EdTech Vendor Due Diligence: How Schools Should Assess the Security of Education Technology Suppliers
Schools share pupil personal data with dozens of EdTech vendors — and remain responsible for that data under UK GDPR even when it is held by a supplier. The MOVEit breach (2023), Pearson breach (2018), and Capita breach (2023) all demonstrated that EdTech supply chain security can fail in ways that expose pupil data without any failure on the school's own systems. Yet many schools adopt new EdTech tools without any formal security assessment, signing up to vendor terms that provide minimal data protection guarantees and sharing data with platforms whose security practices are unknown.
Why EdTech Due Diligence Matters
Under UK GDPR Article 28, schools must only use processors that provide sufficient guarantees about appropriate technical and organisational security measures. This is not a recommendation — it is a legal requirement. Before sharing pupil data with any EdTech vendor, schools must have assessed the vendor's security practices and have a signed Data Processing Agreement in place. In practice, many schools do not conduct meaningful security due diligence on EdTech vendors — particularly for free tools or those adopted informally by individual teachers. The ICO has made clear that using a free tool does not reduce the school's obligations: if that tool processes personal data, the full GDPR obligations apply.
The Due Diligence Questions Schools Should Ask
Before adopting any EdTech tool that will process pupil personal data, schools should ask vendors:
- Where is data stored — UK, EEA, or third countries? (Third-country transfers require additional safeguards)
- What security certifications do you hold — Cyber Essentials, ISO 27001, SOC 2 Type II?
- How is data encrypted — at rest and in transit?
- Who has access to school data within your organisation?
- How will you notify us of a data breach, and within what timeframe?
- What are your data retention and deletion practices?
- Do you subcontract data processing to other vendors (sub-processors)?
- Can we audit your security practices?
Data Processing Agreements: What Must Be Included
A Data Processing Agreement (DPA) is a legally binding contract that must be in place before any vendor processes pupil personal data. Under UK GDPR Article 28, the DPA must include:
- The subject matter and duration of processing
- The nature and purpose of processing
- The type of data and categories of individuals
- The obligations and rights of the controller (school)
- That the processor will only process data on the controller's documented instructions
- Confidentiality obligations for persons with access to the data
- Security measures the processor will implement
- Sub-processor management
- Assistance with data subject rights requests
- Deletion or return of data at the end of the contract
- Audit rights for the controller
Building EdTech Security Into Procurement
The best time to assess EdTech vendor security is before adoption, not after pupil data has already been shared. Schools should build security questions into any procurement process — including informal adoption of free tools. A simple one-page security questionnaire sent to vendors before data sharing begins creates a documented record of due diligence and identifies vendors that cannot demonstrate basic security practices. MATs procuring EdTech on behalf of multiple schools should develop a standard due diligence process and approved vendor list that individual schools can reference, rather than each school conducting independent assessments.
Frequently Asked Questions
Does a school need a DPA with every EdTech vendor, including free tools?
Yes, if the free tool processes personal data on behalf of the school. Many free EdTech tools are funded by advertising or data monetisation — which may not be compatible with UK GDPR requirements for schools. Schools should review the terms of service for any free EdTech tool to determine whether a DPA is available and whether the tool's data practices are compatible with the school's GDPR obligations.
What should schools do if a vendor cannot provide a DPA?
If a vendor processes pupil personal data but cannot or will not sign a DPA, the school should not use that vendor for processing personal data. This is a legal requirement, not a recommendation. Schools should document the outcome of any DPA request and the decision made. Alternative tools that can provide appropriate contractual protections should be sought.
How often should schools review their EdTech vendor list?
Schools should review their list of data processing vendors at least annually, and whenever significant new tools are adopted or existing tools change their terms of service. The annual review should confirm that DPAs are in place, that data sharing is still necessary and proportionate, and that vendor security certifications remain current. A log of when each DPA was last reviewed should be maintained as part of the Record of Processing Activities (ROPA).