EdTech Supplier Security Scorecard: Assess Your Vendors Before Sharing Pupil Data
Before sharing pupil data with any EdTech vendor, schools have a legal obligation under UK GDPR Article 28 to ensure the vendor provides "sufficient guarantees" of appropriate security. In practice, many schools adopt EdTech tools without any structured assessment — relying on reputation or a quick look at the vendor's website. This scorecard provides a structured framework for assessing EdTech vendors before data sharing begins, and for monitoring vendor security on an ongoing basis.
UK GDPR Article 28: schools must ensure EdTech vendors provide sufficient guarantees of appropriate security before sharing pupil personal data. This is a legal requirement, not a recommendation.
How to Use This Scorecard
Complete one scorecard per significant EdTech vendor — tools that access or process personal data for pupils or staff. Send relevant questions to the vendor before signing any agreement or sharing data. Score each area and use the total to inform your procurement decision. Document the completed scorecard in your vendor register as evidence of due diligence. Review annually and when the vendor changes their terms, security practices, or key certifications.
Section 1: Security Certifications (25 points)
Security certifications provide independent verification of a vendor's security practices.
- [ ] Cyber Essentials certified (current) — 10 points. Evidence: CE certificate number and expiry date.
- [ ] ISO 27001 certified (current, relevant scope) — 15 points. Evidence: ISO 27001 certificate with scope; accreditation body name.
- [ ] SOC 2 Type II report (within 12 months) — 10 points (alternative to ISO 27001). Evidence: SOC 2 report or summary.
- [ ] IASME Governance or equivalent — 5 points (additional). Evidence: IASME certificate.
Section 2: Data Practices (25 points)
Understanding where and how the vendor stores and uses school data.
- [ ] Data stored in UK or EEA — 10 points. Evidence: vendor's privacy policy or data location statement.
- [ ] Data not used for vendor's own commercial purposes (ads, analytics) — 10 points. Evidence: DPA and privacy policy review.
- [ ] Sub-processors disclosed and managed — 5 points. Evidence: DPA with sub-processor list or update mechanism.
Section 3: DPA and Contractual Protections (30 points)
The contractual framework governing data sharing must meet UK GDPR Article 28 requirements.
- [ ] DPA available and comprehensive (covers all Article 28 requirements) — 15 points.
- [ ] Breach notification within 24-48 hours — 10 points. The UK GDPR baseline for a processor notifying the controller is "without undue delay"; a specific contractual timeframe gives the school stronger assurance.
- [ ] Audit rights included — 5 points. The school's right to audit vendor security practices.
- [ ] Data deletion on contract end — 5 points. Clear process for deletion or return of school data.
Scorecard Result Interpretation
Interpret your EdTech vendor scorecard results:
- **70-80 points**: Strong security posture — proceed with appropriate DPA and monitoring
- **50-69 points**: Adequate with gaps — negotiate improvements before sharing sensitive data
- **30-49 points**: Significant concerns — require vendor to achieve Cyber Essentials before sharing pupil data, or seek an alternative vendor
- **Below 30 points**: Do not share pupil personal data with this vendor until security standards are met
Document your scorecard result and the decision made. If proceeding despite a low score, document the risk acceptance rationale.
Frequently Asked Questions
Should we use this scorecard for every EdTech tool?
Apply the full scorecard to any tool that processes sensitive personal data — pupil records, safeguarding data, SEN information, health data, or financial records. For lower-risk tools (for example, a quiz tool that only uses first names), a lighter-touch review focusing on the DPA and data location may be proportionate. Your record of processing activities (ROPA) is a useful guide: if a tool appears in the ROPA, it warrants a scorecard assessment.
What if a vendor won't answer our security questions?
A vendor that cannot or will not provide basic information about their security certifications, data storage location, and DPA availability is a significant risk. For tools processing sensitive pupil data, you should not proceed without this information. Document the vendor's refusal or inability to respond. Consider this a strong signal to seek an alternative vendor. Report the vendor's response (or lack of it) to your DPO.
How often should we re-assess vendors we are already using?
Annually at minimum — aligned with your GDPR audit. Additionally, re-assess when: the vendor announces a data breach or security incident; the vendor significantly changes their terms of service or privacy policy; the vendor is acquired by another company; or you significantly expand the data you share with the vendor. Panorays automates continuous security rating monitoring for your vendor portfolio, alerting you to changes in vendor security posture between formal annual reviews.