Data Security and Privacy Plan

Last updated: May 15, 2026

Aligned with New York Education Law §2-d · Part 121 of the Commissioner's Regulations

This Data Security and Privacy Plan (the “Plan”) describes the practices Manage1to1 uses to protect personally identifiable information (PII) entrusted to us by school districts and educational agencies. The Plan is incorporated by reference into every Student Data Privacy Agreement (SDPA) and Data Processing Agreement (DPA) we sign with school districts.

The Plan covers the seven elements required under New York State Education Department regulations at 8 NYCRR Part 121 and the comparable elements in other state student-privacy laws. Districts using Manage1to1 outside New York can rely on the same Plan — the controls described below apply uniformly across our customer base.

Where this Plan references underlying technical controls in detail, we link to the relevant section of our Security & Compliance page or the Privacy Policy.

1. Alignment with the NIST Cybersecurity Framework

Manage1to1's security controls map to the National Institute of Standards and Technology Cybersecurity Framework, version 1.1 (the “NIST CSF”), across its five core functions: Identify, Protect, Detect, Respond, and Recover. This is the cybersecurity framework CISA recommends for K-12 districts and the framework expressly named in 8 NYCRR §121.3.

We also use the Center for Internet Security (CIS) Critical Security Controls to translate the CSF into prioritized, actionable safeguards. The CIS K-12 sector guide informs how we prioritize remediation work for school-district customers.

Specific control implementations — encryption, access controls, monitoring, personnel — are described in our Security & Compliance page.

2. Workforce training and background checks

All Manage1to1 employees with access to district or student PII complete annual privacy and data-security training covering FERPA, COPPA, PPRA, NY Ed Law §2-d, and Manage1to1's own data-handling policies. Training is required at the start of employment and renewed annually thereafter.

All Manage1to1 employees undergo a background check at the start of employment, with subsequent checks performed regularly. Access to systems containing district data is granted on a strict need-to-know basis and is governed by role-based access controls with multi-factor authentication.

Every Manage1to1 employee is also a former K-12 school district staff member. The personnel handling district data have direct, first-hand understanding of what is at stake.

3. Subprocessors and third-party data recipients

Manage1to1 engages a small number of subprocessors to deliver the service. Each subprocessor is contractually bound to confidentiality, encryption-in-transit-and-at-rest, breach-notification, and data-handling obligations consistent with those Manage1to1 owes the district.

The categories of subprocessors are:

  • Certified cloud hosting infrastructure — primary hosting for the application and district data. Facilities hold SOC 2 (Type II), PCI Merchant, CSA Star Level 1, and ISO/IEC 27001:2022 certifications.
  • Encrypted object storage at a certified cloud provider — used for ticket attachments and general file uploads only. Encrypted at rest. Not used for roster, SIS, or other student-identifying data.
  • Transactional email delivery — used to deliver invoice notifications, password resets, and ticket replies. Provider holds SOC 2 Type II certification.

A complete subprocessor list, including specific vendor names, is provided to districts as an attachment to the SDPA / DPA or on written request to info@manage1to1.com. We do not publish vendor names on this Plan in order to limit unnecessary disclosure of infrastructure detail.

4. District-authorized integrations (not Manage1to1 subprocessors)

Districts may authorize Manage1to1 to integrate with third-party services the district itself contracts with. In these cases the district holds the underlying vendor contract; Manage1to1 acts only at the district's direction. These vendors are not Manage1to1 subprocessors, but they are documented here so the data flow is fully transparent:

  • Mobile Device Management vendors — JAMF Pro, JAMF School, Google Workspace (Chrome Device Console), and Apple School Manager. The district owns the MDM relationship; Manage1to1 syncs device data from the MDM into the platform with district authorization.
  • Student Information System / OneRoster rostering — including ClassLink. The district holds the contract with the rostering vendor; Manage1to1 receives the roster sync the district authorizes.
  • Payment processors for online invoice payment — including Vanco / ConnexPoint and PayPal. When a district enables online invoice payment, the district holds the merchant account; Manage1to1 routes payment requests to that merchant account on the district's behalf.

5. Data transition at contract end

For a period of thirty (30) days following the termination or expiration of a district's agreement with Manage1to1, all district data — including student-identifying data — remains available for full export to standard formats (CSV and similar). Districts may self-serve the export through the Manage1to1 application, or request administrator-assisted export by emailing support@manage1to1.com.

Export covers district records (users, devices, incidents, tickets, invoices, custom fields, and attachments) and the audit metadata associated with each. Districts are responsible for ensuring the export is completed within the 30-day window; extension may be granted in writing upon request.

6. Secure deletion of district data

After the 30-day export window described above, all district data — including student-identifying data — is securely deleted from production servers, off-site backups, and operational databases on a schedule that meets industry best practice for secure media sanitization.

Upon written request to info@manage1to1.com, Manage1to1 will provide the district with written confirmation that deletion has been completed, identifying the date deletion occurred and the systems from which data has been removed.

7. Encryption, access controls, and security protections

Encryption in transit. All district data in transit is encrypted using TLS 1.3 for every connection to manage1to1.com, the Parent Portal, the staff application, and every integration endpoint. Older versions of TLS are blocked.

Encryption at rest. All district data at rest is encrypted using full-disk and database-level encryption.

Access controls. Multi-factor authentication is required for administrative access to systems containing district data. Role-based access controls (RBAC) limit access to authorized Manage1to1 personnel on a strict need-to-know basis. SSO via Google Workspace, Microsoft 365, or ClassLink is supported for district sign-in.

Infrastructure monitoring. Automated vulnerability scanning runs continuously against the platform and its infrastructure. Third-party uptime and availability monitoring provides an independent observer for availability incidents.

Physical security. Physical access to data equipment, backup equipment, and servers is restricted to engineers and hardware personnel with an expressed, documented need to access. Hosting facilities hold SOC 2+, PCI Merchant, CSA Star Level 1, and ISO/IEC 27001:2022 certifications.

8. Breach protection and notification

In the event of a confirmed or suspected unauthorized access to, acquisition of, use of, or disclosure of district or student data that compromises the security, confidentiality, or integrity of that data, Manage1to1 will notify the affected school or district without unreasonable delay — and in no event later than seventy-two (72) hours after discovery.

Notification will be provided in writing to the contact(s) designated in the district's SDPA or DPA, and will include the nature and timing of the incident, the categories of data involved, and the remediation steps Manage1to1 has taken or is taking. Manage1to1 will cooperate fully with the district's investigation and remediation, including supporting the district's own notification obligations under FERPA, NY Ed Law §2-d, and other applicable laws.

9. Parents Bill of Rights for Data Privacy

Manage1to1 publishes a Parents Bill of Rights for Data Privacy and Security in alignment with NY Ed Law §2-d. The Bill of Rights describes parents' rights with respect to their child's personally identifiable information, including the right to inspect and review education records, the right to be free from commercial use of student data, and the right to file complaints about possible breaches of privacy.

The full Parents Bill of Rights, including Manage1to1-specific supplemental information about how PII is used, stored, and protected, is available at /parents-bill-of-rights/.

10. State-specific compliance

Manage1to1 complies with the federal foundation (FERPA, COPPA, PPRA) and the state-specific student-privacy laws listed below. This Plan is structured around the most prescriptive of these (New York Education Law §2-d), so the controls described satisfy the substantive requirements of each state law. Districts in states not listed can rely on the same Plan; if your state has additional requirements you need addressed, contact info@manage1to1.com.

| State | Law / Regulation | How Manage1to1 complies |
|---|---|---|
| New York | Ed Law §2-d & 8 NYCRR Part 121 | This Plan is structured around Part 121's seven required elements. Parents Bill of Rights published at /parents-bill-of-rights/. |
| Connecticut | Public Act 16-189 (as amended by PA 18-125) | Reasonable security procedures and practices in place. Our Parents Bill of Rights satisfies CT's comparable parent-notice requirements; we sign Connecticut's standard student data privacy agreement. |
| Illinois | SOPPA (105 ILCS 85) | Written agreement with each district, prohibition on targeted advertising and profile creation for non-educational purposes, breach reporting consistent with ISBE requirements, and no sale of student data. |
| California | SOPIPA (BPC §22584) & AB 1584 | No targeted advertising, no profile creation for non-educational purposes, no sale of student data, and deletion at district direction. Written agreement requirements satisfied through the SaaS Agreement. |
| Colorado | Student Data Transparency and Security Act (HB-1294) | Districts may list Manage1to1 on their published online educational service provider list. Highly sensitive student information protections in place. |
| Florida | §1006.52 F.S. (Student Online Personal Information Protection Act) | Restrictions on student data use mirror SOPIPA — operator obligations satisfied. Manage1to1 is itself Florida-based. |
| Texas | TEC §32.151 | Operator restrictions on use, sale, and disclosure of covered information satisfied across the platform. |
| All states | FERPA, COPPA, PPRA | Federal foundation. See /privacy-policy/ for full disclosures. |

This list is not exhaustive — additional state student-privacy laws (TN, UT, ME, NH, etc.) impose comparable operator obligations that are satisfied by the controls described in this Plan. Districts in those states should request the Manage1to1 SDPA / DPA for their state-specific addenda.

11. Supplemental information

Exclusive purposes for which PII will be used. District and student PII processed by Manage1to1 is used solely to provide the K-12 device management, help desk, asset tracking, incident management, invoicing, and reporting services authorized by the district under its SaaS Agreement. PII is never sold, shared, licensed, or commercially exploited for any other purpose, and is never used for targeted advertising.

Duration of the contract. The duration of any individual district's engagement is specified in the underlying SaaS Agreement. The 30-day export window and subsequent secure-deletion timeline described above apply from the date of termination or expiration.

Where data will be stored. District data is stored in certified cloud hosting infrastructure within the United States. Specific facility names are disclosed to districts under the SDPA / DPA on request.

How parents may challenge accuracy. Per FERPA, parents and eligible students with concerns about the accuracy of education records contact the school district directly. Manage1to1 does not interact with parents or students on behalf of districts and does not adjudicate accuracy challenges; districts retain full control over the records.

Questions about this Plan?

For questions about how Manage1to1 protects district or student data — or to request a SaaS Agreement, SDPA, DPA, or the complete subprocessor list — contact us at info@manage1to1.com. For breach notification or urgent security matters, include “Security incident” in the subject line.

Manage1to1 · 7901 4th St N #8273 · St. Petersburg, FL 33702