COMPREHENSIVE DATA PRIVACY AND SECURITY POLICY
UPI STUDY, INC.
Updated Date: May, 2025
Prepared in accordance with New York Education Law §2-d, FERPA, COPPA, CCPA, GDPR, and other applicable federal and state data protection laws.
SECTION 1: INTRODUCTION & SCOPE
1.1 Purpose and Philosophy
UPI Study, Inc. (“UPI Study”, “we”, “our”, or “the Company”) is a provider of digital educational services, credentialing infrastructure, and academic data processing for students, educational institutions, and authorized third parties. In this capacity, UPI Study handles large volumes of sensitive and regulated data—including personally identifiable information (“PII”), education records, financial data, and institutional content—on behalf of public and private K–12 and postsecondary institutions.
This Comprehensive Data Privacy and Security Policy (“Policy”) articulates UPI Study’s commitment to upholding the highest legal, technical, and ethical standards of data privacy and protection in every jurisdiction in which we operate. This Policy is also the framework through which UPI Study complies with federal and state laws, including but not limited to:
- New York Education Law §2-d
- The Family Educational Rights and Privacy Act (FERPA)
- The Children’s Online Privacy Protection Act (COPPA)
- The California Consumer Privacy Act (CCPA), as amended by the CPRA
- The General Data Protection Regulation (GDPR) for EU/EEA residents
- Additional state and local privacy mandates applicable to educational data
Through this Policy, we aim to ensure that all users—including students, parents, district administrators, school staff, and postsecondary institutions—understand:
- What personal and educational data we collect
- How that data is used, shared, protected, and eventually destroyed
- What rights users have over their own data
- What vendors and contractors must do to remain in compliance
- How we respond to breaches, audits, and legal obligations
This Policy is not only a compliance document—it is a declaration of UPI Study’s long-term stewardship over the educational data entrusted to us.
1.2 Scope of Coverage
This Policy applies to all data and information systems used or managed by UPI Study, including those integrated with third-party platforms, mobile applications, web services, institutional portals, and data-sharing environments used by our clients and partners.
Specifically, this Policy governs:
- All data collected, processed, stored, or transferred through UPI Study’s systems, services, or platforms
- All users of our platforms, including students (minors and adult learners), parents/legal guardians, school officials, district IT personnel, postsecondary registrars, and third-party contractors
- All employees, officers, contractors, and service providers acting on behalf of UPI Study who come into contact with data that includes or could reasonably be used to identify an individual
- All environments where PII or Education Records are hosted, including UPI Study’s cloud service provider(s), staging environments, API endpoints, backups, archives, mobile applications, and internal administrative portals
Data governed by this Policy includes, but is not limited to:
- Student names, contact details, birthdates, and ID numbers
- Course records, grades, transfer logs, certifications, and transcripts
- Parent/guardian contact information and consent records
- District, school, or institutional identifiers, rosters, and performance data
- Login credentials, session metadata, and system usage logs
- Payment or billing identifiers (e.g., Stripe/PayPal transaction tokens)
- IP addresses, browser agents, mobile device IDs, cookies
- Communications with support, instructors, and chatbots
This Policy extends to all data regardless of:
- Format (electronic, physical, paper-based, audio, video, verbal)
- Location (on-premises systems, offsite backups, subcontractor platforms)
- Lifecycle stage (active, archived, pending deletion)
1.3 Binding Nature
This Policy is binding upon all internal stakeholders and external partners, including:
- UPI Study employees, contractors, and officers
- School district clients and their designees
- Postsecondary partner institutions
- Third-party technology providers, LMS platforms, and analytics vendors
- Data processors, subcontractors, and consultants who have access to any user data
All UPI Study personnel with data access responsibilities are contractually required to comply with this Policy, undergo training in applicable data privacy laws, and report any breach or policy deviation immediately to the Data Protection Officer.
All third-party vendors who process regulated data on UPI Study’s behalf must sign a compliant Data Processing Agreement (DPA) and demonstrate that they meet or exceed the technical and procedural standards outlined herein.
1.4 Policy Objectives
This Policy is designed to meet the following objectives:
- Ensure legal compliance with FERPA, NY Education Law §2-d, COPPA, CCPA, GDPR, and other governing laws.
- Promote transparency in how student and institutional data are used and shared.
- Limit data use to legitimate educational purposes, avoiding any form of commercial exploitation.
- Protect student privacy through encryption, access controls, risk assessments, and breach mitigation.
- Facilitate institutional accountability via documented audit trails, data retention plans, and opt-out mechanisms.
- Uphold the rights of parents and students, including access, correction, and deletion of records.
- Enable secure cross-border data transfers, as needed, while preserving compliance with international standards.
- Maintain a defensible compliance posture in response to audits, inspections, or public record requests.
1.5 Implementation Authority
The Data Protection Officer (DPO) for UPI Study is the designated authority responsible for:
- Interpreting this Policy
- Conducting internal compliance assessments
- Coordinating responses to data subject requests
- Managing third-party data agreements
- Overseeing training and awareness
- Reporting breaches and incidents to appropriate authorities
The DPO may delegate operational enforcement to departmental leads but retains ultimate accountability for policy integrity and external reporting.
For all privacy-related inquiries, contact the DPO by email at [email protected] or by mail at UPI Study, Inc., 221 River St, 9th Floor, Hoboken, NJ 07030.
1.6 Relation to Contracts and Local Policies
Where this Policy is referenced or incorporated by agreement (e.g., a signed DPA or institutional contract), it shall be deemed to represent UPI Study’s data governance standard of record. In the event of a conflict between this Policy and a local district policy or contract, the stricter or more protective requirement will prevail.
For New York State school districts, this Policy is designed to fulfill the obligations of a Supplemental Information Addendum under 8 NYCRR §121.3(c) and supports the standardized implementation of the Parents’ Bill of Rights for Data Privacy and Security.
SECTION 2: DEFINITIONS
2.1 Overview
For clarity and legal precision, this section defines key terms used throughout the Comprehensive Data Privacy and Security Policy. These definitions are aligned with applicable U.S. federal and New York State statutes, including FERPA, COPPA, New York Education Law §2-d, and GDPR where relevant. When interpreting this policy, the definitions below shall control.
2.2 Defined Terms
“Personally Identifiable Information (PII)”
PII refers to any information that can be used to distinguish or trace an individual’s identity—either alone or when combined with other personal or identifying information that is linked or linkable to a specific person. This includes, but is not limited to:
- Full legal name
- Address (home, mailing, IP-based geolocation)
- Personal phone numbers (mobile, home)
- Student’s institutional
- Username and password (or other credentials)
- Email addresses (especially those linked to educational domains)
- Photos, videos, or other media that directly or indirectly reveal identity
As defined by FERPA (34 CFR § 99.3) and NY Education Law §2-d(1)(a), PII is subject to heightened protections when derived from an education record or when it relates to a student under the age of 18.
“Education Record”
Under FERPA, an education record is broadly defined as any record that:
- Directly relates to a student; and
- Is maintained by an educational agency, institution, or by a party acting on their behalf.
Education Records may be stored digitally, in paper form, audio/video, or within learning management systems. Examples include:
- Academic transcripts
- Grade reports
- Disciplinary records
- Class rosters
- Standardized test results
- College transfer documentation
- Communications with school staff
- Credentialing and accreditation records
Education records also include metadata associated with these items, such as timestamp logs or access histories.
“Student Data”
“Student Data” is a working term used in this Policy to describe all PII and Education Records that pertain to a specific student and are collected, stored, used, or disclosed by UPI Study. It may include:
- Learning analytics (e.g., course participation metrics, clickstream data)
- Assessment responses and test scores
- Transcript evaluations for partner institutions
- Enrollment status and academic pathways
- Communications submitted via chat, email, or portals
All Student Data is protected in accordance with FERPA, NY Ed Law §2-d, COPPA (if under 13), and GDPR (if international).
“Parent”
The term “Parent” refers to:
- A biological or adoptive parent
- A legal guardian
- A person acting in loco parentis (in the place of a parent), with written authorization
- Any other person recognized under applicable state or federal law as having legal authority over a minor child’s educational decisions
Under FERPA, parents have the right to access, inspect, amend, or request deletion of their child’s education records until the student becomes an “Eligible Student.”
“Student”
A "Student" refers to any individual, regardless of age, who is:
- Enrolled in a K–12 public, charter, or private school
- Participating in a credit-bearing or credentialed program via UPI Study
- Affiliated with a UPI Study district, school, or postsecondary institutional client
- Accessing services offered by UPI Study as part of an academic program
This includes:
- Minor children under age 13, subject to COPPA protections
- High school students enrolled through school district contracts (protected under FERPA and NY Ed Law §2-d)
- Adult learners and eligible students accessing services via college, university, or international programs
- Dual-enrolled students participating in secondary-postsecondary partnerships
All students are considered data subjects under this Policy, and their records are protected regardless of educational level, enrollment status, or geographic location.
“Authorized Representative”
An Authorized Representative is any entity or individual designated by a state or local education authority to carry out audits, evaluations, or compliance enforcement functions under:
- FERPA
- Title I of the Elementary and Secondary Education Act (ESEA)
- State education law (e.g., NYSED under §2-d)
UPI Study recognizes and cooperates with Authorized Representatives during formal reviews or audits, provided appropriate legal documentation is submitted.
“Service Provider” or “Third-Party Contractor”
This refers to any non-UPI Study entity that processes personal data on our behalf. This includes:
- Hosting and cloud providers (e.g., Google Cloud Platform)
- Integrated Learning Management Systems (LMS)
- Assessment tools
- Credential verification providers
- Payment processors
- Analytics vendors
- Customer service platforms (e.g., Zendesk, Intercom)
All Service Providers must sign a Data Processing Agreement (DPA) and comply with data privacy laws, including NY Ed Law §2-d, FERPA, and CCPA. These entities must use data only as instructed and may not retain, reuse, or disclose it for their own purposes.
“De-Identified Data”
De-Identified Data refers to information that has been stripped of all direct and indirect identifiers in such a way that:
- The identity of the individual cannot be determined; and
- The data cannot be reasonably re-identified using known techniques or external datasets
De-identification must comply with 34 CFR § 99.31(b) (FERPA) and 8 NYCRR §121.3(e). Techniques include:
- Masking (redacting sensitive fields)
- Aggregation (grouping data at cohort level)
- Noise injection or differential privacy
- K-anonymity and other statistical approaches
UPI Study uses De-Identified Data for legitimate internal purposes such as analytics, program evaluation, and service improvement, but never for marketing or resale.
“Directory Information”
Directory Information is a limited subset of PII that FERPA allows institutions to disclose without consent, provided the institution gives public notice and allows opt-out. Examples include:
- Student’s name
- Major or field of study
- Grade level or class standing
- Degrees or honors received
- Participation in official activities
UPI Study does not disclose directory information unless authorized by the originating institution or required by contract or law.
“Data Breach”
A Data Breach is any unauthorized acquisition, access, use, disclosure, or destruction of PII or Education Records that:
- Compromises the security or privacy of the data; or
- Violates applicable laws or institutional agreements
This includes breaches caused by hacking, accidental sharing, improper access controls, theft, or failure to follow secure protocols. All confirmed breaches must be reported in accordance with UPI Study’s Incident Response Plan, and in compliance with NY Ed Law §2-d(6) and FERPA §99.63.
“Encryption”
Encryption is the process of converting information into a format that cannot be understood without a decryption key. UPI Study adheres to:
- AES-256 encryption for data at rest
- TLS 1.2+ encryption for data in transit
- NIST-recommended algorithms and key management practices
Encryption is mandatory for all Student Data stored or transmitted through UPI Study’s systems or partner platforms.
“Data Subject”
A Data Subject is any individual whose personal data is collected, stored, or processed by UPI Study. This term is most relevant under GDPR, which grants Data Subjects extensive rights over their data, including access, correction, erasure, restriction, and portability.
SECTION 3: LEGAL FRAMEWORK AND GOVERNING LAWS
3.1 Purpose of this Section
UPI Study, Inc. (“UPI Study”) operates in a highly regulated data environment, as a service provider to both K–12 school districts and higher education institutions across the United States and internationally. UPI Study collects, processes, and safeguards large volumes of sensitive personal data, including student education records and institutional academic records.
This section outlines the legal authorities and regulatory frameworks that govern UPI Study’s operations. The goal is to ensure that all practices, technologies, contracts, and internal procedures are fully aligned with applicable laws at the federal, state, and international levels. Where multiple laws may apply simultaneously, UPI Study adopts the strictest applicable standard to protect the privacy and security of student and institutional data.
3.2 U.S. Federal Laws
3.2.1 Family Educational Rights and Privacy Act (FERPA) – 20 U.S.C. § 1232g
FERPA governs the privacy of student education records. UPI Study acts as a "school official" with a legitimate educational interest when contracted by an institution and may handle student data on the institution’s behalf under the FERPA exception to prior written consent.
FERPA requires that:
- Students aged 18+ (or parents of minor students) have rights to access, review, and amend their education records.
- Institutions and their authorized agents must ensure data is disclosed only under permitted exceptions.
- Personally Identifiable Information (PII) from education records cannot be disclosed without written consent, unless an exception applies under 34 CFR § 99.31.
UPI Study maintains role-based access controls and adheres to strict data minimization principles to fulfill its FERPA-related obligations.
3.2.2 Children’s Online Privacy Protection Act (COPPA) – 15 U.S.C. §§ 6501–6506
COPPA governs the online collection of personal information from children under the age of 13. However, the Federal Trade Commission (FTC) provides an explicit exception for educational service providers when access to the service is initiated and authorized by a school or school district for educational purposes only.
UPI Study often delivers services to students whose participation is funded and authorized by public school districts. When students under 13 access the platform through district-issued registration links or institutional access codes, UPI Study does not collect direct parental consent. Instead:
- UPI Study relies on the FTC’s “School Exception” under COPPA, whereby educational institutions may act as the parent’s agent in authorizing the use of online educational tools.
- The student’s access is deemed to be authorized by the institution, provided:
  - The data is used solely for educational purposes
  - The information is not used for marketing, profiling, or advertising
  - No data is disclosed or sold to unauthorized third parties
- UPI Study documents the school or district that issued access, including:
  - Timestamp of registration
  - Referring URL or access code used
  - Metadata indicating school affiliation and contractual basis
For any students under 13 who do not register via a school-sponsored access link, UPI Study implements a COPPA-compliant parental consent mechanism, including verifiable consent through digital signature or email verification.
In all cases, UPI Study complies with COPPA requirements regarding data minimization, notice, access, security, and deletion of children’s personal data.
3.2.3 Protection of Pupil Rights Amendment (PPRA) – 20 U.S.C. § 1232h
PPRA governs the administration of surveys and the collection of information from students about certain sensitive topics, including:
- Political affiliations
- Religious beliefs
- Mental or psychological issues
- Sexual behavior or attitudes
- Illegal, anti-social, or self-incriminating behavior
- Income information (except as required for eligibility determinations)
UPI Study ensures that no such information is collected via its services without appropriate parental notification or opt-in procedures, in accordance with institutional policies and PPRA guidelines.
3.2.4 Health Insurance Portability and Accountability Act (HIPAA)
HIPAA protects health information but generally does not apply to educational records protected by FERPA. If UPI Study is ever required to process health-related information outside of FERPA’s scope, it adheres to HIPAA’s Privacy and Security Rules, ensuring that such information is encrypted, access-controlled, and shared only with authorized parties.
3.3 New York State Law
3.3.1 New York Education Law §2-d and 8 NYCRR Part 121
UPI Study is a third-party contractor to public school districts in New York and is therefore legally bound by New York Education Law §2-d and its regulations. UPI Study complies with all statutory requirements, including:
- Prohibition on selling or commercializing student data
- Limiting the use of data strictly to educational purposes outlined in executed contracts
- Maintaining audit logs for six years documenting data access and modifications
- Using encryption (AES-256 at rest, TLS 1.2+ in transit) as mandated by federal guidance
- Including supplemental information in its executed Parent Bill of Rights
- Submitting to audits or inspections initiated by the district or the New York State Education Department (NYSED)
All DPAs with New York districts include the Supplemental Information Addendum as required under 8 NYCRR §121.3(c), and a signed version of the Parents’ Bill of Rights for Data Privacy and Security.
3.3.2 New York State Technology Law §§201–208
This law governs data breach notification and cybersecurity obligations. UPI Study complies with Technology Law §208 by:
- Notifying affected New York residents within seven (7) business days of a confirmed unauthorized disclosure of student data
- Cooperating with district and state officials to investigate any data security incident
- Providing detailed breach summaries, including scope, data types affected, response measures, and mitigation strategies
3.4 Other U.S. State Student Privacy Laws
In addition to New York law, UPI Study adheres to student data privacy laws in other U.S. jurisdictions, including:
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
- Illinois Student Online Personal Protection Act (SOPPA)
- Connecticut Public Act 16-189
- Texas Senate Bill 820 (SB 820)
- Nevada NRS 603A
- Massachusetts Student Privacy Framework
Under CCPA/CPRA, California residents may request:
- Copies of the PII UPI Study holds
- Deletion of personal data
- Restriction on third-party sharing (UPI Study does not sell PII)
- Equal access and service regardless of privacy choices
Requests are honored within 45 calendar days in compliance with Cal. Civ. Code §1798.130.
3.5 International Law: General Data Protection Regulation (GDPR)
UPI Study also serves international users, including EU and EEA residents. When processing the personal data of users located within the European Union, UPI Study complies with the General Data Protection Regulation (Regulation EU 2016/679).
As a data processor, UPI Study ensures:
- A legal basis for processing data (e.g., contractual necessity)
- Execution of Standard Contractual Clauses (SCCs) to lawfully transfer data to the U.S.
- Availability of data subject rights, including:
  - Right to access
  - Right to rectification
  - Right to erasure (“Right to Be Forgotten”)
  - Right to restrict processing
  - Right to object
  - Right to data portability
Where required, UPI Study works with institutional controllers to complete Data Protection Impact Assessments (DPIAs) and designate an EU-based representative, if applicable.
3.6 Contractual and Institutional Commitments
Beyond statutory law, UPI Study is bound by a range of institutional, regulatory, and accreditation-based agreements, including:
- NCCRS and ACE archival and record keeping standards
- Executed district-level DPAs and compliance addenda
- State-approved transcript validation and transfer partnerships
- Accreditation-aligned data retention and reporting commitments
Each agreement may impose additional obligations concerning:
- Retention periods (e.g., 5–10 years for academic records)
- Data return or destruction upon contract termination
- Availability of audit logs and training documentation
- Restrictions on data reuse or subprocessing
UPI Study commits to honoring the most restrictive and protective terms found in either law or contract, to ensure maximum compliance and institutional trust.
SECTION 4: DATA COLLECTION AND CLASSIFICATION
4.1 Purpose of this Section
UPI Study, Inc. (“UPI Study”) provides digital education services, academic credit facilitation, and transcript reporting infrastructure for both K–12 and postsecondary institutions. In fulfilling these services, UPI Study collects, processes, and stores various categories of student, parent, and institutional data. This section defines the types of information UPI Study collects, explains the legal and operational justification for each, and outlines the technical classification and safeguards associated with different data tiers.
Data collection is guided by the following foundational principles:
- Data minimization – collect only what is necessary to fulfill an educational or contractual purpose
- Purpose limitation – use collected data only for the specific purposes disclosed
- Transparency – clearly communicate to users and institutions what data is collected and why
- Security – apply technical and procedural safeguards to protect all collected data from unauthorized use
4.2 General Categories of Data Collected
UPI Study collects data from users (students, parents, educators), institutional administrators, and technical systems. Data may be collected via:
- Direct user input during registration or course engagement
- Institutional imports (e.g., district enrollment lists, academic records)
- System-generated metadata during platform use
- Authenticated integrations with third-party education systems
The table below outlines the primary categories of data collected:
Data Category | Examples | Purpose | Legal Basis |
Identifiers | Full name, date of birth, school affiliation | Student identification, identity verification, account management | FERPA, NY Ed Law §2-d, GDPR Art. 6(1)(b) |
Education Records | Grades, transcripts, credentialing info, course completions | Issuing academic credit, reporting to districts and partner institutions, fulfilling archival duties | FERPA, NY Ed Law §2-d, contract |
Authentication Data | Email address, password hash, session tokens | Login, security, and access management | Legitimate interest, platform functionality |
School Authorization Metadata | District-issued registration links, timestamps, access codes | Verifying institutional authorization in lieu of direct parental consent (for minors) | COPPA (school exception), FERPA, §2-d |
Communication Data | Emails, support tickets, instructor-student messages | Academic advising, support, help desk workflows | Contractual necessity, FERPA, institutional policy |
Technical Metadata | IP address, browser type, device ID, session logs | Platform diagnostics, fraud prevention, breach detection | Legitimate interest, GDPR Art. 6(1)(f) |
Payment Identifiers | Stripe/PayPal ID tokens, billing references | Institutional billing or self-funded enrollment support | CCPA, PCI DSS (not linked to student records) |
Institutional Metadata | School/district name, APPR indicators (if shared), roster flags | Credential verification, transcript alignment, district-wide reporting | §2-d, district contracts, audit readiness |
Cookies and Preferences | Session tokens, preferred display settings, language | Maintaining a consistent and personalized user experience | GDPR/CCPA (where applicable), opt-in preference |
4.3 Parental Consent / School Authorization Records
UPI Study serves both adult and minor students. For students under the age of 13, UPI Study’s data collection and consent practices comply with the Children’s Online Privacy Protection Act (COPPA).
In most K–12 implementations, students do not self-register freely. Instead, they are provided access through school or district-paid registration links, rosters, or invitation codes. In such scenarios, UPI Study:
- Relies on the FTC’s “school exception” under COPPA, which allows schools and districts to authorize the use of online educational services on behalf of parents, provided:
  - The service is used solely for educational purposes
  - The provider does not use the data for commercial gain
  - The school is fully informed of data practices and has access to applicable privacy documentation
Because districts or institutions directly engage UPI Study and students register using controlled institutional methods, UPI Study is not required to collect direct parental consent. Instead, UPI Study logs the following as part of its school authorization recordkeeping:
- Referring institution or district name
- Access method used (e.g., registration URL, classroom code)
- Registration timestamp and metadata
- Account creation flag indicating district-funded access
- Agreement logs showing contract authorization terms
These records serve as evidence of institutional consent and are retained for a minimum of six (6) years, as required under NY Ed Law §2-d.
In rare instances where a student under 13 self-registers without an institutional agreement, UPI Study will initiate a direct parental consent process in accordance with COPPA, including:
- Digital parental notice
- Verifiable consent (e.g., signature, confirmation email, government ID if required)
- Access and deletion rights granted to the parent
In all cases, under-13 data is never used for marketing, retargeting, or behavioral profiling.
4.4 Data Minimization and Optional Fields
UPI Study collects only what is necessary to provide educational services or fulfill contractual obligations. Optional fields (such as gender, alternate contacts, or pronouns) are clearly marked during onboarding. Required fields are limited to:
- Student name
- Date of birth
- School affiliation or registration code
- Contact email (or parent email for minors)
No sensitive data is collected without purpose and explanation.
4.5 Automated Technical and System Data
UPI Study logs standard technical metadata to:
- Detect fraud or unauthorized access
- Maintain platform security
- Improve user experience through anonymized diagnostics
This includes:
- Device ID
- IP address and geolocation (at the region level only)
- Browser version and language
- Clickstream activity within the platform
This data is stored separately from academic records and is subject to internal access controls.
4.6 Cookies and Tracking Technologies
Cookies used by UPI Study fall into three categories:
Type | Purpose |
Strictly Necessary | Authentication, session continuity, platform security |
Functional | Saving user preferences like language or playback speed |
Analytics | Optional, aggregated usage data (disabled by default for minors) |
UPI Study does not use advertising or retargeting cookies. Users may control cookie preferences through their browser or through provided pop-ups if they are in GDPR or CCPA-covered jurisdictions.
4.7 Internal Data Classification
UPI Study categorizes all stored data into four sensitivity tiers to determine access and protection levels:
Tier | Label | Examples | Access Requirements |
1 | Restricted (FERPA/PII) | Student grades, transcripts, parent contact, DOB | Limited to trained staff, MFA, role-based control |
2 | Confidential | Support messages, communication logs | Designated teams only, logged access |
3 | Internal Use | Platform diagnostics, anonymized usage patterns | Employees only, for service optimization |
4 | De-Identified/Public | Aggregated statistics, FAQs, marketing disclosures | Available without restriction, post-sanitization |
4.8 Updates and User Notification
Any material changes in data collection practices are:
- Reflected in updates to this Privacy Policy
- Posted in-platform with version summaries
- Shared via email to institutional contacts and registered users
- Accompanied by revised consent prompts if legally required
SECTION 5: USE, PURPOSE, LIMITATION, AND PROHIBITED ACTIVITIES
5.1 Purpose of this Section
This section defines how UPI Study uses the data it collects, and the strict limitations placed on that usage. It outlines the core educational purposes that justify data collection, and explicitly prohibits any non-educational or commercial exploitation of personal or student information. It also affirms UPI Study’s commitment to transparency, purpose limitation, and lawful processing, as required under:
- FERPA (Family Educational Rights and Privacy Act)
- New York Education Law §2-d
- COPPA (Children’s Online Privacy Protection Act)
- CCPA/CPRA (California Consumer Privacy Act)
- GDPR (General Data Protection Regulation)
UPI Study adheres to the principle that student data is not a commodity. It is a trust-based asset that must only be used to support learning, credentialing, and institutional accountability.
5.2 Permitted Educational Uses
UPI Study processes data exclusively to provide or support educational services that are contractually or legally authorized by:
- Public school districts
- Charter and private K–12 institutions
- Postsecondary institutions (colleges, universities, registrars)
- Students and parents/guardians acting within the context of enrollment or academic transfer
Specifically, UPI Study uses personal and academic data to:
Student Service Delivery
- Register and authenticate student accounts
- Assign courses, track progress, and support instruction
- Generate grades, badges, and academic reports
- Manage course history and learning pathways
Credentialing and Transcript Services
- Issue official or unofficial transcripts
- Verify credential status with partner institutions (e.g., NCCRS, ACE)
- Transmit completed records to transfer institutions or registrars
Compliance and Institutional Support
- Report anonymized or aggregated data to state-authorized entities
- Assist districts with FERPA compliance and 2-d audit obligations
- Maintain long-term academic records for retention and verification purposes
Technical and Support Services
- Provide technical troubleshooting and help desk support
- Manage security events, detect abuse, and maintain service continuity
- Improve system performance through aggregate usage analytics
All data usage is logged, access-controlled, and reviewed to ensure it aligns with the purposes described above. No use may be initiated outside of this framework without prior institutional approval and (where applicable) express user consent.
5.3 Legal Bases for Data Use
UPI Study processes data under multiple overlapping legal grounds, depending on the user’s jurisdiction and relationship with an institution.
For U.S.-based Users:
- FERPA & NY Education Law §2-d: Contractual authorization by the school or district; data is used only for legitimate educational interests.
- COPPA: For users under 13, usage is limited to educational purposes under the school exception, or backed by verifiable parental consent.
- CCPA/CPRA: Data usage is disclosed at time of collection; there is no sale or cross-context behavioral advertising. Users may opt out of any optional processing.
For EU-based Users:
- GDPR Article 6(1)(b) – Processing necessary for the performance of a contract (e.g., course delivery, credentialing).
- Article 6(1)(f) – Legitimate interest, such as platform security and service enhancement (applied only where it does not override user rights).
- Article 6(1)(a) – Consent-based processing, when applicable (e.g., optional services or analytics).
5.4 Purpose Limitation
UPI Study enforces a strict purpose limitation doctrine, meaning that:
- Data collected for educational use cannot later be repurposed for marketing, commercial use, or resale.
- Any new data usage must be:
  - Aligned with the original purpose
  - Clearly disclosed
  - Subject to institutional or user approval if materially different
This aligns with:
- FERPA’s requirement to disclose PII only under recognized exceptions
- GDPR’s principle of “specified, explicit and legitimate purposes” (Article 5(1)(b))
- NY §2-d’s mandate to limit data usage strictly to purposes outlined in the contract
5.5 Prohibited Activities
The following activities are strictly prohibited by UPI Study policy, regardless of jurisdiction:
Data Selling or Monetization
UPI Study does not sell, rent, or license student data to any third parties for any reason.
This is expressly prohibited under:
- FERPA (unless a recognized exception applies)
- NY Ed Law §2-d(5)(a)
- CCPA/CPRA §1798.120 and §1798.140(ad)(1)
UPI Study does not engage in cross-context behavioral advertising or resell cookies, device IDs, or education records to ad networks.
5.6 Data Aggregation and De-Identification
UPI Study may use de-identified or aggregated data for the following permitted purposes:
- Internal product improvement
- Platform performance optimization
- Institutional reporting in non-identifiable formats
- Research in partnership with authorized academic institutions
All such data:
- Is stripped of direct and indirect identifiers in accordance with FERPA de-identification standards (34 CFR § 99.31(b)(1))
- Cannot be used to re-identify any individual
- Is not subject to resale, export, or monetization
5.7 Transparency and User Control
Students, parents, and institutions always retain the right to:
- Request details on how their data is being used
- Opt out of any optional analytics or communication
- Contact UPI Study to challenge or restrict usage inconsistent with this Policy
UPI Study’s full privacy dashboard and rights request procedures are described in Section 16 of this Policy.
SECTION 6: RIGHTS OF STUDENTS, PARENTS, AND INSTITUTIONS
6.1 Purpose of this Section
This section outlines the legal rights of students, parents or legal guardians, and educational institutions with respect to the data that UPI Study collects, stores, and processes. These rights are guaranteed under U.S. federal law (including FERPA and COPPA), state laws such as New York Education Law §2-d, and international frameworks such as the GDPR.
UPI Study recognizes that data privacy is not only a legal requirement but also an ethical obligation. We ensure that all data subjects—whether minors, adults, or institutions—can access, correct, control, and monitor how their data is used within our systems.
6.2 Rights of Students and Parents Under FERPA
Under the Family Educational Rights and Privacy Act (FERPA), students and their parents or legal guardians are granted specific rights regarding education records maintained by schools or educational service providers such as UPI Study (acting as a school official under contract).
➤ For Students under 18:
Parents or legal guardians have the following rights:
- Right to Access: Request access to inspect and review the student’s education records held by UPI Study.
- Right to Amendment: Request correction or amendment of records that are inaccurate, misleading, or violate the student’s privacy.
- Right to Control Disclosure: Provide or deny consent for the disclosure of personally identifiable information (PII) from education records, unless a FERPA exception applies (e.g., disclosure to school officials or under court order).
- Right to File Complaints: File a complaint with the U.S. Department of Education regarding violations of FERPA.
➤ For Eligible Students (18+ or in postsecondary education):
All FERPA rights transfer from the parent to the student. UPI Study enables eligible students to independently request:
- Access to academic and credentialing records
- Corrections to data
- Restrictions on disclosures
FERPA requests may be submitted to:
📧 [email protected]
Subject: “FERPA Rights Request – [Student Full Name]”
UPI Study responds to verified FERPA rights requests within 30 calendar days, in accordance with 34 CFR §99.10.
6.3 Parental Rights Under COPPA (for Children Under 13)
When UPI Study collects data from a child under the age of 13 outside of a school-initiated setting, the parent has the following rights under COPPA:
- Right to Review the data collected from their child
- Right to Revoke Consent and terminate further data collection
- Right to Delete their child’s personal data
- Right to Receive Notice of the type, purpose, and use of the collected data
UPI Study retains documentation of all parental consents or school authorizations under the FTC's “school exception”, as described in Section 4.3.
Requests related to under-13 users can be submitted to:
📧 [email protected]
Subject: “COPPA Request – [Child’s Name]”
6.4 Parent and Student Rights Under New York Education Law §2-d
For students enrolled in New York public schools, UPI Study fully complies with Education Law §2-d, which guarantees:
- Right to be Notified of Unauthorized Data Disclosure: UPI Study must notify parents, eligible students, and the institution within 7 business days of a confirmed breach involving PII.
- Right to Access the Parents’ Bill of Rights: Parents can review the UPI Study Parents’ Bill of Rights for Data Privacy and Security, which is publicly available and incorporated into this policy as Appendix A.
- Right to Audit Logs and Data Usage: School districts and parents have the right to request information about:
  - What data is collected
  - How long it is stored
  - Which vendors have access
  - How breaches are handled
- Right to File a Complaint with NYSED
6.5 Rights Under the California Consumer Privacy Act (CCPA/CPRA)
For students or users residing in California, UPI Study honors the rights granted under the CCPA and its amendment, the CPRA, including:
- Right to Know what categories of personal data are collected and shared
- Right to Access their personal data in portable format
- Right to Request Deletion of personal data, unless an exemption applies
- Right to Opt Out of data sales (UPI Study does not sell data)
- Right to Non-Discrimination for exercising any privacy rights
CCPA requests may be submitted to:
📧 [email protected]
Subject: “CCPA Rights Request – [Full Name]”
Requests are processed within 45 days, extendable to 90 days with notice.
6.6 Data Subject Rights Under GDPR (EU Users)
For any student, parent, or institutional user located in the European Union (EU) or European Economic Area (EEA), UPI Study complies with the General Data Protection Regulation (GDPR). The following rights apply:
- Right of Access – Obtain a copy of personal data
- Right of Rectification – Correct inaccuracies
- Right to Erasure – Request deletion of data (“right to be forgotten”)
- Right to Restriction of Processing – Limit how data is used
- Right to Object – Withdraw consent or object to certain processing
- Right to Data Portability – Receive data in machine-readable format
- Right to Lodge a Complaint – Contact your national Data Protection Authority
All international data transfers to the U.S. are protected through Standard Contractual Clauses (SCCs) and encryption protocols.
GDPR rights requests may be submitted to:
📧 [email protected]
Subject: “GDPR Request – [Name]”
UPI Study responds to GDPR requests within 30 calendar days, extendable to 60 days in complex cases.
6.7 Institutional Rights (Districts and Postsecondary Partners)
Institutions (school districts, universities, or agencies) that contract with UPI Study are granted the following rights:
- Right to Conduct an Audit: Request full data inventory, vendor registry, audit logs, and retention policies for their own students.
- Right to Access DPIAs (Data Protection Impact Assessments): Request security and risk assessments where required under state or federal law.
- Right to Request Data Destruction or Transfer: Upon termination of services or at the end of retention periods, institutions may require that student data be returned or securely destroyed.
- Right to Designate an Authorized Representative: Districts may assign an internal IT officer or compliance officer to manage audits and privacy oversight.
Requests from institutional officials must be submitted on letterhead or official email to:
[email protected]
Subject: “Institutional Rights Request – [Institution Name]”
6.8 How to Submit a Rights Request
All rights requests should be submitted in writing with:
- Your full name and contact information
- Description of the data or record involved
- The nature of your request (access, correction, deletion, restriction, etc.)
- If applicable, proof of identity or authorization (e.g., if submitted on behalf of a minor)
Email all requests to: [email protected]
SECTION 7: VENDOR AND SUBCONTRACTOR MANAGEMENT
7.1 Purpose of this Section
UPI Study relies on select third-party vendors and subcontractors to support its infrastructure, deliver educational content, manage communications, and provide secure data storage. However, student data privacy and regulatory compliance cannot be delegated—UPI Study remains fully responsible for all vendor activity involving Personally Identifiable Information (PII) or Education Records.
This section outlines UPI Study’s third-party management framework, including vendor selection, contracting, oversight, and termination. It complies with:
- FERPA, which requires educational records to be protected even when shared with contractors
- New York Education Law §2-d, which mandates vendor vetting, breach protocols, encryption, and audit rights
- COPPA, CCPA/CPRA, and GDPR, which impose obligations on data processors and service providers
7.2 Definition of Third-Party Vendor or Contractor
A third-party vendor (also referred to as a “subcontractor,” “processor,” or “service provider”) is any entity not owned or directly controlled by UPI Study that:
- Receives access to user data
- Hosts or processes platform infrastructure
- Delivers services integral to UPI Study operations
- Supports analytics, communications, or customer service systems
Examples include:
- Cloud hosting providers (e.g., Thinkific)
- Help desk software (e.g., Intercom)
- Payment processors (e.g., Stripe, PayPal)
- Email and messaging platforms (e.g., Twilio)
- Learning tools integrated via API or LTI (e.g., proctoring tools, assessment platforms)
7.3 Vendor Selection and Vetting Process
All vendors must undergo a pre-contract due diligence review, which includes:
Security Review
- Review of vendor’s SOC 2, ISO 27001, or FedRAMP certifications
- Confirmation of end-to-end encryption for data in transit and at rest
- Review of vendor’s internal access controls and breach response practices
- Identification of physical hosting region (must be U.S.-based unless covered by SCCs for international transfer)
Legal and Compliance Review
- Assessment of whether the vendor can comply with:
  - FERPA
  - COPPA
  - NY Ed Law §2-d
  - CCPA/CPRA
  - GDPR (if international data is processed)
- Confirmation that vendor does not retain, repurpose, or monetize data
Contractual Review
- All vendors must sign a Data Processing Agreement (DPA) or equivalent addendum containing:
  - Prohibitions on data resale, secondary use, or advertising
  - Encryption and security requirements
  - Breach notification obligations
  - Return or destruction of data upon termination
  - NY Ed Law §2-d terms (if vendor will serve New York districts)
Only vendors that pass this multi-layer review and agree to the contract terms are permitted to access or process user data.
7.4 Ongoing Oversight and Compliance
Vendor performance and compliance are continuously monitored through:
Annual Reviews
- Each active vendor is reassessed at least once per year
- Vendors must submit updated audit reports or third-party certifications
- Any changes to services, infrastructure, or sub-processors are reviewed for privacy risk
Access Control
- Vendors are given least-privilege access—only the minimum data necessary to perform their services
- All vendor access is logged and auditable
- Vendors must maintain an access log for six (6) years, in compliance with NY §2-d
Incident Reporting
- Vendors must notify UPI Study of any suspected or confirmed data breach within 72 hours (24 hours for New York districts)
- Incident response plans must include:
  - Timeline of the incident
  - Types of data affected
  - Remediation steps
  - Notification templates (if applicable)
UPI Study reports any vendor-related incidents to affected institutions and users, and maintains breach logs as outlined in Section 11 of this policy.
7.5 Vendor Data Usage Restrictions
Vendors may not:
- Retain data after the service agreement ends
- Use data for unrelated or proprietary purposes
- Share data with downstream sub-processors without UPI Study’s prior written consent
- Combine educational data with unrelated datasets
- Use data for behavioral profiling, advertising, or commercial gain
These restrictions are enforceable contractual obligations, and any vendor found in violation will be immediately terminated and reported to affected institutions and regulators.
7.6 New York Education Law §2-d Requirements
Vendors that interact with any New York K–12 student data must:
- Sign a DPA incorporating the Supplemental Information Addendum
- Retain access and breach logs for a minimum of 6 years
- Use encryption protocols meeting NIST 800-53 standards
- Submit to district or NYSED audits upon request
- Comply with the Parents’ Bill of Rights and support institutional compliance with §2-d(5)
UPI Study maintains a Vendor Compliance Register for all contractors supporting New York institutions, which can be requested by any district IT administrator.
7.7 Termination and Data Return/Destruction
At the conclusion of a vendor relationship, UPI Study requires:
- Confirmation that all data has been returned to UPI Study in a usable format
- Secure deletion of all hosted data by the vendor (with certification)
- Removal of all authorized user access and API credentials
- Retention of log data only if required by contract or law
Vendors may not retain any derivative works, aggregated data, or backups unless:
- They are irreversibly de-identified, and
- Their continued use has been approved in writing by UPI Study
7.8 Vendor Transparency for Institutions
Upon request, institutions may receive:
- A complete list of current third-party vendors
- Copies of signed DPAs
- Security certifications (e.g., SOC 2, ISO 27001)
- Summary of access roles and data categories handled
- Evidence of last vendor audit or review
Requests should be sent to:
📧 [email protected]
Subject: “Vendor List Request – [District/Institution Name]”
SECTION 8: CONSENT AND DATA HANDLING FOR MINORS (COPPA COMPLIANCE)
8.1 Purpose of this Section
This section explains how UPI Study complies with laws and regulations governing the collection and use of data from minors, particularly children under the age of 13. These rules are governed primarily by the Children’s Online Privacy Protection Act (COPPA) for U.S.-based students, and supplemented by FERPA, New York Education Law §2-d, and institutional contract terms.
UPI Study serves both adult learners and minor students, including those in elementary, middle, and high school settings. Given the sensitive nature of children’s personal information, UPI Study applies heightened data privacy, security, and consent protocols for all minor users.
8.2 Scope of Application
This section applies to:
- All students under the age of 18, with special obligations for those under 13
- Services accessed by minors through:
  - District-paid access links
  - School-approved class rosters
  - Manually created student accounts by teachers or administrators
  - Direct enrollment by parents or guardians
UPI Study determines the applicable consent model based on how the student was enrolled or granted access, as this governs whether school authorization or verifiable parental consent is required.
8.3 COPPA and the School Exception
The Children’s Online Privacy Protection Act (COPPA) requires verifiable parental consent before collecting personal data from children under 13. However, under official guidance from the Federal Trade Commission (FTC), schools may authorize a student’s use of online educational services in place of the parent—known as the “school exception.”
UPI Study relies on this school exception when:
- Access to UPI Study is initiated by a district, school, or teacher, and
- The student uses a district-issued registration link, class code, or roster enrollment, and
- Data collected is used solely for educational purposes, not for marketing, profiling, or resale
UPI Study does not rely on the school exception when:
- A parent or guardian initiates account creation outside of an educational institution
- A student signs up directly without an institution's authorization
8.4 When Parental Consent is Required
If a student under 13 attempts to access UPI Study outside of a school-managed enrollment channel, the platform:
- Presents a COPPA-compliant parental notice, outlining:
  - What data will be collected
  - How it will be used
  - Whether it will be shared with third parties (it is not)
  - The parent’s rights to review, delete, or restrict use
- Requests verifiable parental consent through one of the following FTC-approved methods:
  - Signed digital consent form
  - Confirmation email plus follow-up validation
  - Parent entry of payment information (used solely for verification)
  - Video conference or ID upload, if required
- Blocks access until consent is verified
- Logs consent for audit and regulatory compliance
- Allows parents to revoke consent at any time
If consent is revoked, UPI Study immediately deletes the child’s personal information from its active systems and notifies the parent of completion.
8.5 Types of Data Collected from Children
Whether via school authorization or parental consent, UPI Study may collect the following limited, educational-purpose-only data from students under 13:
- Full name
- Date of birth (for grade level placement and transcript accuracy)
- School name or college name
- Assigned coursework and progress status
- Academic feedback and grades
- IP address and device ID (used strictly for login security)
UPI Study does not collect:
- Social Security Numbers
- Home addresses
- Behavioral tracking data
- Health information
- Unnecessary demographic details
8.6 Internal Safeguards for Minor Data
UPI Study applies enhanced privacy and access restrictions for all minor data, regardless of the source:
- Encryption: All minor data is encrypted using AES-256 at rest and TLS 1.2+ in transit
- Role-Based Access: Only authorized staff with explicit training in FERPA/COPPA may view minor data
- Access Logging: All system access to under-13 data is logged for 6 years
- No Advertising or Profiling: No behavioral analytics, ad targeting, or third-party cookies are allowed on accounts tied to children
8.7 Parental Rights and Data Requests
Parents and legal guardians of students under 13 (or under 18 in K–12 settings) may exercise the following rights at any time:
- Review the child’s data UPI Study has collected
- Request corrections if the data is inaccurate
- Withdraw consent and delete the child’s data
- Request a full audit log of how the child’s data has been accessed or shared
Requests can be submitted to:
📧 [email protected]
Subject: “Parental Rights Request – [Child’s Full Name]”
UPI Study will process all valid requests within 30 days and notify the parent of the outcome.
8.8 Institutional Responsibilities and Oversight
When schools authorize access for minors under the school exception:
- UPI Study confirms that the district has entered into a binding Data Processing Agreement (DPA)
- UPI Study ensures that the institution has access to:
  - This Privacy Policy
  - The Parents’ Bill of Rights for Data Privacy and Security
  - Vendor lists, audit logs, and retention policies upon request
Schools using UPI Study with students under 13 are advised to:
- Notify parents that UPI Study is being used for educational purposes
- Offer parents the opportunity to opt out or review student information upon request
- Monitor student usage to ensure compliance with institutional policies
8.9 Special Notes on High School Students
Although COPPA applies to children under 13, UPI Study applies FERPA-compliant safeguards to all high school students, even those over 13 but under 18. This includes:
- Preventing disclosure of educational records without consent
- Granting parents full access rights unless the student is an "eligible student" (typically at age 18 or in postsecondary education)
- Honoring opt-out requests regarding directory information or transcript sharing
8.10 Retention of Consent and Authorization Records
All consent forms, institutional authorization logs, and parent communications are retained securely for:
- Six (6) years from the date of account creation or last login
- Or as otherwise required by institutional contract, state law, or legal hold
These records are available for review during audits, dispute resolution, or regulatory investigations.
SECTION 9: ACCESS, CORRECTION, AND DELETION PROCEDURES
9.1 Purpose of this Section
This section defines the processes through which students, parents, and authorized institutional representatives may request access to, correct, or delete data held by UPI Study. These rights stem from various privacy laws, including:
- FERPA (20 U.S.C. §1232g)
- New York Education Law §2-d
- COPPA (15 U.S.C. §6501 et seq.)
- CCPA/CPRA (Cal. Civ. Code §1798.100 et seq.)
- GDPR (Regulation (EU) 2016/679)
UPI Study recognizes that individuals have both legal rights and practical interests in controlling their own data, especially in educational contexts where records can impact academic outcomes, transcript accuracy, and institutional obligations.
9.2 Who May Submit a Request
UPI Study accepts rights requests from the following verified parties:
- Students 18 years or older (“Eligible Students” under FERPA)
- Parents or legal guardians of students under 18 (under FERPA), or under 13 (under COPPA)
- Authorized school officials or institutional representatives (e.g., registrars, IT admins, legal counsel)
- Data subjects located in the EU/EEA under GDPR
- California residents under CCPA/CPRA
Requests may be made directly to UPI Study via email or secure web form.
9.3 Right of Access
All qualified requestors may request access to any personal data or education records maintained by UPI Study. This includes:
- Account information
- Course participation history
- Grades and assessments
- Transcripts or credential records
- Communications sent or received within the platform
- Technical logs related to account access
Submission Process:
To submit an access request:
- Email 📧 [email protected]
- Use subject line: “Access Request – [Full Name or Student ID]”
- Include: full name, date of birth, email associated with the account, and relationship to the student (if applicable)
Verification:
To protect privacy, UPI Study will:
- Verify the identity of the requester (using ID, institutional email, or knowledge-based verification)
- Request additional authorization if the requester is a parent or institutional representative
Response Time:
- FERPA: 45 calendar days (UPI Study commits to 30 days whenever possible)
- GDPR: 30 days (extendable by 60 more in complex cases)
- CCPA: 45 days, extendable by 45 more with notice
9.4 Right to Correction (Rectification)
If the requester believes any personal or academic data held by UPI Study is inaccurate, misleading, or incomplete, they may submit a correction request. Examples include:
- Incorrect name spelling
- Mistaken grade reporting
- Duplicate or missing course records
- Erroneous demographic information
UPI Study will:
- Review the correction request
- Validate the original record (including cross-check with the institution, if applicable)
- Update the record if the request is verified and legitimate
- Notify the requester of the outcome
- Offer a hearing or dispute resolution process if the correction is denied, as required under FERPA (34 CFR §99.21)
Correction requests are typically resolved within 30 calendar days.
9.5 Right to Deletion (Erasure)
UPI Study honors deletion requests when:
- The data subject has withdrawn consent (for consent-based data)
- The record is no longer required for contractual or legal purposes
- There is no overriding institutional or legal obligation to retain the data
Deletion Scenarios:
- Parent revokes COPPA consent
- A GDPR data subject exercises the “right to be forgotten”
- A CCPA-covered user requests account deletion
- A student withdraws from a course before participation begins
Legal Limitations:
UPI Study may deny or delay deletion when:
- The data is part of an official education record required for transcripts or transfer
- The institution is still using the data for accreditation, reporting, or audit
- The data must be retained under a state or federal law (e.g., IRS retention, §2-d archival mandate)
- Deletion would compromise the integrity of a legal proceeding or open investigation
When deletion is legally or contractually prohibited, UPI Study will:
- Inform the requester in writing
- Retain the record only for the legally required period
- Limit all further use to those legal or institutional purposes only
9.6 Deletion Methodology
When deletion is approved, UPI Study uses NIST 800-88 compliant data sanitization protocols:
- Digital data: Secure overwrite and cryptographic erasure
- Backups: Flagged for destruction at the next scheduled purge window
- Vendor systems: Notified of deletion and required to confirm wipe within 10 days
- Audit logs: Retained for legal documentation and accountability
Confirmation of deletion is sent to the requester once complete.
9.7 Parental Requests for Under-13 Users (COPPA)
Parents of users under 13 may request:
- Full review of data collected
- Correction of inaccurate data
- Complete deletion of their child’s information
- Restriction of further data use
These rights are supported under COPPA and are treated as priority requests. Upon verified parental request, the child’s account may be:
- Deactivated
- Flagged for secure deletion
- Archived with restricted access (only if legally required)
COPPA-based requests are prioritized and completed within 14 calendar days.
9.8 Institutional Requests
Authorized school or institutional officials may submit:
- Bulk record access requests (e.g., for audits)
- Student transcript corrections
- Retention review or destruction logs
- Confirmation of compliance with §2-d or other state laws
Such requests must:
- Be submitted from an official domain (e.g., .edu, .k12.ny.us)
- Include role/title, authority to act, and subject of the request
- Be accompanied by a signed FERPA acknowledgment if accessing multiple records
Submit to:
[email protected]
Subject: “Institutional Record Request – [School/District Name]”
9.9 Rights Denial and Dispute Resolution
If UPI Study denies an access, correction, or deletion request, the requester will receive:
- A written explanation of the basis for denial
- A description of any alternative recourse (e.g., FERPA hearing)
- A method to appeal or request further review
UPI Study is committed to fair and transparent dispute resolution in all jurisdictions.
9.10 Recordkeeping and Audit Trail
All rights requests—granted, denied, or pending—are:
- Logged in UPI Study’s Rights Request Registry
- Associated with time/date stamps and handling personnel
- Retained for a minimum of 6 years, in compliance with:
  - NY Ed Law §2-d
  - FERPA
  - Institutional contract requirements
These logs are available for audit by the institution or state regulators upon request.
SECTION 10: DATA SECURITY STANDARDS
10.1 Purpose and Security Governance
The purpose of this section is to document UPI Study’s complete approach to data security, including the technical, procedural, and administrative safeguards we maintain to protect Personally Identifiable Information (PII), education records, and institutional data under the control of UPI Study.
This section is structured to align with:
- FERPA security provisions (34 CFR §99.31)
- New York Education Law §2-d(5) and 8 NYCRR Part 121
- COPPA child data handling mandates
- CCPA/CPRA and GDPR security obligations (Articles 32–36)
- NIST Special Publications 800-53, 800-171, and 800-88
10.2 Leadership and Policy Enforcement
UPI Study operates under a formalized Information Security Management System (ISMS) governed by the following roles:
- Chief Information Security Officer (CISO): Oversees technical security operations, penetration testing, and vulnerability remediation.
- Data Protection Officer (DPO): Ensures all data processing complies with applicable privacy laws and institutional contracts.
- Security Review Board (SRB): Cross-functional governance body that evaluates threats, approves mitigation plans, and reports to executive leadership quarterly.
All security-related policies are reviewed annually, or when there is a legal, technical, or operational trigger (e.g., new product launch, legal requirement, breach event).
10.3 Hosting and Infrastructure Security
UPI Study operates exclusively on Google Cloud Platform (GCP), hosted in U.S. data centers certified under:
- SOC 2 Type II
- ISO/IEC 27001, 27017, and 27018
- FedRAMP Moderate (for eligible deployments)
Data Isolation:
- Each school, district, or institution is assigned a logically segregated tenant environment.
- Data is containerized at the database and object level, with keyed references that prevent cross-tenant access.
- No shared table access or multi-tenant co-location for education records is permitted without hashed pseudonymization.
10.4 Encryption Framework
Encryption At Rest
- Advanced Encryption Standard (AES) 256-bit is applied to all databases, backups, log files, and cached content.
- Keys are managed using Google Cloud Key Management Service (KMS).
- Key rotation occurs automatically every 90 days or upon an operational event (e.g., staff separation).
Encryption In Transit
- TLS 1.2 minimum across all endpoints
- TLS 1.3 enabled where supported
- HTTPS enforced using HSTS and Perfect Forward Secrecy (PFS)
- All API traffic between microservices is encrypted using mutual TLS (mTLS)
Encryption of Backups
- All snapshots and backups are AES-256 encrypted and redundantly stored across U.S. availability zones
- Backups are immutable for 7 days and can be restored within 30 minutes to a cold system if needed
10.5 Identity and Access Management (IAM)
Authentication
- All employees and vendors must use Multi-Factor Authentication (MFA)
- Authentication tokens are rotated every 24 hours
- OAuth 2.0 and SAML SSO integrations are supported for institutional partners
- Passwords are never stored in plaintext; they are salted and hashed using bcrypt (cost factor 12+)
Authorization
- UPI Study enforces Role-Based Access Control (RBAC) under the principle of least privilege
- Internal roles include: Admin (Read/Write), Support (Read Only), Engineer (Access Scoped)
- Privileged access is reviewed quarterly and automatically revoked upon role change or inactivity
Audit Logging
- All access to PII or Education Records is logged, timestamped, and retained for six (6) years
- Logs include: user ID, device fingerprint, action performed, object accessed, IP address
- Logs are available for inspection by districts or state regulators upon request
10.6 Network, Perimeter & Infrastructure Security
Firewall and Perimeter Controls
- Network segmentation enforced using Virtual Private Cloud (VPC) architecture
- Web Application Firewall (WAF) blocks common injection, XSS, CSRF, and path traversal attacks
- All endpoints are scanned using OWASP ZAP and Burp Suite Pro
Threat Detection
- SIEM integration provides real-time analysis and anomaly detection
- Alerts are generated for failed login attempts, IP blacklists, or geo-fencing violations
- 24/7 monitoring is conducted using both cloud-native and third-party tools
10.7 Secure Software Development Lifecycle (SSDLC)
UPI Study enforces secure-by-design development practices across its engineering teams.
Key Components:
- Static Code Analysis (SAST) via SonarQube and GitHub CodeQL
- Dynamic Testing (DAST) of all deployments in staging
- Dependency vulnerability scanning via Snyk and npm audit
- Manual peer review of pull requests touching security-sensitive code
- Test coverage >90% enforced on all releases
All production deployments go through a formal change approval and rollback readiness review.
10.8 Endpoint and Device Security
- Employee laptops must use full-disk encryption with BitLocker (Windows) or FileVault (macOS)
- All devices must have antivirus, firewall, and endpoint detection/response (EDR) installed
- Remote wipe enabled via mobile device management (MDM)
- No education records or PII may be stored locally or offline
- Contractors and vendors may only access UPI Study via controlled VDI or jump-box environments
10.9 Personnel and Training Controls
🧠 Training and Certification
- All employees complete onboarding training in:
  - FERPA
  - NY Education Law §2-d
  - GDPR and CCPA awareness
- Annual refresher training is mandatory for continued access
- Engineers must pass internal Secure Code Certification before working on production components
📄 Confidentiality Agreements
- All staff sign binding Confidentiality and Acceptable Use Agreements (CAUA)
- NDA terms extend post-employment for a minimum of 3 years
- Policy violations may result in immediate termination and legal action
10.10 Incident Response & Forensics
UPI Study maintains a detailed Incident Response Plan (IRP) that includes:
Phase | Activities |
Detection | Monitoring systems detect anomalous behavior (e.g., unusual API calls, access spikes) |
Analysis | Security team reviews logs, correlates sources, and validates authenticity |
Containment | Immediate lockdown of affected systems, credential resets, and segmentation |
Notification | Internal and external alerts to stakeholders and regulators initiated per policy timeline |
Eradication | Vulnerability remediated, patches deployed, and unauthorized agents removed |
Recovery | Services restored with post-incident scans and environment hardening |
Postmortem | Executive and legal review, root cause analysis, and process improvement logged |
Breach Notification Timeline
- Within 7 business days to affected users, per NY Ed Law §2-d(6)(d)
- Within 24 hours to NY school districts and institutions
- Includes: breach date, data types, number of records, mitigation, and future prevention
10.11 Risk Management and Testing
- Annual third-party penetration testing by CREST-certified vendor
- Quarterly internal risk assessment using NIST 800-30 framework
- Remediation tracked in internal risk register and reviewed by executive security board
- All findings resolved within:
  - 7 days for critical
  - 30 days for high
  - 90 days for moderate
  - 180 days for low-priority items
10.12 Business Continuity and Disaster Recovery
UPI Study maintains a Disaster Recovery Plan (DRP) that ensures availability during adverse events.
Metric | Target |
RTO (Recovery Time) | < 24 hours |
RPO (Recovery Point) | < 15 minutes |
Data Backup Frequency | Continuous + Daily Snapshot |
Geo-Redundancy | East + West Coast U.S. Zones |
Testing Frequency | Biannual (semi-automated drills) |
All institutional records, including grades and transcripts, are backed up in immutable storage tiers and can be recovered to a last known-good state on request.
10.13 Third-Party and Vendor Security
UPI Study’s vendor agreements enforce the following:
- SOC 2 or equivalent certification
- Signed Data Processing Agreements (DPAs)
- Breach reporting within 72 hours
- No subcontracting without written permission
- Right to audit granted to UPI Study and its clients
All vendor security audits are tracked under Section 7 of this policy.
10.14 District and Regulatory Audit Readiness
School districts, higher education institutions, and regulators (e.g., NYSED, CDE) may request:
- Encryption documentation
- Access logs
- Penetration test summaries
- Audit logs (6+ years)
- Risk assessments and remediation logs
- Subprocessor inventories
- Records of employee privacy training
Requests may be submitted to: [email protected]
Subject: “Security Audit Access – [Institution Name]”
SECTION 11: DATA BREACH NOTIFICATION AND RESPONSE
11.1 Purpose of This Section
This section outlines UPI Study’s structured process for detecting, investigating, documenting, reporting, and remediating data breaches or suspected security incidents. These procedures are designed to comply with the most stringent requirements under:
- New York Education Law §2-d(6) and 8 NYCRR Part 121
- FERPA (34 CFR §99.63)
- COPPA (FTC enforcement guidance)
- California Civil Code §1798.82 (CCPA/CPRA breach notice)
- GDPR Articles 33–34 (EU breach obligations)
- NIST SP 800-61r2 (Computer Security Incident Handling Guide)
UPI Study’s approach centers on minimizing harm, transparency to affected parties, and continuous risk mitigation.
11.2 What Qualifies as a Breach
A data breach is defined as:
“The unauthorized acquisition, access, use, or disclosure of PII or Education Records maintained or processed by UPI Study, whether intentional or accidental, that compromises the security, confidentiality, or integrity of that data.”
This includes, but is not limited to:
- System intrusion or compromise by unauthorized individuals
- Exposure of data due to insecure APIs or misconfigured servers
- Emailing or transmitting PII to the wrong recipient
- Lost or stolen devices containing unencrypted data
- Unauthorized access by staff or third-party vendors
- Ransomware attacks that encrypt or exfiltrate student data
Near misses or suspicious behaviors are also tracked as security events subject to internal review.
11.3 Breach Response Team
UPI Study maintains a standing Incident Response Team (IRT) composed of:
Role | Responsibility |
Chief Information Security Officer (CISO) | Leads investigation, containment, and technical remediation |
Data Protection Officer (DPO) | Manages legal obligations, notifications, and reporting |
Legal Counsel | Reviews disclosure obligations, contract triggers, and liability assessments |
Communications Officer | Prepares affected user notifications and institutional briefings |
Executive Sponsor | Approves escalation actions and coordinates with regulators or institutional execs |
11.4 Detection and Initial Containment
Monitoring Systems
UPI Study uses layered detection tools, including:
- Host-based intrusion detection (HIDS)
- Network traffic anomaly detection (NIDS)
- Login behavior analytics
- API rate monitoring
- File access change tracking (FIM)
All events are logged and correlated using a Security Information and Event Management (SIEM) platform.
Initial Containment Measures
If an event is escalated to an incident, the IRT:
- Freezes affected user or administrator accounts
- Isolates compromised systems or databases
- Revokes API keys or third-party credentials
- Preserves forensic evidence for investigation
11.5 Investigation and Risk Classification
Each incident is assessed and classified by severity:
Level | Impact | Examples |
Level 1 | No confirmed breach; contained anomaly | Failed login attempts, scanning, low-sensitivity data |
Level 2 | Confirmed breach of limited scope | Single user record exposed due to misdelivery |
Level 3 | High-risk breach involving multiple users or PII | System intrusion, ransomware, unauthorized exfiltration |
The IRT performs a full forensic investigation to determine:
- Date, time, and method of breach
- Scope and type of data affected
- Attack vectors and vulnerabilities exploited
- Duration of unauthorized access
- Logs, audit trails, and impacted infrastructure
- Legal obligations under contracts and statutes
11.6 Breach Notification Protocol
UPI Study adheres to strict timeframes for breach notifications:
Jurisdiction / Law | Notification Deadline |
New York Ed Law §2-d(6)(d) | Within 7 business days to institution & affected individuals |
FERPA (34 CFR §99.63) | Without unreasonable delay |
CCPA (Cal. Civ. Code §1798.82) | In the most expedient time possible |
GDPR (Art. 33) | Within 72 hours to Data Protection Authority |
Institutional Contracts | As specified, often 24–72 hours |
Notification Content Includes:
- Summary of the incident
- Data elements involved (e.g., names, grades, transcripts, identifiers)
- Date(s) of unauthorized access or exposure
- Steps taken to contain and remediate the breach
- What affected individuals can do to protect themselves
- Contact information for further assistance
- Links to credit monitoring or protection services (if applicable)
Notification Methods:
- Direct email to affected users or parents
- Dashboard alert inside institutional admin portals
- Public posting if required (e.g., >500 CA residents under CCPA)
- Written letters for students lacking digital contact records
All breach notifications are documented and timestamped, and retained for six (6) years for audit purposes.
11.7 Institutional Notification and Coordination
For school districts, postsecondary institutions, or state education departments, UPI Study provides:
- Preliminary report within 24 hours of a confirmed breach
- Final incident report within 5 business days, including:
  - Scope and data types
  - Affected populations (e.g., “9th-grade students at [District]”)
  - Root cause analysis
  - Recovery and remediation plan
  - Vendor involvement (if applicable)
UPI Study also:
- Offers to assist with state-level reporting (e.g., NYSED)
- Participates in joint response communications, if coordinated by the district
- Provides institutions with post-breach audit logs, security improvements, and attestations
11.8 Remediation and Long-Term Corrective Action
Post-incident, UPI Study takes the following corrective measures:
- Patching of exploited vulnerabilities
- Review and tightening of IAM policies
- Additional encryption or tokenization of affected data paths
- Revision of monitoring or alert thresholds
- Employee or vendor retraining
- Mandatory security reviews for future projects
Corrective actions are documented in an Incident Review Report, and reviewed by the Security Review Board (SRB) for approval and closure.
11.9 Vendor or Sub-processor Breach
If a breach originates with a third-party vendor or sub-processor:
- UPI Study immediately enforces contractual breach notification timelines (usually 24–72 hours)
- Affected institutions are notified as if UPI Study were the primary controller
- A joint investigation and breach report is prepared
- The vendor may be suspended, remediated, or terminated based on:
  - Negligence
  - Lack of proper security controls
  - Breach handling performance
Vendors are contractually required to retain access and breach logs for a minimum of 6 years under §2-d and GDPR Art. 30.
11.10 User Resources and Mitigation Options
For affected students, parents, and institutions, UPI Study provides:
- Credit monitoring services (if sensitive identifiers were exposed)
- Password and account reset tools
- In-platform support for reviewing affected records
- Direct escalation line to the Privacy Office
- Optional one-on-one support for remediation steps
Affected users are encouraged to:
- Change passwords immediately
- Monitor academic records for inconsistencies
- Contact UPI Study or their school/district if suspicious activity is noticed
11.11 Breach Documentation and Retention
All breach events—confirmed, suspected, or near miss—are documented in the Security Incident Log, which includes:
- Initial detection
- Triage and classification
- Timeline of actions taken
- Communications sent
- Institutional contact logs
- Remediation actions completed
These records are:
- Retained for six (6) years
- Available for regulatory or district audits upon request
- Subject to internal quarterly breach review and trend analysis
SECTION 12: RECORD RETENTION AND DESTRUCTION POLICY
12.1 Purpose of this Section
This section outlines UPI Study’s data retention, archival, and destruction policies for all student, parent, institution, and system records. The procedures described herein are intended to:
- Ensure compliance with applicable legal requirements, including:
  - FERPA (Family Educational Rights and Privacy Act)
  - New York Education Law §2-d
  - COPPA (Children’s Online Privacy Protection Act)
  - CCPA/CPRA (California Consumer Privacy Act and its amendments)
  - GDPR (General Data Protection Regulation)
- Comply with institutional contract provisions and accreditation standards (e.g., NCCRS, ACE)
- Provide appropriate historical documentation for audit, dispute resolution, accreditation, and educational continuity
These policies apply to both production data and archived records, regardless of storage format, location, or source of collection.
12.2 General Retention Principles
UPI Study adheres to the following foundational principles:
- Purpose-driven Retention: Data is retained only for the minimum duration necessary to fulfill contractual, legal, accreditation, or regulatory obligations.
- Record Type Differentiation: Different categories of data are subject to different retention periods based on legal classifications (e.g., Education Record vs. Technical Metadata).
- Defined Retention Schedules: Retention schedules are documented, consistently applied, and reviewed annually by the Data Protection Officer and Legal Counsel.
- Legal Holds Override Default Retention: Any data subject to litigation, investigation, or regulatory review is preserved beyond its normal retention schedule until formally released.
12.3 Standard Data Retention Schedule
The following retention periods apply unless otherwise agreed to by institutional contract or mandated by law:
Data Category | Examples | Minimum Retention Period | Justification / Source |
Education Records | Transcripts, grades, credits earned, attendance, credentials | 10 years from last student activity | FERPA, NCCRS, ACE, state audits |
Student PII (Account Info) | Name, DOB, email, contact number | 7 years from account closure | FERPA, institutional access policies |
Parental Consent / School Authorization | Consent forms, authorization logs, timestamps | 6 years | COPPA, NY Ed Law §2-d(5)(b)(4), FTC School Exception Guidance |
Audit Logs (Data Access) | Logins, file views, permissions changes | 6 years | NY Ed Law §2-d(5)(b)(5), GDPR Art. 30 |
Support Communications | Emails, tickets, chats, instructor messages | 3 years | FERPA case reference retention |
Technical Metadata | IP address, device info, session tokens | 1 year | Security logging best practice (NIST 800-92) |
User Cookies & Preferences | Language, time zone, accessibility settings | Session-only or max 1 year | CCPA/CPRA, GDPR (consent-based) |
Backups | System-wide encrypted database snapshots | Rolling 7-day retention (immutable) | DR/BCP redundancy |
Institutional partners may request custom retention profiles via formal amendment, subject to legal review.
12.4 Special Cases and Regulatory Obligations
12.4.1 New York Education Law §2-d
Requires:
- Student PII and education records to be retained for no less than 6 years
- Audit logs to be preserved and accessible for inspection by NYSED and the contracting district
- Breach documentation logs to be retained for 6 years from the event date
UPI Study adheres to these requirements for any data received under a contract with a New York public school, BOCES, or charter school.
12.4.2 FERPA
FERPA does not impose a specific duration for education record retention, but mandates timely access, correction, and integrity. Therefore, UPI Study’s 10-year retention of academic records satisfies institutional and transcript-related obligations.
12.4.3 COPPA
COPPA requires that data collected from children under 13 be retained only as long as necessary to fulfill the educational purpose for which it was collected. Upon revocation of consent, data must be deleted without undue delay. UPI Study deletes such records within 14 calendar days unless under legal hold or institutional archive request.
12.4.4 GDPR
The GDPR (Article 5(1)(e)) mandates that data be retained no longer than necessary for the purpose for which it was collected. Data subjects also have the right to request erasure, unless overridden by contractual or legal necessity. UPI Study honors these requests unless restricted by data archiving requirements under Article 89.
12.5 Archival Procedures
Education records flagged for long-term retention are migrated to secure archival storage, which includes:
- Dedicated encrypted archival databases (AES-256)
- Restricted access to senior records custodians only
- Quarterly data integrity verification
- Retention labels and metadata indicating expiration date, legal hold status, and original source
Archived records are not actively processed but remain retrievable for audits, transcript reissues, institutional transfer, or dispute resolution.
UPI Study’s archival system complies with NIST 800-171 for controlled unclassified information and follows FERPA-compliant chain of custody procedures.
12.6 Secure Destruction Procedures
At the expiration of a record’s retention period, and provided no legal hold is in place, UPI Study performs irreversible data destruction in accordance with NIST Special Publication 800-88 (Rev. 1).
Destruction methods include:
- Digital Records: Cryptographic erasure, secure overwrite (3-pass), or deletion from encrypted volumes
- Backup Snapshots: Rotated out of retention tier and wiped from distributed object storage
- Vendor/Subprocessor Data: Vendors must certify destruction and provide logs within 10 business days
- Logs and Metadata: Expired logs are batch-purged via scheduled secure cron jobs
Each destruction event is logged in the Destruction Log Register, which records:
- Timestamp
- Administrator or automated process ID
- Record category and count
- Method used (e.g., shred, crypto wipe, API purge)
- Confirmation receipt from any third-party processor (if applicable)
12.7 Legal Hold Procedures
If a record is subject to a legal hold, whether due to litigation, government investigation, or regulatory audit, UPI Study:
- Immediately suspends deletion and purging for all related data
- Tags affected records as “Hold-Protected” in the storage layer
- Restricts access to legal, compliance, and DPO roles only
- Logs all access during the hold period
- Notifies institutional partners if the hold relates to their students or staff
Legal holds remain in place until a formal release is issued by UPI Study’s Legal Counsel, in consultation with the client or regulatory agency.
12.8 Institutional Rights and Retention Customization
School districts, postsecondary institutions, or agencies may request:
- Custom retention terms for specific record types
- Extension of data retention for accreditation or audit compliance
- Early deletion of records (e.g., under CCPA opt-out or GDPR erasure request)
- Archive access for transcript re-issuance or historical review
All such requests must be submitted in writing by an authorized institutional contact.
Requests are evaluated by the DPO and approved in accordance with contractual terms.
Submit retention-related requests to:
[email protected]
Subject: “Data Retention Policy Request – [Institution Name]”
12.9 Annual Policy Review and Change Log
UPI Study’s Data Protection Officer (DPO) and Records Management team conduct an annual review of all retention schedules, destruction protocols, and legal hold processes.
All updates are:
- Documented in the Retention and Destruction Policy Change Log
- Version-controlled and available to institutions upon request
- Reflected in updates to this Privacy Policy and applicable contractual documents
Any change that shortens or materially affects retention obligations will be:
- Pre-approved by legal counsel
- Communicated to affected institutions with 30 days' notice
SECTION 13: INTERNATIONAL DATA TRANSFERS (GDPR)
13.1 Purpose of This Section
This section explains UPI Study’s use of cookies, device identifiers, and analytic tracking technologies in its web-based and mobile environments. It defines:
- The types of technologies employed
- Their purposes and lawful bases for use
- The rights of users to consent, restrict, or disable tracking
- Compliance with privacy regulations including:
  - COPPA (for under-13 users)
  - FERPA (student record use)
  - NY Ed Law §2-d (New York public school data)
  - GDPR (consent-based tracking in the EU)
  - CCPA/CPRA (California opt-out rights)
UPI Study’s tracking policy is structured around data minimization, transparency, and opt-in by design. Under no circumstances does UPI Study engage in third-party advertising, behavioral profiling, or retargeting of students, parents, or educators.
13.2 Definitions and Scope
Cookies
Cookies are small text files placed on a user’s device by a website or application. They allow the system to recognize the user during future sessions or page views.
Tracking Pixels
Invisible images (1x1 pixels) embedded in webpages or emails, used to monitor whether a specific action occurred (e.g., page view, email open).
Device Identifiers
Unique strings (e.g., device fingerprint, browser user-agent) used to track a user session for authentication, fraud detection, or performance optimization.
Analytics Scripts
JavaScript-based tools that collect non-personal usage data for insights such as time on page, navigation paths, error rates, or video completion.
13.3 Types of Tracking Technologies Used
UPI Study uses the following categories of cookies and trackers:
Type | Purpose | Examples | Consent Required? |
Strictly Necessary | Enable platform functionality (e.g., session login, user authentication, load balancing) | session_token, csrf_protection, cookie_policy_ack | No – essential for service |
Functional | Store user preferences (e.g., language, video playback speed, accessibility modes) | user_locale, video_speed_pref, ui_mode | No – implied functional use |
Performance Analytics | Aggregate anonymous usage data to improve platform usability and performance | Google Analytics (IP anonymized), internal telemetry | Yes (if outside U.S.) or if under 18 |
Diagnostic / Debugging | Track error events or crash logs for QA and bug resolution | error_log_ref, api_debug_flag | No – contractually required support |
Consent Banner Logic | Determine if user accepted or rejected optional cookies | cookie_consent_given, gdpr_opt_in | No – functional control |
13.4 Analytics Configuration
UPI Study uses anonymized analytics via either:
- Self-hosted telemetry platforms, or
- Google Analytics configured as follows:
  - IP anonymization enabled (anonymizeIp: true)
  - No persistent identifiers stored
  - Demographics, advertising, and cross-site tracking features disabled
Analytics are used solely to:
- Understand system usage trends
- Identify underperforming content
- Measure student engagement (e.g., video completion)
- Support UI/UX improvements
- Track navigation flow to improve accessibility
No analytics data is ever:
- Shared with third parties
- Combined with PII for targeting
- Used to evaluate individual student performance or behavior
13.5 Compliance with COPPA (Under-13 Users)
For users under 13 years old (typically enrolled in elementary or middle schools):
- UPI Study disables all non-essential cookies and trackers by default
- No analytics scripts are deployed unless:
  - The school has explicitly authorized their use, and
  - All analytics are configured to exclude identifiable elements
COPPA-compliant systems automatically block:
- Google Analytics
- Cookie-based personalization
- Embedded third-party scripts (e.g., YouTube annotations, social widgets)
UPI Study uses server-side logic to tag under-13 accounts and apply restricted environments that suppress all cookie and session trackers except those essential for login and security.
13.6 GDPR and ePrivacy Compliance (EU Users)
For any user located in the European Union (EU) or European Economic Area (EEA):
- All non-essential cookies are disabled by default
- The first site visit triggers a cookie consent banner, configured in compliance with:
  - GDPR Article 6(1)(a) (consent)
  - ePrivacy Directive (2002/58/EC as amended by 2009/136/EC)
The consent interface includes:
- Clear labeling of each cookie category
- A link to this Privacy Policy
- An explicit “Accept” and “Reject” option for non-essential cookies
- Access to a cookie settings panel for granular control
Consent records are:
- Logged with timestamp, IP region, and selected options
- Retained for a minimum of 6 years under GDPR and NY §2-d audit requirements
- Available for institutional or regulatory inspection upon request
Users may withdraw consent at any time through the platform’s privacy settings panel.
13.7 CCPA / CPRA Opt-Out Mechanisms
For California residents under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- UPI Study honors the “Do Not Track” (DNT) browser signal
- Offers a “Do Not Sell or Share My Personal Information” link in the website footer
- Does not enable cross-context behavioral advertising, which would otherwise trigger opt-out obligations
All analytics and tracking are strictly limited to first-party educational purposes, and no data is:
- Monetized
- Shared with ad networks
- Retained for personalization outside the learning context
CCPA-compliant notices are presented at first login or during California-resident account creation.
13.8 Opt-Out and Control by User Type
UPI Study provides tiered cookie and tracker control based on user type:
User Type | Control Options Available |
Under 13 (COPPA) | All optional tracking blocked; parent or school authorization required |
13–17 (U.S.) | Limited analytics; can disable all non-essential cookies from settings panel |
EU / GDPR Users | Explicit opt-in required before any non-essential trackers are loaded |
Adult Users (U.S.) | Can manage cookie preferences via privacy banner or settings panel |
Institutional Admins | May configure tracker defaults for entire student cohorts at the district or class level |
All controls are accessible via account settings in the dashboard.
Changes are applied in real time and persist until revoked.
13.9 Embedded Third-Party Content
Some course modules may include content from external education providers (e.g., videos hosted on YouTube or Vimeo). In these cases:
- UPI Study wraps embedded content in a sandboxed iframe
- No cookies or scripts from the third-party provider are loaded until the user explicitly interacts with the module
- A cookie warning is shown before playback begins
- Content is tagged in advance in the course syllabus and flagged by age range, when applicable
If a course partner requires cookies for functionality, those cookies are declared in the consent prompt and blocked unless approved.
13.10 Institutional Customization and Suppression
K–12 school districts, colleges, and partner agencies may request:
- Complete suppression of all analytics and functional cookies for minor users
- Custom consent language and banner layout
- Whitelist of allowable trackers (by script origin)
- IP range-based cookie blocking (e.g., restrict tracking within school networks)
Requests must be submitted by an authorized institutional contact and are applied within 5–10 business days, pending legal review.
Submit to:
[email protected]
Subject: “Institutional Cookie Policy Request – [District/Institution Name]”
13.11 Logging, Retention, and Oversight
All cookie decisions and tracking metadata are stored securely and associated with a session ID, date/time, region, and user ID (if authenticated). These logs are:
- Retained for 6 years in compliance with NY Ed Law §2-d and GDPR Art. 30
- Stored separately from education records
- Reviewed quarterly by the Data Protection Officer and Information Security Officer
- Available upon request to institutions, regulators, or parents
UPI Study undergoes an annual privacy audit that includes a full review of cookie and tracking technology compliance.
SECTION 14: INSTITUTIONAL AUDIT READINESS
14.1 Purpose of This Section
This section provides a comprehensive summary of UPI Study’s data collection, usage, and protection practices as they pertain to children and minor students, particularly those under the age of 18, and more specifically under age 13. UPI Study is committed to complying with:
- FERPA (Family Educational Rights and Privacy Act)
- COPPA (Children’s Online Privacy Protection Act)
- New York Education Law §2-d
- Institutional privacy requirements
- Best practices on age-appropriate digital learning environments
This section consolidates, reinforces, and details the obligations already introduced in prior sections but focuses exclusively on age-based distinctions and protections.
14.2 Scope of Applicability
This section applies to:
- Students under 13 years of age
- Students between the ages of 13 and 17 (inclusive)
- Students enrolled in K–12 settings, regardless of age
- Accounts created by parents or institutions on behalf of minors
It addresses both direct interactions (e.g., student self-registration) and institution-authorized access (e.g., through a district-paid enrollment).
14.3 Legal Framework Summary
Law / Regulation | Key Obligations |
COPPA | Requires verifiable parental consent before collecting personal data from children under 13, unless access is authorized by a school under the school exception |
FERPA | Grants parents rights to access, amend, and control disclosure of education records for students under 18 (unless an “eligible student”) |
NY Ed Law §2-d | Requires secure handling, breach reporting, and parent access rights for all New York K–12 student PII |
GDPR (EU minors) | Applies age-based consent triggers depending on jurisdiction (often 13 to 16); requires enhanced transparency and protection |
14.4 Student Registration Model
UPI Study enables students to register through:
- Institution-issued invitations (district-paid or class code)
- Self-registration initiated by parents
- Direct enrollment by school personnel on behalf of the student
The student’s age and registration path determine the consent and privacy protection framework that applies.
Under 13, Registered by School or District
- Covered by COPPA’s School Exception
- School acts as agent for the parent in authorizing access
- No direct parental consent collected by UPI Study
- Tracking and analytics disabled by default
- Data use restricted to educational purposes only
Under 13, Registered Independently
- UPI Study prompts for verifiable parental consent before any data is collected or stored
- No account is created unless consent is successfully obtained
- Consent is logged and retained for 6 years
- Parent has full rights to revoke consent and request deletion at any time
14.5 Consent Mechanisms for Under-13 Users
Where COPPA requires verifiable parental consent, UPI Study employs one or more of the following FTC-approved mechanisms:
- Digitally signed consent form emailed to the parent
- Verified parental email with link to accept consent and complete registration
- Credit card verification or payment-based identification (without fee charged)
- Knowledge-based authentication (KBA) where identity databases are available
- Live video or phone consent process upon institutional request
All consent records include:
- Full name of child and parent
- Date and method of consent
- Confirmation token or signature
- System log of consent transaction and account creation date
14.6 Protections for Ages 13–17
For students aged 13–17, UPI Study applies the following standards:
- Data collection is limited to educational purposes only
- No advertising, behavioral profiling, or retargeting permitted
- Consent or notice may be obtained from parents at the institution’s discretion
- Student rights under FERPA are exercised by parents unless the student is in a postsecondary program
Additionally, UPI Study suppresses:
- Any unnecessary collection of demographic data not required for the course or transcript
- Optional social logins unless explicitly enabled by an institution
- External platform integrations (e.g., YouTube) unless age-appropriate disclosures are made
14.7 FERPA-Based Parental Rights
For any K–12 student under 18, parents and legal guardians may:
- Request access to any education record held by UPI Study
- Request correction or deletion of inaccurate data
- Object to third-party disclosures (except as permitted under FERPA)
- Receive copies of access logs or vendor disclosure logs upon request
- Request written documentation of the data retention schedule applicable to their child
Requests may be submitted to:
[email protected]
Subject: “Parent FERPA Request – [Student Full Name]”
All requests are verified, processed within 30 calendar days, and logged for audit.
14.8 COPPA Compliance Summary
Requirement | UPI Study Compliance |
Obtain verifiable parental consent | Enforced via digital, secure, documented process where required |
Provide clear notice of data use | Integrated into registration flow, privacy policy, and consent form |
Enable parental access & deletion | Processed via email-based identity verification; completed within 14 days of request |
Prohibit marketing & profiling | Enforced via platform-wide ad suppression and cookie control for minor accounts |
Retain consent logs for 6 years | Stored securely and version-controlled per FTC and NYSED audit requirements |
14.9 New York Education Law §2-d Obligations for Minors
Where the student is enrolled in a New York public school, the following applies regardless of age:
- UPI Study includes the Parents’ Bill of Rights for Data Privacy and Security in all applicable DPAs
- Vendors and subprocessors handling minor data must maintain access and activity logs for six years
- Any breach involving a student’s PII must be reported to the institution and parent/guardian within 7 business days
- Parents may request:
  - A full inventory of their child’s data
  - Who has access
  - How long data will be retained
  - How to request deletion (if legally allowable)
UPI Study maintains a compliance registry for all New York §2-d-covered students and contracts.
14.10 Data Segmentation and Security for Minor Users
Minor user data is treated as Tier 1 Sensitive Data in UPI Study’s internal classification and is subject to the following restrictions:
- Stored in encrypted data environments (AES-256)
- Segregated at the tenant level by institution
- Access restricted to FERPA-trained personnel only
- All access is logged, monitored, and auditable
- Incident logs retained in accordance with breach response protocols (Section 11)
Accounts for underage students are tagged at the identity layer and routed through a secure content delivery flow that suppresses all non-educational services.
14.11 Data Retention for Children’s Data
UPI Study retains children’s data based on institutional requirements and applicable law:
- School-authorized users: 6–10 years depending on contract
- Independently registered under-13 users: deleted upon request or when educational purpose ends
- Consent records: retained for 6 years in accordance with COPPA and FTC standards
- Archived academic records: retained for transcript integrity unless deletion is legally required
For early deletion, parents must initiate a written request as outlined in Section 9.
14.12 Embedded Content and Child Safety Controls
Where UPI Study provides access to third-party learning content (e.g., videos, assessments), the following protections are applied:
- Content is age-tagged by instructional designers or course administrators
- Under-13 students cannot access external platforms without parental or school-based authorization
- All embedded videos and learning objects are wrapped in secure sandbox iframes
- No automatic cookies or third-party scripts are executed without opt-in and age verification
This ensures COPPA and FERPA compliance even where materials are hosted off-platform.
14.13 School District Control and Parental Engagement
Districts and institutions using UPI Study for students under 18 may:
- Customize age-based data visibility and permissions
- Suppress optional features like messaging or peer visibility
- Assign parent or guardian accounts with observer permissions
- Require annual privacy attestation from staff handling student data
- Receive parental engagement reports upon request
District administrators are provided access to UPI Study’s Family Engagement Toolkit, which includes:
- Sample notices and opt-in templates
- Customizable “Student Data Inventory” reports
- Training resources for school staff
- One-click student data export tools
SECTION 15: INTERNATIONAL STUDENT PRIVACY AND DATA TRANSFERS
15.1 Purpose of This Section
This section outlines UPI Study’s policies and legal frameworks regarding the processing of personal data for international users, particularly those located within the European Union (EU), European Economic Area (EEA), the United Kingdom (UK), and other jurisdictions with data protection laws modeled on or influenced by the General Data Protection Regulation (GDPR).
As UPI Study may be accessed globally by students and institutions, this section details:
- The lawful bases for processing personal data under GDPR and similar regimes
- Cross-border data transfer mechanisms (Standard Contractual Clauses, adequacy, or supplementary safeguards)
- The rights of international data subjects
- Institutional obligations when enrolling international students through UPI Study
- Technical and administrative safeguards used to protect transferred data
15.2 Applicability
This section applies to:
- Students physically located in the EU/EEA or UK at the time of registration or data collection
- Institutional partners (e.g., universities, agencies) headquartered or operating in those regions
- Any data subject protected by the GDPR, UK GDPR, or a jurisdiction with equivalent protections (e.g., Brazil’s LGPD, Canada’s PIPEDA, South Korea’s PIPA)
It governs both direct access (individual user accounts) and institutional access (where data is shared between UPI Study and a covered institution).
15.3 Legal Basis for Processing Under GDPR (Article 6)
UPI Study processes personal data of EU/EEA/UK data subjects under the following legal bases:
GDPR Article | Legal Basis | How It Applies |
6(1)(b) | Performance of a contract | Student uses UPI Study to complete coursework, request transcripts, or transfer credit |
6(1)(c) | Compliance with legal obligations | UPI Study retains data for FERPA or regulatory recordkeeping |
6(1)(f) | Legitimate interests of the controller or third party | For internal analytics, fraud prevention, or platform improvement, subject to balancing test |
6(1)(a) | Consent | For non-essential analytics, optional services, or cross-border disclosure outside SCCs |
Consent is only used where required and is never the default basis for core educational services.
15.4 Lawful International Data Transfers
Because UPI Study operates primarily from the United States and uses U.S.-based infrastructure (Google Cloud Platform), cross-border data transfers are required when serving EU/EEA/UK users.
To ensure GDPR-compliant transfers, UPI Study applies:
15.4.1 Standard Contractual Clauses (SCCs) – EU/EEA Users
UPI Study incorporates the 2021 European Commission-approved SCCs (Modules 1, 2, or 4 as applicable) into all institutional contracts involving EU data subjects. These SCCs:
- Are embedded into our Data Processing Agreement (DPA)
- Include supplementary technical measures per EDPB guidance (e.g., encryption, access controls)
- Are enforceable between UPI Study and the EU controller (institution or direct user)
15.4.2 UK Addendum to SCCs – UK Users
For students or institutions in the UK, UPI Study adheres to the UK Information Commissioner’s Office (ICO) international data transfer addendum, appended to the SCCs to remain compliant with UK GDPR.
15.4.3 Supplementary Safeguards
To enhance the protection of transferred data, UPI Study implements:
- End-to-end AES-256 encryption of data in transit and at rest
- Strict U.S. data residency controls — no storage in third countries without appropriate protections
- Internal access restrictions (need-to-know only, role-based permissions)
- Vendor compliance audits and encryption mandates for subprocessors
- Ongoing monitoring for changes in law (e.g., adequacy decisions, Schrems II-related decisions)
15.5 Data Subject Rights (Articles 12–23)
International users whose data is processed by UPI Study have the following rights under GDPR, each of which is honored with full procedural controls:
Right | Description | How to Exercise |
Access (Art. 15) | Receive a copy of all personal data processed and associated purposes | Email: [email protected] – Subject: “GDPR Access Request” |
Rectification (Art. 16) | Request correction of inaccurate or incomplete data | Same as above |
Erasure (Art. 17) | Request deletion of personal data unless legally required to retain | Verified within 30 days, unless lawful basis overrides |
Restriction (Art. 18) | Limit processing to storage only | Data is “frozen” in secure archive until dispute is resolved |
Portability (Art. 20) | Receive data in machine-readable format | Delivered in CSV/JSON format within 30 days |
Objection (Art. 21) | Object to processing based on legitimate interest or public task | Evaluated on a case-by-case basis and balanced against legal needs |
Complaint (Art. 77) | Lodge complaint with a local Data Protection Authority (DPA) | UPI Study cooperates fully with all DPA inquiries and investigations |
15.6 Institutional Responsibilities for EU/EEA/UK Student Access
Institutions enrolling or authorizing access for EU/EEA/UK-based students through UPI Study must:
- Identify themselves as the data controller under GDPR
- Notify UPI Study in writing of their GDPR responsibilities and contact persons
- Enter into a DPA with UPI Study incorporating:
  - Controller-to-processor obligations under Article 28
  - SCCs (Module 2 or 3 depending on structure)
  - Any required Data Protection Impact Assessment (DPIA) triggers
- Maintain records of consent (if relying on Article 6(1)(a))
- Inform students of UPI Study’s role and point them to this Privacy Policy
UPI Study provides template GDPR DPA language upon request and assigns a contact at our legal team for cross-border compliance assistance.
15.7 Data Retention and International Law
All international student data is retained and destroyed in accordance with:
- The institution’s contract terms
- The student’s rights under GDPR or applicable laws
- The necessity of transcript and academic record archiving (e.g., 10-year retention under ACE/NCCRS)
Data is stored only in U.S.-based environments, encrypted using AES-256, and covered by legally binding SCCs. Data will not be transferred to third countries (e.g., China, Russia, India) without prior written approval and lawful safeguards.
15.8 Transfers to Third Parties or Vendors
UPI Study does not transfer international student data to sub-processors or vendors unless:
- The vendor has signed a DPA with UPI Study including Article 28 obligations
- The vendor processes data in the U.S. (preferred) or in an adequate country (as determined by the European Commission)
- If not in an adequate jurisdiction, SCCs or Binding Corporate Rules (BCRs) are in place
- The vendor has undergone a security audit, and supplementary encryption/access controls are in place
A list of all sub-processors used in relation to international data subjects is available to institutional clients upon request.
15.9 Data Breach Protocols for EU/UK Data Subjects
If a breach involves the personal data of an international data subject:
- UPI Study will notify the relevant supervisory authority within 72 hours, in accordance with Article 33
- Data subjects affected will be notified without undue delay per Article 34
- All breach communications will include:
  - Nature and scope of the breach
  - Categories and approximate volume of data affected
  - Mitigation measures in place
  - Contact point for further information
Breach logs are retained for 6 years and available to institutions or authorities.
15.10 Appointment of EU/UK Representative (if required)
If required under Article 27 of the GDPR or UK GDPR, UPI Study will designate a data protection representative established within the EU or UK to act as a point of contact for:
- Supervisory authorities
- Data subjects
- Regulatory notifications and investigations
UPI Study’s appointed representative and contact details will be published in this policy and institutional DPAs when applicable.
15.11 International User Access Restrictions
Where local law (e.g., GDPR, Swiss DPA) prohibits certain features:
- UPI Study geofences restricted content by IP region
- Optional services such as analytics or third-party integrations are disabled or gated by consent
- Cross-site and cross-context cookies are blocked by default
- All international students are served through secure HTTPS-only endpoints with cookie banners enabled by default
SECTION 16: INSTITUTIONAL OVERSIGHT, AUDITS, AND DATA IMPACT ASSESSMENTS
16.1 Purpose of This Section
This section outlines the rights, procedures, and contractual assurances provided to educational institutions, school districts, agencies, and partners that work with UPI Study. It establishes how UPI Study supports institutional oversight through:
- Audit rights and procedures
- Data Protection Impact Assessments (DPIAs)
- Record of processing activities (ROPA)
- Documentation of technical and organizational safeguards
- Vendor and sub-processor transparency
- Evidence necessary for FERPA, NY §2-d, and GDPR compliance
UPI Study views institutions as data stewards with a right and obligation to verify how student and institutional data is processed. This section affirms our contractual and legal commitment to that oversight.
16.2 Institutional Audit Rights
All UPI Study institutional clients (districts, higher education institutions, or consortia) have the contractual and legal right to:
- Audit UPI Study’s data handling practices
- Review security, privacy, and data retention controls
- Inspect vendor compliance documentation
- Request written summaries of student data collected, stored, accessed, or transferred
- Conduct system-level walkthroughs and evidence sampling, subject to confidentiality and operational coordination
These rights are based on and aligned with:
- FERPA – School officials with legitimate educational interest
- NY Education Law §2-d(5)(b)(3) – District audit authority
- GDPR Articles 28 and 32 – Controller audit and security accountability
Audits may be conducted:
- Annually (routine), or
- Upon incident, contract renewal, regulatory inquiry, or compliance review
All such audits are coordinated by UPI Study’s Compliance & Risk team and require a minimum of 10 business days’ notice, unless prompted by an emergency.
16.3 Types of Documentation Available for Institutional Review
UPI Study maintains a secure institutional data access portal or, upon request, provides the following audit materials:
Document / Record | Purpose | Retention Period |
Data Inventory Report | Full list of categories of data collected, purposes, retention | 6 years |
Access Logs (student and admin) | Lists of who accessed education records and when | 6 years |
Vendor Registry | All vendors or subprocessors with access to institutional or student data | 6 years |
Penetration Test Summary | Executive summary of most recent independent security test | 3 years (minimum) |
Encryption Protocol Documentation | Description of how PII and education records are encrypted in transit and at rest | Rolling |
Incident Response Reports | Redacted summaries of any confirmed data incidents affecting the institution | Per breach log policy |
Training & Compliance Certifications | Employee training rosters and completed certifications on FERPA, §2-d, etc. | 6 years |
Copy of Signed DPA / FERPA Addendum | Binding agreement governing data processing | Per contract lifecycle |
16.4 Data Protection Impact Assessments (DPIAs)
Where required by law (e.g., GDPR Art. 35) or contract, UPI Study will:
- Conduct a Data Protection Impact Assessment (DPIA) before launching new features or workflows that involve:
  - Systematic processing of sensitive data
  - Profiling, grading automation, or biometric tools
  - Substantial international transfers
  - New integrations with third-party processors
The DPIA includes:
- Nature, scope, context, and purpose of the data processing
- Assessment of necessity and proportionality
- Description of security measures and risk mitigation steps
- Evaluation of residual risk
- DPO recommendation and executive sign-off
DPIAs are made available to institutional clients upon request, with redactions for proprietary code or sensitive infrastructure details.
16.5 Record of Processing Activities (ROPA)
UPI Study maintains an internal and exportable Record of Processing Activities (ROPA) in accordance with:
- GDPR Article 30
- FERPA recordkeeping best practices
- NY §2-d audit-readiness guidelines
The ROPA includes:
- Controller and processor identities
- Purpose of each processing activity
- Categories of data subjects (students, parents, admins)
- Categories of personal data processed
- Data recipients and international transfers
- Retention schedules per data type
- Security measures applied
UPI Study updates the ROPA quarterly or upon any material processing change. Institutions may request a ROPA extract relevant to their deployment.
16.6 Support for Institutional Legal Compliance
To assist institutions in meeting their own state and federal compliance obligations, UPI Study provides:
- NY §2-d compliance attestation forms
- CCPA/CPRA notices for California-based districts or agencies
- FERPA addenda templates
- Templates for internal school board disclosures
- Privacy documentation suitable for public posting or integration into the institution’s policy library
UPI Study also offers assistance in responding to:
- Open records requests (e.g., FOIL, FOIA)
- Parental inquiries under FERPA or COPPA
- State Department of Education audits
- Accreditation reviews (e.g., NCCRS/ACE)
Requests should be submitted via email:
[email protected]
Subject: “Institutional Compliance Support Request – [Institution Name]”
16.7 Access to Sub-processor and Vendor Controls
UPI Study maintains an up-to-date vendor register, which includes:
- Identity of each third-party data processor
- Purpose of processing (e.g., cloud hosting, email delivery)
- Location of data storage
- Security certifications (e.g., SOC 2, ISO 27001)
- Whether personal data of the institution’s users is accessed or hosted
- Legal basis for transfer (e.g., SCCs, U.S.-based, adequacy)
16.8 Internal Reviews and Compliance Checks
UPI Study conducts the following internal reviews:
Review Type | Frequency | Owner |
Data Retention Schedule Audit | Annually | Legal & Records Team |
Vendor DPA Compliance | Semi-annually | Procurement & Privacy Counsel |
Encryption Key Rotation | Quarterly | Cloud Engineering Team |
FERPA / §2-d Training Review | Annually | HR & Compliance |
Breach Response Tabletop | Annually | Security & Legal |
Student Rights Requests Audit | Biannually | DPO Team |
Summaries of these reviews may be shared with institutions upon execution of a confidentiality agreement or contractual provision.
16.9 Institutional Notification Commitments
UPI Study commits to providing all institutions:
- Notice of any change in its processing purposes, security architecture, or privacy practices
- Advance notification of subprocessor changes at least 30 days before use (for opt-out or review)
- Immediate notification (within 24–72 hours) in the event of a confirmed or suspected breach involving institutional records
- Quarterly data processing summaries, when requested under contract or regulation
UPI Study will not materially change any privacy policy term without providing 2 days' advance notice and an opportunity for institutional input.
16.10 Requesting Institutional Audit or Policy Documentation
To initiate a formal audit, data access request, DPIA copy, or policy review, authorized institutional officials may contact: [email protected]
Subject: “Institutional Oversight Request – [Your Institution Name]”
Include:
- Requestor’s full name, title, and official email address
- Description of the request (audit, data inventory, DPIA, etc.)
- Preferred delivery format and timeline
- Any legal or regulatory basis if relevant (e.g., §2-d, GDPR)
UPI Study will respond within 15 business days, and most document sets are provided within 20–25 business days depending on scope.
SECTION 17: USER RIGHTS REQUEST PROCEDURES AND COMPLIANCE WORKFLOWS
17.1 Purpose of This Section
This section sets forth the procedures through which students, parents/legal guardians, and institutional administrators may exercise their rights to access, correct, restrict, delete, or obtain copies of data held by UPI Study. These workflows comply with privacy laws applicable to our users, including:
- FERPA – for U.S. students in educational settings
- COPPA – for children under 13 years old
- New York Education Law §2-d – for students in NY public school systems
- CCPA/CPRA – for California residents
- GDPR – for users in the EU, EEA, and UK
These rights are supported by documented, auditable procedures to ensure lawful processing and transparent engagement.
17.2 Who May Submit a Request
UPI Study accepts verified rights requests from the following types of data subjects or authorized representatives:
Requester Type | Authority |
Student (age 18+) | Direct data subject under FERPA and GDPR |
Parent / Guardian (under 18) | Holds FERPA and COPPA rights for minors enrolled in K–12 institutions |
Institutional Representative | Registrar, data protection officer, or school official acting on behalf |
EU/EEA/UK Data Subject | Covered by GDPR regardless of citizenship |
California Resident | Covered by CCPA/CPRA, whether student or institutional user |
All requestors must verify their identity and, if applicable, their authority to act on behalf of a minor or institution.
17.3 Types of Rights Available
UPI Study supports the following rights requests:
Right | Scope |
Access / Review | Obtain a copy of personal data and education records maintained by UPI Study |
Correction / Amendment | Request the correction of inaccurate or incomplete information |
Deletion / Erasure | Request removal of personal data when no longer needed (subject to legal retention) |
Restriction | Suspend or freeze data processing pending dispute resolution or legal clarification |
Portability | Receive records in a machine-readable format suitable for transcript or transfer |
Withdraw Consent | Revoke prior consent where processing was based on opt-in (e.g., analytics use) |
Objection (GDPR) | Object to processing under legitimate interest grounds |
Do Not Sell (CCPA) | Record a “Do Not Sell or Share My Personal Info” request (UPI does not sell data) |
17.4 Submission Process
Step 1: Request Submission
Requests may be submitted by email to:
- [email protected] — for all student/parent requests
- [email protected] — for institutional and legal inquiries
Subject line should include:
- Type of request (e.g., “Access Request – [Full Name]”)
- Student name and date of birth (if applicable)
- Associated email address or institution name
Step 2: Identity Verification
UPI Study will verify identity by:
- Email confirmation from an account on file
- Institution domain (e.g., .edu, .k12.ny.us)
- Secure ID upload or digital signature for sensitive or parental requests
- Parent-child relationship validation (for COPPA/FERPA rights)
- Comparison with internal account metadata
No data is released until identity is confirmed.
Step 3: Confirmation and Processing Timeline
A confirmation of receipt will be sent within 5 business days. Processing timelines are as follows:
Jurisdiction / Law | Response Deadline |
FERPA | 45 calendar days |
GDPR | 30 days, extendable to 60 |
CCPA/CPRA | 45 days, extendable by 45 |
NY §2-d | Reasonable time (typically 30 days) |
COPPA | 14 days (priority deletion cases) |
If additional verification is needed, the timeline pauses until verification is complete.
17.5 Correction and Amendment Requests
When a user or parent believes that a record is incorrect, UPI Study will:
- Confirm the data and field in question
- Request evidence of the corrected value (e.g., transcript, institutional verification)
- Consult with the issuing institution if the data originated externally
- Apply the correction, or provide a written explanation of why the change cannot be made
Where correction is denied under FERPA, the requester may submit a written appeal and request a formal hearing, which UPI Study facilitates in coordination with the institution.
17.6 Deletion and Data Erasure Requests
UPI Study will delete data upon verified request if:
- It is not required for ongoing academic, contractual, legal, or regulatory reasons
- The request complies with COPPA, GDPR, or CCPA obligations
- There are no conflicting retention obligations (e.g., transcript preservation)
Non-Deletable Records Include:
- Transcript or credential records required by ACE/NCCRS
- Regulatory audit logs
- Records under legal hold
- Active institutional contracts requiring access for reporting or transfer
All denied deletion requests will be documented and explained in writing.
17.7 Parental Requests for Under-13 Users (COPPA)
For students under the age of 13:
- UPI Study accepts deletion and access requests from verified parents or legal guardians
- Upon deletion approval, all identifiable data is erased within 14 calendar days
- A confirmation is emailed to the parent
- Consent logs are retained (as permitted) for audit purposes but are de-linked from the account
17.8 Portability and Transfer Requests
UPI Study supports:
- FERPA transcript requests
- GDPR Article 20 portability requests
- Institutional requests to transfer academic records to another school or registrar
Records are exported in:
- CSV (course data, grades, participation logs)
- PDF (transcripts, certificates)
- JSON or XML (if receiving system supports programmatic import)
All exports are encrypted and transferred via secure download or SFTP link.
17.9 Request Logs and Retention
Each rights request is logged in UPI Study’s Rights Request Registry, which captures:
- Requestor identity
- Type of request
- Date received and date closed
- Decision issued (approved, denied, pending)
- Supporting documentation or correspondence
Logs are retained for six (6) years and may be reviewed during regulatory audits, institutional reviews, or legal proceedings.
17.10 Denials and Appeals
If UPI Study denies a request, the user will receive:
- A written explanation of the denial
- The legal basis for retention or refusal
- Instructions for submitting an appeal or initiating a FERPA hearing (where applicable)
- Contact information for escalating to UPI Study’s Privacy Officer or, if needed, an external regulator
GDPR-based denials will also include the right to lodge a complaint with a Data Protection Authority (DPA).
17.11 Institutional Support and Delegation
Institutions may submit bulk or administrative rights requests if they:
- Are responding to a subpoena, complaint, or audit
- Need a data export or correction across a student cohort
- Are closing out a graduating class or program
- Have parental consent to act on behalf of a student or family
All such requests must:
- Be submitted on institutional letterhead or from an official email domain
- Include legal basis or contract reference
- Be signed by an authorized official (e.g., registrar, legal counsel)
Email:
[email protected]
Subject: “Institutional Rights Management Request – [Institution Name]”
17.12 Compliance Reporting
UPI Study compiles an annual User Rights Compliance Report, which includes:
- Total number of rights requests by type
- Average response times
- Number of denied, escalated, and appealed cases
- Process changes made in response to rights trends
- DPO commentary and recommendations
The report is available to regulators and institutional clients upon request.
SECTION 18: POLICY UPDATES, NOTIFICATIONS, AND USER COMMUNICATION STANDARDS
18.1 Purpose of This Section
This section explains how UPI Study maintains, updates, communicates, and enforces changes to its Privacy Policy and related data protection practices. It includes:
- Legal requirements for advance notice of changes
- Processes for notifying affected users and institutions
- Methods for ensuring transparency and user understanding
- Contractual assurances for school districts and institutions
UPI Study is committed to ensuring that no material change affecting user rights, data use, or institutional compliance occurs without clear notice, consent where required, and an opportunity to respond.
18.2 Scope of Policy Changes Covered
This section governs updates or changes to any of the following documents:
- UPI Study’s official Privacy Policy
- Terms of Service or Acceptable Use terms related to data rights
- Data Processing Agreements (DPAs) with institutional clients
- Subprocessor and Vendor Disclosures
- Cookie Policy or Analytics Configuration (for EU/CCPA compliance)
- Security and breach notification procedures that impact contract performance
18.3 Change Categories and Notification Triggers
UPI Study classifies changes into three categories:
Change Type | Description | Notice Required |
Material Changes | Affects how data is used, shared, retained, or protected; affects legal rights | Yes – 30 days minimum advance notice |
Operational Changes | Administrative or technical updates that don’t alter legal obligations | Yes – Public posting + dashboard notice |
Emergency Changes | Necessary for legal, regulatory, or security reasons (e.g., new law, breach) | ASAP with summary and justification |
UPI Study does not implement retroactive changes to data usage practices without obtaining new consent where legally required (e.g., under GDPR Art. 7 or COPPA).
18.4 Methods of Notification
When a policy update is triggered, UPI Study notifies users and institutions using multi-channel communication, including:
For Individual Users (Students, Parents, Educators):
- Email to the address associated with the account
- In-platform message (dashboard banner or modal)
- Link to summary of changes and full updated policy
- Ability to opt in/out (if applicable to the change)
For Institutions:
- Email to the designated institutional contact (e.g., IT lead, legal, registrar)
- Redlined copy of updated policy or DPA for review
- Notification of new sub-processor or vendor, if relevant
- Call or coordination meeting upon request
UPI Study maintains a change log archive of all previous privacy policy versions, accessible from:
https://www.upistudy.com/pages/privacy/versions
18.5 Required Institutional Approvals
If an institutional agreement or state law (e.g., NY Education Law §2-d(5)(c)) requires:
- Review or board approval before accepting material changes, or
- Amendment of a binding DPA,
UPI Study will:
- Provide a draft version of the updated language at least 30 days in advance
- Pause enforcement of new terms until:
  - The institution consents in writing
  - A contract amendment is signed
  - An opt-out pathway is confirmed
If the institution does not accept the new terms, UPI Study continues processing under the prior version until the contract expires or is renegotiated.
18.6 Examples of Material Changes Requiring Notice
Material updates may include, but are not limited to:
- Introduction of a new category of data collected
- Change in how student data is used or shared (e.g., new analytics provider)
- Addition of a new international data transfer mechanism
- Lowering of retention period protections
- Modification of user rights procedures
- Updates to institutional audit or breach response policies
- Adding functionality for AI-based grading, predictive analytics, or profiling
These changes are communicated in advance and never applied to existing data without review or opt-in, where applicable.
18.7 Summary of Changes Format
All change notices include a plain-language summary written for accessibility by both institutional and general users. Each notice contains:
- Version number and date of effect
- What changed (in bullets or a change matrix)
- Why the change was made (legal, operational, strategic)
- How it affects user data or rights
- Whether new consent is required
- Link to the full updated document and comparison with the prior version
These summaries are written in compliance with:
- CCPA/CPRA §1798.100(b) transparency requirements
- GDPR Articles 12–14 on clear and concise language
- NYSED guidance on parent notifications under §2-d
18.8 Change Acceptance and Consent Where Required
In jurisdictions where affirmative consent is required for certain changes (e.g., GDPR, COPPA), UPI Study provides:
- A checkbox or acceptance action before continued use of the affected feature
- “Decline” or opt-out routes where permitted
- Expiration timelines for unaccepted changes (e.g., deactivate analytics, disable marketing, or freeze account access until acknowledged)
For other regions (e.g., most U.S. FERPA-based districts), continued use of the platform after publication is considered constructive acceptance, unless a contract states otherwise.
18.9 Emergency Changes and Critical Disclosures
In the event of a material legal or security event (e.g., data breach, new legislation, vendor failure), UPI Study may update its privacy policy or internal practices without 30 days’ notice, but will:
- Email institutional and individual users within 24–48 hours
- Explain the nature of the change and temporary or permanent implications
- Provide a follow-up review opportunity with legal and compliance teams
- Make any changes time-bound and subject to later ratification
18.10 Institutional Rights to Request Freezes or Exceptions
Institutions may request:
- A delay in applying the new terms
- A freeze of subprocessor or data flow changes
- Legal review before implementing new processing purposes or categories
- Custom terms via amendment (where permitted by law)
Such requests must be made within 10 business days of receiving the update notice and should be submitted by a district-level administrator or legal representative.
Send to:
📧 [email protected]
Subject: “Policy Change Review Request – [Institution Name]”
18.11 Documentation and Archiving
UPI Study retains the following documentation for each policy revision:
- A version-controlled changelog
- PDF archive of the prior and new policy language
- Legal memorandum (internal) summarizing risks and compliance impact
- Consent logs (for any change requiring opt-in)
- Copies of all communications sent to users and institutions
These documents are retained for six (6) years and available upon request during institutional audits or regulatory investigations.
18.12 Annual Policy Review
UPI Study performs a formal annual review of its Privacy Policy and supporting compliance policies to ensure:
- Consistency with updated laws and industry standards
- Alignment with changes in technology, vendors, and institutional practices
- Clarity, accessibility, and non-discrimination in enforcement
Institutions may participate in the review process via:
- Legal or compliance teams
- Data protection officers
- EdTech advisory panels (by invitation)
The next review is scheduled as required.
APPENDIX A: NY EDUCATION LAW §2-D – PARENTS’ BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY
(Standalone Supplement – Required under 8 NYCRR Part 121.3)
Purpose
This document is provided pursuant to New York Education Law §2-d(3)(a) and the implementing regulations under 8 NYCRR Part 121. It sets forth the rights of parents, legal guardians, and eligible students regarding the privacy and security of personally identifiable information (PII) collected and maintained by UPI Study when providing services to New York educational agencies (public school districts, BOCES, and charter schools).
UPI Study includes this Appendix as a publicly available and contractually binding supplement to its Privacy Policy and its Data Processing Agreements with educational institutions.
1. Student Data Protection Commitment
UPI Study is committed to protecting the confidentiality, integrity, and availability of student data in compliance with New York State law and best practices in education data security. This Bill of Rights is intended to ensure transparency and to empower families with control over their children's educational records.
2. Parents’ and Eligible Students’ Rights
In accordance with Education Law §2-d and FERPA, the following rights apply to all parents and eligible students:
a. Right to Access and Review
Parents have the right to inspect and review the complete contents of their child’s education record upon request. UPI Study provides this access within 30 calendar days of a verified request.
b. Right to Correction
Parents may challenge the accuracy of student data and request corrections if they believe the information is inaccurate, misleading, or otherwise in violation of the student's privacy rights.
c. Right to Data Security
All student PII is protected using industry best practices, including but not limited to:
- Encryption at rest and in transit
- Role-based access control
- Audit logging and data minimization
- Annual penetration testing and risk assessment
d. Right to Be Notified of Unauthorized Disclosure
Parents have the right to be promptly notified in the event of a data breach or unauthorized disclosure of their child’s PII. UPI Study will notify affected parties within 7 business days, as required by law.
e. Right to File a Complaint
Parents have the right to file complaints about possible breaches or misuse of student data with the New York State Education Department (NYSED).
3. Use and Sharing of Student Data
UPI Study does not sell or commercialize student data. Student PII will only be shared with:
- Educational institutions under contract with UPI Study
- Authorized staff or educators with a legitimate educational interest
- Subcontractors or vendors who have signed a Data Protection Agreement (DPA) and agree to comply with Education Law §2-d and FERPA
A complete list of third-party contractors and their data use purposes is available to institutions and parents upon written request.
4. Student Data Collected
The types of PII that may be collected include:
- Full name, date of birth, and contact information
- Course participation, grades, credits earned
- Assessment results, progress reports, and transcript details
- Login history, session logs, and device identifiers (for system security)
No biometric, health, social security, or financial account data is collected unless contractually authorized by the institution and permitted under state and federal law.
5. Data Storage and Retention
Student data is:
- Stored in U.S.-based data centers on Google Cloud Platform, compliant with SOC 2 Type II and ISO 27001 standards
- Retained for a minimum of six (6) years, or longer if required by accreditation or legal hold
- Subject to secure deletion using NIST 800-88 standards upon expiration of the retention period
Parents may request a copy of UPI Study’s retention schedule applicable to their student’s data.
6. Security Practices and Technologies
UPI Study uses multiple layers of security to protect student PII:
- Encryption: AES-256 at rest, TLS 1.2+ in transit
- Network Security: Web Application Firewalls, DDoS protection, VPN-only internal access
- Authentication: Multi-factor authentication (MFA) for administrators
- Monitoring: Real-time intrusion detection and access logging
- Annual third-party security audit and vulnerability testing
- Employee background checks and FERPA/security training
All vendors with access to student data must demonstrate equivalent security measures and submit to independent review.
7. Subcontractor Oversight and Disclosure
UPI Study maintains a list of all subcontractors who receive access to student PII. This list includes:
- Name and contact details of the vendor
- Purpose of data access
- Contract start and end dates
- Security certifications held (e.g., SOC 2, ISO 27001)
This list is available upon written request by a parent or school official.
8. Right to Review Contracts and Data Elements
UPI Study makes available, upon request from parents or eligible students, the following:
- The contract between UPI Study and the school or district
- The data inventory outlining specific data elements collected
- The timeline and purpose for data retention
- The third-party vendor list and applicable DPAs
- Summary of student-level access logs (institution authorization required)
All such requests are processed within 30 calendar days and may be submitted to: [email protected]
Subject: “Parents’ Rights Request – [Student Full Name]”
9. Breach Reporting and Legal Compliance
If UPI Study experiences a breach involving student PII under contract with a New York public school:
- The affected school or district will be notified within 24 hours of confirmation
- Parents and students will be notified within 7 business days
- A detailed breach report, mitigation steps, and post-incident audit will be made available upon request
- Logs will be retained for at least 6 years, in compliance with state regulations
10. Contact for Privacy Concerns
Parents or eligible students may direct inquiries or complaints to:
UPI Study Privacy Office
221 River Street, 9th Floor
Hoboken, NJ 07030
[email protected]
📞 (contact number upon institutional request)
Please include:
- Student name
- Institution name
- Description of the privacy concern
- Your relationship to the student (e.g., parent, guardian)
APPENDIX B: SUB-PROCESSOR AND THIRD-PARTY VENDOR REGISTRY
(Audit-Ready Supplement – Required Under NY Education Law §2-d and FERPA Vendor Oversight Provisions)
Purpose
This appendix provides a comprehensive registry of third-party sub-processors and vendors that UPI Study engages to process, host, or otherwise support services involving personally identifiable information (PII) or education records as defined under:
- FERPA (20 U.S.C. §1232g; 34 CFR Part 99)
- New York Education Law §2-d
- COPPA, CCPA/CPRA, and GDPR (as applicable by region or institution)
UPI Study is the primary data processor and ensures that all subcontracted entities comply with the same legal, technical, and contractual standards applicable to UPI Study itself.
Registry Structure
Each entry includes:
- Vendor Name
- Service Type / Purpose
- Data Categories Processed
- Jurisdiction of Hosting
- Certifications and Security Standards
- Data Transfer Safeguards (if applicable)
- Contract Start Date
- Contract Expiration / Review Cycle
- Breach Notification SLA
- Retention & Deletion Schedule Compliance
Current Sub-processor Registry
# | Vendor Name | Service Type | PII Categories Accessed | Hosting Region | Certifications | Data Transfer Legal Basis |
1 | Stripe, Inc. | Payment processing | Name, email, payment transaction metadata | United States | PCI-DSS, SOC 1/2, ISO 27001 | U.S.-based, tokenized, no full PII |
2 | Twilio (SendGrid) | Transactional email/SMS delivery | Email, name, message metadata | United States | SOC 2, ISO 27001 | U.S.-based |
3 | Thinkific (optional) | Embedded learning platform | Course progress, name, email | Canada (Adequate) | PIPEDA, SOC 2 | Adequacy decision – Canada |
Vendor Contractual Requirements
Each vendor in the above list abides by contractual requirements with UPI Study that include:
- Encryption of all data at rest and in transit
- No resale or repurposing of student or institutional data
- Written notice & prior approval before onboarding any additional sub-processors
- Breach notification within 24–72 hours (depending on jurisdiction)
- Compliance with:
  - FERPA directory and non-directory information handling
  - NY Education Law §2-d logging, retention, and audit protocols
  - GDPR Art. 28–30 if applicable
Right to Review and Object
Under NY Education Law §2-d(5)(b)(3) and equivalent institutional contracts, educational agencies may:
- Review the full sub-processor list
- Obtain evidence of each vendor’s compliance documentation
- Request removal of any vendor for material legal or reputational risk
- Opt out of non-essential vendor integrations (e.g., analytics, optional assessments)
All such requests must come from an authorized district or institutional officer (e.g., legal, data privacy lead, IT administrator).
Submit vendor inquiries to:
📧 [email protected]
Subject: “Vendor Oversight Request – [Institution Name]”
Notification of New Vendors
If UPI Study adds a new vendor or sub-processor that processes PII or education records, institutional clients will be:
- Notified at least 15 days prior to activation
- Provided with:
  - Vendor name and description
  - Intended data usage
  - Security certification summary
  - Right to object or request exclusion
If a district or institution objects in writing, UPI Study will:
- Offer an equivalent vendor if feasible
- Provide a configuration without the vendor
- Involve legal review to assess contractual options
Retention and Deletion
All vendors must:
- Adhere to UPI Study’s defined data retention schedule (see Section 12)
- Securely delete all client-related data upon termination of the contract or service
- Provide written certification of deletion upon request
- Retain no backups, metadata, or derivative works unless:
  - Permitted by contract
  - Fully anonymized and approved for statistical use only
Breach Protocols
In case of a vendor-caused breach involving UPI Study student data:
- Vendor must notify UPI Study within the contractually defined SLA (24–72 hours)
- UPI Study will coordinate with:
  - Impacted institution
  - New York State Education Department (NYSED)
  - Parents or legal guardians (if required)
Vendor breach logs must be retained for 6 years, and all incident documentation must be available to institutions upon request.
APPENDIX C: ANNUAL PRIVACY AUDIT & COMPLIANCE ATTESTATION TEMPLATE
(FERPA, NY Ed Law §2-d, GDPR & CCPA/CPRA Aligned Format – Use for District or Agency Records)
Purpose of This Appendix
This appendix provides a formal, standardized Privacy Compliance Attestation to be used in annual audits, data privacy reviews, or procurement compliance documentation for educational institutions that contract with UPI Study.
It is designed to support:
- New York State Education Department (NYSED) reviews under Education Law §2-d(5)(b)(3)
- Institutional or district-level internal audits
- FERPA-based governance procedures
- Regulatory inquiries or procurement renewals
- Data protection reviews under GDPR, CCPA/CPRA, and COPPA
This attestation affirms UPI Study’s compliance with contractually required data protection obligations and allows the Educational Agency to document vendor due diligence.
SECTION 1 – VENDOR INFORMATION
Field | Response |
Legal Entity Name | UPI Study Inc. |
Primary Business Address | 221 River St, 9th Floor, Hoboken, NJ 07030 |
DPO / Privacy Contact | |
Primary Contact for Audit Inquiries | |
Data Hosting Provider | Google Cloud Platform (GCP) |
Hosting Jurisdiction | United States (multi-region; all U.S.-based) |
Infrastructure Certifications | SOC 2 Type II, ISO/IEC 27001, ISO/IEC 27018 |
SECTION 2 – PRIVACY FRAMEWORK COMPLIANCE CHECKLIST
Requirement Category | UPI Study Compliance Status |
FERPA Education Record Protections | Fully Compliant |
NY Education Law §2-d and 8 NYCRR Part 121 | Fully Compliant |
Student PII Encrypted at Rest and In Transit | AES-256 / TLS 1.2+ Encryption Used |
Annual Employee FERPA & §2-d Training | Completed for 100% of active staff |
Signed Data Processing Agreements with Subprocessors | Maintained and reviewed semi-annually |
Data Retention Policy on File | Retention Schedule Reviewed Q1 2025 |
Incident Response Plan Last Updated | Q4 2024 |
Last Penetration Test Date | Q3 2024 (External Vendor) |
Breach Notification SLA | Within 24 hours (Institution), 7 days (Parents) |
Data Inventory and System Map Maintained | Updated Q1 2025 |
GDPR Article 30 Record of Processing Activities | Maintained and Available |
Subprocessor List Published | Appendix B |
Parent/Student Data Access Requests Fulfilled | Tracked, logged, and closed within deadlines |
SECTION 3 – COMPLIANCE ATTESTATION
I, the undersigned, hereby attest that:
- UPI Study Inc. has implemented all required privacy and security measures under the Master Services Agreement, this Privacy Policy, and applicable law.
- Student data is processed only for educational purposes, in accordance with FERPA, Education Law §2-d, and applicable state or federal privacy statutes.
- All personnel with access to student or institutional data have completed annual privacy and security training, and appropriate access control mechanisms are in place.
- All known data breaches, incidents, or legal risks involving the institution’s data would be disclosed immediately in accordance with contract and law.
- Full copies of UPI Study’s Information Security Policies, Sub-processor Registry, Breach Logs, and Retention Policies are available to the Educational Agency upon request.
- UPI Study is prepared to cooperate with:
  - NYSED Chief Privacy Officer
  - District Data Protection Officers
  - Institutional compliance audits or FOIL/FERPA data access cases
This attestation is valid for the audit cycle listed below and may be renewed or updated upon request or legal obligation.
SECTION 4 – SIGNATURES
Signed on behalf of UPI Study Inc.:
Field | Value |
Name | __________________________________ |
Title | __________________________________ |
Signature | __________________________________ |
Date | __________________________________ |
For Use by Educational Agency:
Field | Value |
District / Institution Name | __________________________________ |
Reviewed By (Name / Title) | __________________________________ |
Signature | __________________________________ |
Review Date | __________________________________ |
INSTRUCTIONS FOR USE
- Institutions may attach this form to their annual third-party risk audit file
- This appendix may be appended to existing contracts as a yearly compliance certificate
- Copies of logs, DPIAs, and policies referenced above are available upon written request
- UPI Study will issue updated versions of this form each fiscal year (Q1)
APPENDIX D: GLOSSARY OF LEGAL & TECHNICAL TERMS
(Defined Terms as Used in the UPI Study Privacy Policy, Agreements, and Compliance Materials)
A. LEGAL DEFINITIONS
1. Personally Identifiable Information (PII)
Any data that identifies, relates to, describes, or can be used to identify an individual, including but not limited to: name, student ID, email address, date of birth, grades, IP address, biometric records, or any combination of data elements that allow identification.
Referenced under: FERPA, NY Ed Law §2-d, CCPA, COPPA, GDPR
2. Education Records
All records, files, documents, and other materials maintained by UPI Study or the institution that contain information directly related to a student and are maintained by an educational agency or its designee.
Governing Law: FERPA (34 CFR §99.3)
3. Data Controller
An entity (e.g., school, district, college) that determines the purposes and means of processing personal data.
Applicable Under: GDPR, NY Ed Law §2-d, Institutional Contracts
4. Data Processor
A third party (such as UPI Study) that processes data on behalf of a controller under instructions and within scope of contract.
5. Subprocessor
A third-party vendor engaged by the primary processor (UPI Study) to carry out specific processing tasks under a Data Processing Agreement (DPA).
6. Data Subject
The individual to whom the data pertains (e.g., student, parent, or educator). Under GDPR, the data subject holds specific privacy rights.
7. FERPA (Family Educational Rights and Privacy Act)
U.S. federal law protecting the privacy of student education records and granting access and amendment rights to students and parents.
8. NY Education Law §2-d
New York State law requiring vendors to protect student data privacy, post a Parents’ Bill of Rights, notify of breaches, and support institutional audit rights.
9. COPPA (Children’s Online Privacy Protection Act)
Federal law requiring verifiable parental consent before collecting personal information from children under 13 in an online environment.
10. CCPA / CPRA (California Consumer Privacy Act / Rights Act)
California law granting consumers—including students—the right to access, delete, and restrict the sale or sharing of their personal information.
11. GDPR (General Data Protection Regulation)
European Union regulation governing the collection, processing, and storage of personal data of individuals located in the EU/EEA and, via adequacy decisions or SCCs, other international transfers.
B. TECHNICAL DEFINITIONS
12. Encryption (AES-256 / TLS 1.2+)
Methods for securing data:
- AES-256: Encryption of data at rest using the Advanced Encryption Standard with 256-bit keys
- TLS 1.2+: Encryption of data in transit using Transport Layer Security protocol
13. Role-Based Access Control (RBAC)
Access framework restricting data and system access based on a user's role within an organization.
14. Multi-Factor Authentication (MFA)
Security process requiring users to authenticate using at least two forms of identification before accessing protected data.
15. Data Breach
Unauthorized access, acquisition, or disclosure of protected personal or educational information that compromises confidentiality, integrity, or availability.
16. Data Retention Schedule
Policy and timetable specifying how long each data type is retained and when it is deleted or archived securely.
17. NIST 800-88
U.S. National Institute of Standards and Technology’s publication detailing best practices for secure data destruction.
18. Secure Software Development Lifecycle (SSDLC)
A structured approach to designing, building, and maintaining secure applications that includes code reviews, vulnerability scans, and secure deployment protocols.
19. Data Protection Impact Assessment (DPIA)
A risk-based assessment required under GDPR for high-risk processing activities, used to document privacy risks and safeguards.
20. Standard Contractual Clauses (SCCs)
Legal mechanism under GDPR for ensuring lawful international data transfers from the EU/EEA to third countries like the United States.
21. Rights Request Registry
A secure, auditable log maintained by UPI Study of all user rights requests (access, correction, deletion), including timeframes and outcomes.
22. SIEM (Security Information and Event Management)
Technology system used to detect, analyze, and respond to cybersecurity threats in real time by aggregating and correlating system logs.
23. Least Privilege Principle
Security concept in which users are granted the minimum level of access—or permissions—needed to perform their job function.
24. DPA (Data Processing Agreement)
A legally binding contract between a data controller and a processor specifying roles, obligations, and data protection practices.
25. Audit Log
An immutable log that records all access to student data, changes made to records, and by whom—retained for six (6) years minimum under NY §2-d.