Data Security & Privacy Plan
How SchoolCal protects personally identifiable information and student data across all schools and states we serve.
1. Implementation of Privacy and Security Requirements
SchoolCal, LLC (“SchoolCal”) implements data security and privacy protections over the life of each service contract through written data processing agreements, technical safeguards, employee training, and documented incident response procedures.
Our security and privacy program is reviewed no less than annually by company leadership and updated as needed to reflect changes in applicable federal and state law, regulatory guidance, and industry best practices. Each school or district (“LEA”) we serve receives a Data Processing Agreement (“DPA”) that specifies our mutual obligations before any student or staff data is exchanged.
2. Administrative, Operational, and Technical Safeguards
Administrative safeguards include role-based access policies, confidentiality agreements for all employees and contractors with access to PII, and annual security policy reviews approved by company leadership.
Operational safeguards include a least-privilege access model, controlled access to production data environments, vendor compliance requirements for all subprocessors, and documented procedures for onboarding and offboarding personnel with data access.
Technical safeguards include:
- HTTPS/TLS encryption for all data in transit
- Encryption at rest for sensitive data fields
- Multi-factor authentication (MFA) enforced on all critical systems and infrastructure
- Web Application Firewall (WAF) protecting publicly accessible services
- Network access controls including VPC segmentation and firewall rules
- Regular vulnerability scanning of code, infrastructure, and web services
- Centralized logging and alerting for anomalous or unauthorized activity
- Intrusion detection across production infrastructure
SchoolCal's infrastructure is hosted on Microsoft Azure, which maintains SOC 2 Type II, ISO 27001, and additional certifications for physical and environmental security.
3. Employee Training
All SchoolCal employees and contractors who will have access to Student Data or APPR Data receive training on applicable federal and state privacy laws — including FERPA, COPPA, and applicable state student data privacy statutes — prior to receiving access credentials.
Training is conducted at onboarding and reviewed on an annual basis. Training covers: data classification and handling, acceptable use, breach recognition and reporting obligations, and state-specific requirements for any states in which we have active LEA contracts. Completion of training is documented and maintained as part of employee records.
Employees and contractors are required to execute a confidentiality agreement as a condition of employment or engagement. Access to Student Data is restricted to the minimum necessary to perform job responsibilities.
4. Subprocessor Obligations
SchoolCal enters into written data processing agreements with all subprocessors who may access, store, or process Student Data on our behalf. These agreements require subprocessors to maintain data protections no less stringent than those in SchoolCal's customer DPAs, prohibit subprocessors from using Student Data for any purpose other than providing contracted services, and prohibit re-disclosure to subsequent third parties without written authorization.
SchoolCal monitors subprocessor compliance and, in the event a subprocessor fails to materially comply with applicable requirements, will notify affected LEAs, remove the subprocessor's access to Student Data, and take all necessary steps to retrieve or securely destroy data held by that subprocessor.
A current, maintained list of authorized subprocessors is available at: schoolcal.com/legal/subprocessors
5. Incident Management & Breach Notification
SchoolCal maintains a written incident response plan consistent with industry standards and applicable federal and state law. The plan covers detection, containment, investigation, notification, and post-incident review.
In the event of a confirmed data breach or unauthorized access to Student Data, SchoolCal will:
- Notify the affected LEA within 72 hours of confirmation, or sooner as required by applicable state law
- Provide notification details including: nature of the incident, data types involved, estimated scope, date of occurrence, steps taken to contain and remediate, and a designated point of contact
- Cooperate fully with the LEA, the NYSED Chief Privacy Officer (where applicable), and law enforcement throughout investigation and remediation
- Assist the LEA in fulfilling its obligations to notify affected students, parents, and guardians
- Bear the costs of notification and remediation where the breach is attributable to SchoolCal or its subprocessors, as required by applicable state law
SchoolCal will provide a summary of its written incident response plan to any LEA upon request.
6. Data Return & Transition
Upon written request from an LEA, SchoolCal will return or provide a mechanism to transfer all Student Data within 60 days (or within the timeframe specified in the applicable DPA or state supplement, whichever is shorter). Data will be provided in a readable, exportable format such as CSV or other mutually agreed format.
SchoolCal will not retain Student Data beyond the term of the Service Agreement unless expressly authorized in writing, required by law, or necessary to facilitate transfer of data back to the LEA. Upon termination, if no written request is received from the LEA, SchoolCal will provide the LEA with advance notice before disposing of Student Data per the terms of the applicable DPA.
7. Secure Destruction
Student Data that is no longer needed to provide services is securely deleted from active production systems and backup environments using industry-standard destruction methods. SchoolCal follows NIST SP 800-88 guidance for media sanitization where applicable.
Upon request, SchoolCal will provide written certification of the destruction of Student Data, including the date of destruction and the method(s) used. This certification will be delivered to the LEA within 30 days of destruction.
8. Alignment with LEA Policies
SchoolCal will review each LEA's Data Security and Privacy Policy and Parents' Bill of Rights for Data Privacy and Security upon execution of a DPA and implement any additional contractually required safeguards specific to that LEA.
For New York LEAs, SchoolCal's Data Security and Privacy Plan is incorporated by reference into the applicable DPA as Exhibit K. Provider warrants that this Plan: (a) implements all applicable state and federal data privacy and security requirements; (b) has operational and technical safeguards in place to protect PII; (c) complies with the LEA's Parents' Bill of Rights; (d) requires training for all employees and subprocessors with access to Student Data or APPR Data; (e) ensures subprocessors are bound to protect PII; (f) specifies how incidents are managed with prompt LEA notification; and (g) addresses Student Data return, deletion, and destruction. For New York, encryption of Student Data and APPR Data at rest and in transit is implemented using industry-standard protocols compliant with applicable New York laws and regulations.
9. NIST Cybersecurity Framework v1.1 Alignment
The following tables document SchoolCal's alignment with each category of the NIST Cybersecurity Framework v1.1, as required by New York Education Law § 2-d and the Regulations of the Commissioner at 8 NYCRR Part 121.
Identify (ID)
Understanding organizational risk to systems, assets, data, and capabilities
| Category | SchoolCal Response |
|---|---|
| Asset Management (ID.AM) | SchoolCal maintains an inventory of systems, devices, and software used to deliver services and process Student Data. Assets are classified by data sensitivity and assigned ownership. Inventory is reviewed annually and updated as changes occur. |
| Business Environment (ID.BE) | SchoolCal's mission is to provide scheduling, calendar management, and operations software to K-12 schools. Privacy and security responsibilities are integrated into product development and operations. Cybersecurity risk decisions are informed by our role as a data processor for Student Data. |
| Governance (ID.GV) | SchoolCal maintains a suite of internal policies covering data privacy, access control, acceptable use, and incident response. Policies are approved by company leadership annually, and legal and regulatory requirements are tracked and incorporated into policy updates. |
| Risk Assessment (ID.RA) | SchoolCal conducts annual risk assessments covering threats to the confidentiality, integrity, and availability of Student Data. Identified risks are documented, prioritized, and assigned remediation timelines. Vendor and subprocessor risks are assessed prior to engagement. |
| Risk Management Strategy (ID.RM) | Risk tolerances are established by leadership and factor into product development, infrastructure, and vendor decisions. Residual risk is monitored through ongoing vulnerability scanning, logging, and periodic review. |
| Supply Chain Risk Management (ID.SC) | All subprocessors with access to Student Data are evaluated prior to engagement, required to execute written DPAs, and monitored for ongoing compliance. SchoolCal maintains a public subprocessor list at schoolcal.com/legal/subprocessors and notifies LEAs of material changes. |
Protect (PR)
Safeguards to limit the impact of potential cybersecurity events
| Category | SchoolCal Response |
|---|---|
| Identity Management, Authentication & Access Control (PR.AC) | Access to Student Data and production systems is restricted to authorized personnel with a documented need. MFA is enforced on all critical systems. Role-based access controls and least-privilege principles are applied. User accounts are reviewed and de-provisioned upon role change or separation. |
| Awareness and Training (PR.AT) | All employees and contractors with access to Student Data receive privacy and security training at onboarding and annually thereafter. Training covers FERPA, applicable state laws, data handling requirements, and breach reporting obligations. Completion is documented. |
| Data Security (PR.DS) | Student Data is encrypted in transit using TLS and encrypted at rest for sensitive fields. Data is stored within the United States on Microsoft Azure infrastructure. Data minimization practices limit the collection of Student Data to what is necessary to provide contracted services. |
| Information Protection Processes and Procedures (PR.IP) | SchoolCal maintains documented security policies, data handling procedures, and an incident response plan. Policies are reviewed annually. Secure development practices including code vulnerability scanning are applied to the SchoolCal platform. |
| Maintenance (PR.MA) | System maintenance is performed by authorized SchoolCal personnel via controlled, logged access. Remote maintenance sessions use encrypted channels. Production systems are patched on a regular cadence based on vulnerability severity. |
| Protective Technology (PR.PT) | SchoolCal deploys a Web Application Firewall (WAF), network access controls (VPC, security groups, firewall rules), and centralized logging. Audit logs capture authentication events, administrative actions, and data access. Logs are retained per applicable requirements. |
Detect (DE)
Identifying the occurrence of a cybersecurity event
| Category | SchoolCal Response |
|---|---|
| Anomalies and Events (DE.AE) | SchoolCal's infrastructure generates logs across application, authentication, and network layers. Alerting thresholds are configured to detect anomalous patterns including unusual login activity, high-volume data access, and configuration changes. Alerts are routed to responsible personnel for review. |
| Security Continuous Monitoring (DE.CM) | Production systems are monitored continuously for security events. Vulnerability scanning runs regularly against code and infrastructure. SchoolCal monitors vendor security advisories and applies patches in a timely manner based on severity classification. |
| Detection Processes (DE.DP) | Detection procedures are documented within SchoolCal's incident response plan and tested periodically. Detection capabilities are reviewed following any confirmed security incident and updated as part of post-incident lessons learned. |
Respond (RS)
Actions taken following a detected cybersecurity incident
| Category | SchoolCal Response |
|---|---|
| Response Planning (RS.RP) | SchoolCal maintains a written incident response plan covering detection, triage, containment, investigation, notification, and remediation. The plan designates responsible roles and escalation paths. A summary is available to LEAs upon request. |
| Communications (RS.CO) | In the event of a confirmed breach affecting Student Data, SchoolCal will notify affected LEAs within 72 hours (or sooner per state law), coordinate with law enforcement as required, and cooperate with the NYSED Chief Privacy Officer where applicable. Internal communication protocols are defined in the incident response plan. |
| Analysis (RS.AN) | SchoolCal investigates confirmed incidents to determine scope, root cause, and impact. Analysis findings are documented and used to inform containment, remediation, and notification decisions. Forensic preservation practices are applied as appropriate. |
| Mitigation (RS.MI) | Upon confirmation of an incident, SchoolCal takes immediate steps to contain the event and prevent further exposure, including revoking compromised credentials, isolating affected systems, and engaging subprocessors as needed. Remediation actions are tracked to closure. |
| Improvements (RS.IM) | Post-incident reviews are conducted after any confirmed security incident. Findings are used to update policies, detection capabilities, and technical controls. Improvement actions are documented and assigned owners with completion timelines. |
Recover (RC)
Maintaining resilience and restoring capabilities after an incident
| Category | SchoolCal Response |
|---|---|
| Recovery Planning (RC.RP) | SchoolCal maintains documented recovery procedures as part of its overall incident response plan. Recovery procedures address system restoration priorities, backup verification, and LEA communication during service restoration. Backups are tested periodically for recoverability. |
| Improvements (RC.IM) | Recovery activities are reviewed following any incident. Lessons learned are incorporated into updated recovery procedures, technical configurations, and training materials. Recovery plan reviews are conducted at minimum annually. |
| Communications (RC.CO) | During recovery from a significant incident, SchoolCal maintains communication with affected LEAs regarding restoration status and timelines. Public communications, if any, are coordinated in a manner that does not compromise ongoing investigation or security. |
Questions about this plan?
If you have questions about SchoolCal's data security and privacy practices, need a copy of our incident response plan summary, or need to report a potential security concern, please contact us.
privacy@schoolcal.com