Parents' Bill of Rights for Data Privacy and Security
Last Updated: April 3, 2026
Introduction
This Parents' Bill of Rights is published by IS NOT AI LLC ("NotAI") in connection with contracts between NotAI and New York State educational agencies (school districts, boards of cooperative educational services, charter schools, and the New York State Education Department). It is provided to satisfy Section 2-d of the New York State Education Law and the implementing regulations at 8 NYCRR Part 121, and is appended to every applicable agreement between NotAI and a New York State educational agency.
Unless otherwise defined here, capitalized terms have the meanings given in Education Law § 2-d and 8 NYCRR Part 121.
1. No Sale or Commercial Use of Student Data
A student's personally identifiable information cannot be sold or released for any commercial or marketing purposes. NotAI does not sell, rent, license, trade, or otherwise commercially exploit student data, and does not use student data for targeted advertising, behavioral profiling for non-educational purposes, or any commercial purpose other than the educational purpose for which it was collected.
2. Parental Right to Inspect and Review
Parents have the right to inspect and review the complete contents of their child's education record. Requests to inspect, review, correct, or amend education records should be directed to the student's school or school district, which serves as the data controller. NotAI will assist the educational agency in responding to such requests within the time required by applicable law.
3. Confidentiality and Safeguards
State and federal laws protect the confidentiality of personally identifiable information (including FERPA, New York Education Law § 2-d, and 8 NYCRR Part 121). Safeguards associated with industry standards and best practices, including but not limited to encryption, firewalls, password protection, role-based access controls, and monitoring, are in place when data is stored or transferred.
NotAI aligns its data-security program with the NIST Cybersecurity Framework 2.0 (published February 2024) as required by 8 NYCRR § 121.5 and maintains the technical and organisational measures described in Section 11 of the NotAI Privacy Policy, including AES-256 encryption for data at rest using customer-managed keys, TLS 1.2+ (TLS 1.3 where supported) for data in transit, and continuous logging and access monitoring.
Redisclosure limits on NotAI. When NotAI receives personally identifiable information from education records in its capacity as a school official with a legitimate educational interest (34 CFR § 99.31(a)(1)), NotAI (not the parent) is bound by the redisclosure restrictions in 34 CFR § 99.33. NotAI will not disclose personally identifiable information from education records to any third party except (a) on documented instructions from the educational agency, (b) as permitted under one of the enumerated exceptions in § 99.31 and § 99.33 (including disclosure to subprocessors bound to equivalent confidentiality obligations and acting on behalf of the educational agency), or (c) as required by law in response to a subpoena or court order, in which case NotAI will give the educational agency prompt written notice (unless legally prohibited) so that it may seek a protective order. Any subprocessor that receives education records under this framework is itself bound to the same § 99.33 redisclosure limits.
Workforce training. Consistent with Education Law § 2-d(3)(d) and 8 NYCRR § 121.7, all NotAI personnel and contractors with access to student, teacher, or principal data receive data-privacy and data-security training at the time of onboarding and at least annually thereafter. The training covers the federal and state laws protecting personally identifiable information (including FERPA, COPPA, PPRA, IDEA, and New York Education Law § 2-d), NotAI's internal information-security policies, incident-reporting procedures, and the specific obligations owed under each applicable educational-agency contract. NotAI retains records of training completion and provides summary documentation to the contracting educational agency on request.
4. Student Data Elements Collected by the State
A complete list of all student data elements collected by New York State is available for public review on the New York State Education Department website at http://www.nysed.gov/data-privacy-security/student-data-inventory, or by writing to:
Chief Privacy Officer
New York State Education Department
89 Washington Avenue
Albany, NY 12234
Email: [email protected]
5. Right to Have Complaints Addressed
Parents have the right to have complaints about possible breaches or unauthorised disclosures of student data addressed. Complaints may be submitted in writing to:
- The student's educational agency (school or school district), which is the primary contact for complaints;
- NotAI's privacy team at [email protected] or IS NOT AI LLC, Attn: Privacy, 7014 E Camelback Rd B100A, Scottsdale, AZ 85251; and
- The New York State Education Department's Chief Privacy Officer at http://www.nysed.gov/data-privacy-security or by email at [email protected].
Complaints submitted to NotAI will be acknowledged within ten (10) business days and resolved in coordination with the contracting educational agency as promptly as practicable.
6. Breach Notification
Parents have the right to receive notification, to the extent required by law, of any breach or unauthorised release of student data. In the event of a data breach affecting student data, NotAI will notify the affected educational agency without undue delay and no later than 72 hours after becoming aware of the breach, and will assist the educational agency in meeting its own notification obligations to parents, eligible students, NYSED, and any other authority as required by Education Law § 2-d(6) and 8 NYCRR § 121.10.
7. Third-Party Contractor Obligations
Educational agencies must ensure that contracts with third-party contractors include provisions requiring that confidentiality of shared student data is maintained in accordance with federal and state law and the educational agency's data security and privacy policy. All NotAI subprocessors are contractually bound to data protection obligations at least as protective as those NotAI owes to the contracting educational agency, including obligations of confidentiality, security, breach notification, and use limitation.
Supplemental Information (8 NYCRR § 121.3(c))
The following supplemental information is provided in connection with every agreement between NotAI and a New York State educational agency that involves the disclosure of personally identifiable information from student records or teacher or principal records. For every such agreement, NotAI also adopts the educational agency's Data Privacy and Security Plan required by Education Law § 2-d(5)(f)(5) and 8 NYCRR § 121.6, which is appended to or incorporated into the agreement and sets out the administrative, operational, and technical safeguards applied to that agency's data; together, this Bill of Rights, the supplemental information below, and the Data Privacy and Security Plan constitute NotAI's commitments to the educational agency under Education Law § 2-d. A copy of the Data Privacy and Security Plan for a given agreement is available to parents and eligible students on request to the contracting educational agency.
A. Exclusive Purposes
NotAI will use student, teacher, and principal data disclosed by the educational agency solely for the purposes expressly authorised by the contract, which are limited to:
- Detecting and analyzing AI-generated and automated activity in student work submitted through the educational agency's digital systems;
- Providing authorship-verification confidence scores and related reports to authorised instructors and administrators of the educational agency; and
- Supporting the educational agency's administration of academic integrity programs.
NotAI will not use such data for any other purpose, including marketing, advertising, re-identification, sale, or the development of commercial products unrelated to the educational services described above.
B. Subcontractor Safeguards
Where NotAI engages a subcontractor or service provider (a "subprocessor") that will have access to student, teacher, or principal data, NotAI binds that subprocessor in writing to data protection and security obligations that are at least as protective as those NotAI owes to the educational agency, including obligations of confidentiality, security, breach notification, audit cooperation, and use limitation. A current list of subprocessors is maintained in Section 5 of the NotAI Privacy Policy, and educational agencies are notified of material changes to this list in advance.
C. Contract Expiration and Data Disposition
Upon expiration or termination of an agreement with an educational agency, or upon the educational agency's earlier written instruction, NotAI will, at the agency's election, (i) securely delete all personally identifiable information from student, teacher, and principal records in its possession or control, or (ii) return such information to the educational agency in a readable electronic format and then delete it, in each case within the period specified by the agency (and in any event within ninety (90) days of expiration or termination absent agency instruction to the contrary). NotAI will provide written confirmation of deletion upon request. This disposition obligation extends to all copies held by NotAI's subprocessors.
D. Challenging Data Accuracy
Parents, eligible students, teachers, and principals who wish to challenge the accuracy of personally identifiable information held by NotAI should direct their request to the contracting educational agency, which is the data controller and is responsible for correcting its education records. The educational agency will coordinate with NotAI to implement any corrections required. Eligible students' rights under 34 CFR § 99.20 (FERPA) and parents' rights under New York Education Law are preserved.
E. Data Storage and Security Protections
Student, teacher, and principal data processed by NotAI is stored on enterprise cloud infrastructure operated by Microsoft Azure, in data centers located within the United States region selected by the educational agency. NotAI applies the following security protections:
- Industry-standard encryption of data at rest using AES-256 with customer-managed keys held in Azure Key Vault;
- Industry-standard encryption of data in transit using TLS 1.2 or higher (TLS 1.3 enabled where supported);
- Role-based access controls and the principle of least privilege for all personnel with access to student data;
- Multi-factor authentication for administrative access;
- Background screening of all personnel with direct access to customer data on or via the production Services, including a fingerprint-based criminal-history check via search of the U.S. Federal Bureau of Investigation Next Generation Identification ("NGI") database conducted through the program operated under Arizona Revised Statutes § 41-1758.01 et seq. (or a successor program of equivalent scope and stringency) for personnel resident in Arizona, or a comparable state-authorized program for personnel resident elsewhere, prior to being granted such access; criminal history is reviewed in accordance with applicable employment-screening laws. This requirement does not apply to professional service providers (such as outside accountants, attorneys, auditors, and similar advisers) who are bound by applicable professional-conduct confidentiality obligations and whose limited access to personal data, if any, is incidental to the provision of their professional services to NotAI rather than processing of customer data on NotAI's behalf in the provision of the Services;
- Continuous monitoring, audit logging, and intrusion detection;
- Regular security reviews and penetration testing; and
- Alignment with the NIST Cybersecurity Framework 2.0 as required by 8 NYCRR § 121.5.
F. Encryption in Motion and at Rest
All personally identifiable information disclosed to NotAI is encrypted in transit using TLS 1.2 or higher (TLS 1.3 where supported) and encrypted at rest using AES-256 with keys managed through Azure Key Vault under the educational agency's region selection. Encryption keys are managed and rotated in accordance with NotAI's cryptographic key management procedures.
G. Written Data-Retention Policy (COPPA § 312.10; NY Ed. Law § 2-d)
NotAI maintains a written data-retention policy governing the personal information it processes from or about children under 13 and students generally. Consistent with 16 C.F.R. § 312.10 (effective 23 June 2025) and NotAI's obligations as a school service provider, that policy records for each category of data (a) the business need that requires retention, (b) the specific business purpose for which the data was collected, and (c) the timeframe within which the data will be deleted.
The operative timeframes are:
- Behavioral session data (keystroke timing, cursor-movement dynamics, scroll and click telemetry collected during a verification session): retained for the shortest of (i) the retention period specified in the educational agency's contract, (ii) the plan-default retention period (7 days on Starter, 30 days on Pro, or the contracted retention period on Enterprise, per Privacy Policy Section 6), and (iii) the period required to complete authorship-verification review for the session, after which the data is deleted.
- Authorship-verification reports and scores: retained for the period specified by the educational agency, not to exceed the academic year in which the assignment was submitted unless the agency instructs otherwise.
- Account and roster data (instructor and administrator accounts, class rosters, institution-provided identity fields): retained for the term of the agreement plus the disposition window described in Section C.
- Security logs and audit records: retained for the period required by applicable law and NotAI's information-security program, and in any event not longer than reasonably necessary to detect, investigate, and respond to security incidents.
- Aggregated and de-identified statistical patterns that are not attributable to any identifiable individual or institution: retained in aggregated form only, consistent with Privacy Policy Sections 3 and 13.5, and not used to reidentify any student.
NotAI does not retain children's personal information for longer than reasonably necessary to fulfil the purposes for which it was collected. The written retention policy is available to the educational agency on request at [email protected] and is reviewed at least annually.
Contact
Questions about this Parents' Bill of Rights or about NotAI's handling of student data may be directed to:
- NotAI Privacy Team: [email protected]
- Mail: IS NOT AI LLC, Attn: Privacy, 7014 E Camelback Rd B100A, Scottsdale, AZ 85251
See also the NotAI Privacy Policy, Section 13 (Children's Privacy & Student Data).