believes that information about their child held in CohortLedger is inaccurate may request a correction through the school. The school will review the request, instruct CohortLedger to correct or annotate the record as appropriate, and notify the parent of the outcome.

5. Where PII is stored and how it is protected

PII is stored in the United States within infrastructure operated by the subprocessors listed at cohortledger.com/subprocessors. All PII is encrypted in transit (TLS 1.2 or higher) and encrypted at rest in the production database. Production access is restricted to a small number of authorized Ravencord personnel through audited role-based access controls.

6. Breach notification

CohortLedger will notify the New York educational agency in writing of any confirmed breach of PII within seventy-two (72) hours of confirmation, and will provide all information reasonably necessary for the agency to satisfy its own statutory notification obligations under NY Ed Law § 2-d.

7. Data Protection Officer of CohortLedger

The Ravencord Inc. point of contact for matters under NY Ed Law § 2-d is:

Privacy & Data Protection
Ravencord Inc.
Brentwood, Tennessee, United States
privacy@cohortledger.com

Signature

For schools that need a signed counterpart of this addendum, email legal@cohortledger.com with the school’s legal name and the name of the data protection officer who will sign. We will return a counter-signed PDF within two business days.