← Back to School Compliance & Data Practices

NY Education Law §2-d Supplemental Information

Multiple Natures International, LLC — Operative disclosure required by 8 N.Y.C.R.R. Part 121

Last updated: May 13, 2026

Effective: First NYC pilot school contract (date of execution)

This document is required to be made publicly available by New York Education Law §2-d. It is a supplement to and must be read in conjunction with the complete School Data Privacy Agreement and Parent & Student Bill of Rights.

Scope and Purpose

Multiple Natures International, LLC (“MNI”) is an operator under New York Education Law §2-d. This disclosure describes the student and teacher data we collect, the purposes for which we use that data, every third party (subprocessor) that has access to it, how long we retain it, and the security controls we maintain. It is intended to fulfill the operator’s transparency obligations under 8 N.Y.C.R.R. Part 121 and to provide parents, students, and school administrators with full information about our data practices.

1. Student Data Elements Collected

The following student data elements are collected by and stored in the MN School Dashboard:

Data ElementCollection PointType
First name, last nameSchool roster importPersonally identifiable information
Student ID (school-assigned)School roster importPersonally identifiable information
Grade levelSchool roster importEducational record
Class assignmentSchool roster importEducational record
MN/MI self-ratings (19 dimensions, 1–10)Student self-report (MNTEST)Self-assessment of learning and behavioral patterns
NatureType pattern labelsAlgorithmic derivation from self-ratingsInterpreted learning profile
Session logs (login timestamp, page views)Automatic captureActivity log

2. Purposes of Data Use

Student data is used for the following purposes only:

  1. Educational assessment: To provide students and school staff with structured self-recognition of learning patterns and how they tend to show up, enabling more targeted counseling and academic support conversations.
  2. Counselor and teacher support: To help counselors and teachers identify students who may benefit from additional support, and to organize support queues and referral workflows within the school.
  3. Aggregate school-level analytics: To generate summary statistics (e.g., “35% of 9th graders show high Protective Nature”) for school administrators, used for program planning and evaluation. All aggregate reports exclude identifiable student data.
  4. Service improvement: To improve the dashboard and the Multiple Natures framework (de-identified analysis only).
  5. Security and audit: To maintain session logs, detect unauthorized access, and comply with audit obligations.

Data NOT used for: Commercial marketing · targeted advertising · sale to third parties · student placement decisions · disciplinary action · development of a commercial consumer profile · training of any AI or machine-learning model.

3. Teacher and Staff Data

Teacher and school staff data collected includes:

  • First name, last name
  • Email address
  • School role (teacher, counselor, school administrator)
  • Dashboard session and activity logs

Staff data is used for account authentication, access control, and audit logging only. Staff data is not shared with parents or students.

4. Third-Party Subprocessors (Vendor List)

The following third parties have access to student and staff data. All subprocessors are bound by written data protection agreements that meet or exceed the standards required by NY Education Law §2-d.

SubprocessorRoleData ProcessedLocationDPA Status
Cloudflare, Inc. Infrastructure provider — operates the web servers and database that store all student and staff data All student and staff data in transit and at rest; database (D1), object storage (R2), content delivery network US and EU (Cloudflare network); D1 database in US region Cloudflare Customer DPA on file. SOC 2 Type II certified. Certified to comply with NY Ed Law §2-d infrastructure requirements.
Amazon Web Services (SES) Transactional email service — sends staff invitations and school notifications Staff email addresses only. No student personal information is transmitted in email. US (us-east-1) AWS Customer Agreement and DPA on file. SOC 2 Type II certified.
Anthropic, PBC AI support assistant — answers staff questions about dashboard features and the Multiple Natures framework Staff-typed questions only. Student names, IDs, MN/MI rating values, NatureType labels, and all student records are architecturally excluded from every API request. US (data centers) Anthropic API Terms on file. SOC 2 Type II certified. Anthropic does not use API-submitted data for model training per current API terms.
All subprocessors are bound by written agreements prohibiting use of student data for any purpose other than providing the contracted service, prohibiting sale of student data, and requiring deletion of student data upon termination of the vendor relationship.

5. Data Retention and Deletion

Data TypeRetention PeriodAutomatic Deletion
Student names, IDs, grades, class assignments Duration of school contract + 30 days Hard delete on termination or written request
MNTEST assessment values and MN Situation Map outputs Duration of school contract + 30 days Hard delete on termination or written request
Counselor triage notes (free-text) End of school year (June 30) Automatic hard delete on July 1; no backup retained
Session and activity logs 90 days Automatic rolling deletion
Staff data Duration of school contract + 30 days Hard delete on termination or written request

Counselor triage notes are stored for a shorter period than other student data. These notes contain sensitive, free-text observations written by school staff and have no educational value after the school year in which they were written. We delete them automatically on June 30 each year with no backup copy retained. This policy protects student and family privacy and reduces risk of sensitive information being inadvertently disclosed in later years.

On school contract termination or written request, MNI will either export all student data in a standard format (CSV or JSON) within 10 business days or permanently delete all student data within 30 days of written request. Written confirmation of deletion is provided upon request.

6. Parent and Student Rights Under NY Education Law §2-d

Right to Inspect Student Records

Parents and eligible students may request to inspect student data held by MNI. Submit requests to steven@multiplenatures.com with the student name and school name. MNI will provide the data within 14 days.

Right to Correct or Amend Student Records

Parents and eligible students may request correction or deletion of inaccurate student data. MNI will correct or delete inaccurate information and notify the school within 10 days. For data that cannot be corrected (e.g., past assessment values), MNI will flag the record as disputed and document the parent’s correction request.

Right to Challenge and Correct Process

How to file a challenge: A parent or eligible student who believes student data held by MNI is inaccurate or violates student privacy may submit a written challenge to steven@multiplenatures.com, including the student name, school, and specific data in dispute.

MNI’s response timeline: MNI will acknowledge receipt within 5 business days and provide a response within 30 days. If the data is found to be inaccurate, it will be corrected or deleted. If MNI disagrees with the challenge, the parent or student may appeal to the school’s principal or superintendent.

School role: Schools retain ultimate authority over student records. Any unresolved disputes involving interpretation of student data (e.g., whether a student’s assessment is valid) will be escalated to the school for final determination.

7. Breach Notification

Notification timeline: In the event of a confirmed breach of student data, MNI will notify the school’s designated privacy officer within seven (7) calendar days of confirmation — faster than the 10-business-day minimum required by NY Education Law §2-d.

Notification content: The notification will include the nature of the breach, the types of student data affected, the approximate number of students whose data was involved, the date of discovery, steps taken to contain the breach, and a point of contact for further investigation.

Ongoing communication: MNI will provide updates as the investigation progresses and will cooperate fully with the school’s investigation and any required notifications to the New York Department of Education, State agencies, or parents.

8. Data Security Controls

MNI implements the following technical, administrative, and physical controls to protect student and staff data:

  • Encryption in transit: All data transmitted over the internet is encrypted using TLS 1.2 or higher.
  • Encryption at rest: Student data stored in Cloudflare D1 database is encrypted at rest.
  • Access control: Role-based access control (RBAC) restricts database and application access to authorized personnel only. Teachers, counselors, and administrators have separate permission scopes; each can access only their own school’s data.
  • Browser cache protection: All dashboard API responses include the Cache-Control: no-store header to prevent student data from being cached on users’ devices or by CDN proxies.
  • Session security: Session tokens are generated randomly, expire after 30 days of inactivity, and are never exposed in client-accessible storage.
  • Audit logging: All administrative actions (staff invitations, role changes, data exports) are logged with timestamps and actor identity for compliance and incident investigation.
  • Vendor compliance: All subprocessors are required to maintain SOC 2 Type II certification or equivalent security assessment.

Security certifications: MNI’s primary infrastructure provider, Cloudflare, holds current SOC 2 Type II certification audited for Security, Availability, Confidentiality, and Integrity. All subprocessors meet or exceed these standards.

9. Limitations on Use

NY Education Law §2-d prohibits operators from:

  • Selling student data or educational records.
  • Using student data for targeted advertising or marketing to students or families.
  • Using student data to develop a personal profile of a student for non-educational purposes.
  • Using student data to discipline or penalize students.

MNI does not engage in any of these practices. Student data is used solely to operate the MN School Dashboard and improve the Multiple Natures framework (de-identified only).

10. AI and Automated Decision-Making

AI support assistant: The MN School Dashboard includes a staff support assistant powered by Anthropic’s Claude API. The assistant answers questions about dashboard features and Multiple Natures framework concepts. It does not make decisions about students.

Data boundary: Student names, IDs, MN/MI rating values, NatureType labels, and all student records are architecturally excluded from every AI request. The assistant operates on staff-typed questions only.

No automated decisions: The assistant does not make placement, disciplinary, diagnostic, safety, or mental-health decisions. All such decisions remain with school staff and are subject to school policies and procedures.

Full transparency: A detailed AI Transparency Statement describing the assistant’s instruction scope is available to school administrators on request at steven@multiplenatures.com.

11. Data Rights and Conflicts with Other Laws

This disclosure is provided under New York Education Law §2-d. It is supplementary to and does not replace the school’s rights and obligations under:

  • FERPA (Family Educational Rights and Privacy Act, 20 U.S.C. §1232g)
  • COPPA (Children’s Online Privacy Protection Act, 15 U.S.C. §§6501–6506)
  • ESSA (Every Student Succeeds Act, 20 U.S.C. §1232h)
  • The school’s own policies and procedures governing student privacy

In the event of conflict, the law or policy most protective of student privacy controls.

12. Contact Information

Privacy inquiries, breach reports, or challenge requests:

Steven Rudolph
CEO, Multiple Natures International, LLC
steven@multiplenatures.com

Mailing address:

Multiple Natures International, LLC
US

13. Document History

  • v1.0 (May 13, 2026): Initial publication. Effective upon first NYC school pilot contract execution.
Also see: Privacy Policy  ·  School Compliance & Data Practices  ·  Terms & Conditions  ·  Data Privacy Agreement  ·  Parent & Student Bill of Rights