Parents Bill of Rights for Data Privacy and Security

Last updated: May 15, 2026

Under New York Education Law §2-d

Manage1to1 is committed to protecting the privacy and security of student personally identifiable information (PII). This Parents Bill of Rights describes the rights parents and eligible students hold under New York Education Law §2-d and the specific commitments we make when processing student data on behalf of a school district.

This document is required under New York Education Law §2-d and may be relied upon by Connecticut districts under Public Act 16-189 to satisfy comparable parent-notice requirements. Districts in other states may use it as our statement of commitment to parental rights even where state law does not require a separate Bill of Rights.

Parents’ rights under NY Ed Law §2-d

Pursuant to New York Education Law §2-d, parents (or eligible students 18 years of age or older) have the rights set forth below with respect to their child's personally identifiable information.

1. Student PII cannot be sold or used for commercial purposes.

A student's personally identifiable information cannot be sold or released by an educational agency or third-party contractor for any commercial or marketing purpose.

2. The right to inspect and review education records.

Parents have the right to inspect and review the complete contents of their child's education record stored or maintained by an educational agency. Parents wishing to inspect their child's records should contact the school district directly; Manage1to1 does not interact with parents on behalf of districts.

3. Confidentiality is protected by state and federal law.

State and federal laws protect the confidentiality of personally identifiable information. Safeguards associated with industry standards and best practices — including encryption, firewalls, role-based access controls, and password protection — must be in place when data is stored or transferred.

4. A complete list of student data elements is publicly available.

A complete list of all student data elements collected by the State of New York is available for public review at the New York State Education Department's Information and Reporting Services page, or by writing to the Office of Information and Reporting Services, New York State Education Department, 89 Washington Avenue, Albany, NY 12234.

5. The right to have complaints addressed.

Parents have the right to have complaints about possible breaches of student data addressed. Complaints to the New York State Education Department should be directed in writing to:

Chief Privacy Officer
New York State Education Department
89 Washington Avenue
Albany, NY 12234
Email: privacy@nysed.gov

Complaints about Manage1to1's handling of district or student data may be directed in writing to the school district or to Manage1to1 at info@manage1to1.com.

6. Workforce training is required.

Educational agency workers and third-party contractors that handle PII will receive training on the applicable federal and state laws (including FERPA, COPPA, PPRA, and NY Ed Law §2-d), the policies of the educational agency, and safeguarding best practices. Manage1to1 employees with access to district or student PII complete this training at the start of employment and annually thereafter.

Manage1to1 supplemental information

The following supplemental information is provided in accordance with 8 NYCRR §121.3 to describe how Manage1to1 handles district and student data.

A. Exclusive purposes for which student data will be used.

District and student PII processed by Manage1to1 is used solely to provide the K-12 device management, help desk, asset tracking, incident management, invoicing, and reporting services authorized by the district under its SaaS Agreement. Manage1to1 does not sell, share, license, or commercially exploit district or student data for any other purpose, and does not use student data for targeted advertising.

B. How subcontractors are bound to data protection requirements.

Manage1to1 engages a limited number of subprocessors to deliver the service. Each subprocessor is contractually bound to confidentiality, encryption-in-transit-and-at-rest, breach-notification, and data-handling obligations consistent with those Manage1to1 owes the district. The specific categories of subprocessors and the controls they are bound to are described in our Data Security and Privacy Plan. A complete subprocessor list with specific vendor names is available to districts on written request to info@manage1to1.com.

C. Contract duration and what happens to data when the contract ends.

The duration of any individual district's engagement with Manage1to1 is specified in the underlying SaaS Agreement. For a period of thirty (30) days following termination or expiration, all district and student data remains available for full export to standard formats. After the 30-day export window, all district and student data is securely deleted from production servers, off-site backups, and operational databases. Written confirmation of deletion is provided to the district on request.

D. How a parent or eligible student may challenge data accuracy.

Per the Family Educational Rights and Privacy Act (FERPA), parents and eligible students who believe data in a student record is inaccurate, misleading, or in violation of the student's right to privacy may challenge the data through the educational agency that owns the record (the school district). The district retains full control over its records. Manage1to1 acts solely as a data processor on behalf of the district and does not adjudicate accuracy challenges.

E. Where data will be stored and how it is protected.

District and student data is stored in certified cloud hosting infrastructure located within the United States. Hosting facilities hold SOC 2 (Type II) with HIPAA controls, PCI Merchant, CSA Star Level 1, and ISO/IEC 27001:2022 certifications. Specific facility names are disclosed to districts under the SDPA / DPA on request.

Security protections include:

  • Encryption in transit (TLS 1.3 only) on every connection to the platform, the Parent Portal, the staff application, and every integration endpoint
  • Full-disk and database-level encryption at rest
  • Multi-factor authentication on all administrative access paths
  • Role-based access controls limiting access to authorized Manage1to1 personnel on a strict need-to-know basis
  • Continuous vulnerability scanning and third-party uptime monitoring
  • 72-hour breach notification in writing to the district's designated contact(s)

Full technical detail is available on our Security & Compliance page and in the Data Security and Privacy Plan.

Questions about your child's data?

Parents and guardians with questions about a specific student's data should contact the school district directly — districts hold the relationship with parents and the decision-making authority over their records. For questions about Manage1to1's data handling practices, contact us at info@manage1to1.com.

Manage1to1 · 7901 4th St N #8273 · St. Petersburg, FL 33702