
In December 2024, PowerSchool suffered a massive data breach that exposed the personal information of approximately 62.4 million students and 9.5 million educators across North America (BleepingComputer, 2025). The breach happened because of a single compromised employee credential and a lack of multi-factor authentication on a critical support portal (TechTarget, 2025). Privacy regulators have since emphasised that schools bear responsibility for vetting their vendors' security practices.
This changes everything for how schools should evaluate EdTech providers. Whether you're considering a virtual science lab, a learning management system, or any software that touches student data, you need to ask harder questions. Here are ten questions every school should ask before signing a contract.
1. Where Is Our Data Stored?
This isn't just about knowing the country. You need specifics:
- Which cloud provider? (AWS, Google Cloud, Azure, or self-hosted?)
- Which region? (EU schools may require EU-based servers for GDPR)
- Is data ever transferred internationally?
- Are backups stored in a different location?
A vendor who can't answer these questions precisely probably hasn't thought carefully about their data architecture. The UK Information Commissioner's Office specifically requires organisations to know where personal data is processed (ICO, 2024).
2. Do You Have SOC 2 or ISO 27001 Certification?
SOC 2 (System and Organization Controls) is a security audit performed by independent accountants that proves a vendor's security controls actually work, not just that they exist on paper (AICPA, 2024). There are two types:
- Type I: Confirms controls exist at a point in time
- Type II: Confirms controls worked consistently over 6-12 months (more rigorous)
ISO 27001 is an international equivalent recognised in over 160 countries (ISO, 2022). If a vendor has neither, ask what third-party validation they do have. "We take security seriously" is not a certification.
3. Who Has Access to Student Data?
The PowerSchool breach happened through a customer support portal that lacked proper access controls. Ask vendors:
- How many employees can access student data?
- Is access logged and auditable?
- Do support staff need your permission before accessing your data?
- Are contractors and third parties included in access controls?
The principle of least privilege, a core requirement in frameworks like the NIST Cybersecurity Framework (NIST, 2024), means employees should have access only to the minimum data needed for their job. If "everyone in support" can see student records, that's a red flag.
4. Do You Use Multi-Factor Authentication?
PowerSchool's breach could have been prevented with MFA. According to Microsoft, MFA blocks 99.9% of automated attacks (Microsoft, 2019). Ask specifically:
- Is MFA required for all employee accounts?
- Is MFA required for administrative portals?
- Is MFA available for school admin accounts?
- What MFA methods are supported? (App-based is stronger than SMS)
If a vendor doesn't enforce MFA internally, they're not following basic security hygiene in 2026.
5. What Third-Party Services Touch Our Data?
Many EdTech platforms use external services for analytics, error tracking, AI features, or hosting. Each one is a potential leak point. Under GDPR, vendors must disclose all sub-processors who handle personal data (EDPB, 2024). Ask for a complete list and what data each one receives.
Watch out for:
- Analytics platforms (Google Analytics, Mixpanel) that may track student behaviour
- AI services that process student work for grading or feedback
- Customer support tools that may store conversation logs
- Error tracking that might capture sensitive data in crash reports
A vendor with "no third-party analytics on student-facing applications" is making a meaningful commitment.
6. What Is Your AI Data Policy?
With AI-powered EdTech becoming common, understanding how vendors handle AI and student data is crucial. The Future of Privacy Forum's research on AI governance provides useful frameworks for evaluating these policies (FPF, 2024). Ask about:
- Do you use student data to train AI models? If so, is this opt-in or opt-out?
- Can schools choose whether to participate?
- Is the AI processing done on your infrastructure or sent to third parties?
- What happens to student work after it's processed?
The key is transparency. A vendor should clearly explain their approach and give schools meaningful control over how student data is used for AI purposes.
7. What's Your Data Retention Policy?
Data that doesn't exist can't be breached. GDPR's data minimisation principle requires organisations to keep personal data only as long as necessary (ICO, 2024). Ask:
- How long is student data kept after a student leaves the platform?
- Can schools request early deletion?
- What happens to data if we cancel our subscription?
- Are backups also deleted, or do they persist?
A vendor keeping student data indefinitely "just in case" is a liability.
8. What Happens If There's a Breach?
Every vendor should have an incident response plan. GDPR requires notification within 72 hours (ICO, 2024). Ask:
- How quickly will you notify us of a breach?
- What information will the notification include?
- Do you have cybersecurity insurance?
- Will you provide credit monitoring for affected students?
PowerSchool took weeks to fully disclose the scope of their breach, and some schools reported learning about it from media reports rather than official notification. Clear contractual commitments on notification timelines matter.
9. Can We Get a Data Processing Agreement?
A Data Processing Agreement (DPA) is a legal contract required under GDPR Article 28 that defines how a vendor handles your data (GDPR.eu, 2024). It should specify:
- What data is collected and why
- How data is protected
- Sub-processor lists
- Breach notification procedures
- Data deletion upon termination
If a vendor can't provide a DPA, they're probably not ready to work with schools that take compliance seriously.
10. How Do You Protect Our School's Data?
Most EdTech platforms host many schools on shared infrastructure, so you need to understand how your data is kept separate from other schools' data. The NIST Cybersecurity Framework recommends defence-in-depth approaches. Ask about:
- Encryption: Is your school's data encrypted with keys specific to your organisation?
- Access controls: What prevents users from one school accessing another school's data?
- Audit logging: Are all data access attempts logged and monitored?
- Penetration testing: Has an independent security firm tested the platform?
Look for vendors who can explain specifically how they isolate and protect your data, whether through encryption, access controls, or architectural design.
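As an added illustration of the controls behind questions 3 and 10, not code from WhimsyLabs or any vendor, the hypothetical `fetch_record` function below scopes every lookup to the requesting school, admits support staff only during a consent window the school has granted, and writes every attempt, allowed or denied, to an audit log. The records, role names and consent window are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data: two schools sharing one platform, one record each.
RECORDS = {
    "rec-1": {"school_id": "school-A", "student": "Alice", "grade": "B+"},
    "rec-2": {"school_id": "school-B", "student": "Bob", "grade": "A-"},
}

@dataclass
class User:
    name: str
    role: str                  # hypothetical roles: "teacher" or "support"
    school_id: Optional[str]   # support staff belong to no school

@dataclass
class AccessContext:
    # school_id -> expiry of the consent window the school granted to support
    support_consent: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def grant_support_access(self, school_id, now, hours=4):
        """School explicitly opens a time-bound window for vendor support (question 3)."""
        self.support_consent[school_id] = now + timedelta(hours=hours)

def fetch_record(ctx, user, record_id, now):
    """Return a record only if the user is entitled to it; log every attempt (question 10)."""
    record = RECORDS.get(record_id)
    owner = record["school_id"] if record else None
    if record is None:
        decision = "denied: no such record"
    elif user.role == "teacher":
        # Tenant isolation: a teacher can only see records owned by their own school.
        decision = "allowed" if user.school_id == owner else "denied: cross-school access"
    elif user.role == "support":
        # Least privilege: support sees nothing unless the school's consent window is open.
        expiry = ctx.support_consent.get(owner)
        decision = "allowed" if expiry and now < expiry else "denied: no active consent"
    else:
        decision = "denied: unknown role"
    # Every attempt is logged, including denials, so the school can audit access later.
    ctx.audit_log.append({"when": now.isoformat(), "who": user.name,
                          "record": record_id, "school": owner, "decision": decision})
    return record if decision == "allowed" else None
```

In a real platform the school identifier would come from the authenticated session, never from the request, and the audit log would be written to tamper-evident storage.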
The New Reality for Schools
The PowerSchool breach has changed the regulatory landscape. Privacy commissioners have made clear that schools can't simply trust vendors; they must verify. This means these ten questions aren't just good practice. They're becoming a legal requirement.
Document the answers you receive. Include security requirements in your contracts. And don't be afraid to walk away from vendors who can't provide clear answers.
At WhimsyLabs, we believe transparency builds trust. We're happy to answer all ten of these questions for any school considering our virtual science labs. Get in touch and we'll send you our complete security documentation.
References
- AICPA. (2024). SOC 2 - SOC for Service Organizations: Trust Services Criteria. American Institute of Certified Public Accountants. https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2
- BleepingComputer. (2025, January 22). PowerSchool hacker claims they stole data of 62 million students. BleepingComputer. https://www.bleepingcomputer.com/news/security/powerschool-hacker-claims-they-stole-data-of-62-million-students/
- European Data Protection Board. (2024). Guidelines on the concepts of controller and processor. EDPB. https://www.edpb.europa.eu/
- Future of Privacy Forum. (2024). Center for Artificial Intelligence. FPF. https://fpf.org/issue/ai-ml/
- GDPR.eu. (2024). What is a Data Processing Agreement? GDPR.eu. https://gdpr.eu/what-is-data-processing-agreement/
- Information Commissioner's Office. (2024). International transfers of personal data. ICO. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/
- Information Commissioner's Office. (2024). Personal data breaches. ICO. https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/
- Information Commissioner's Office. (2024). Guide to the UK GDPR. ICO. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/
- ISO. (2022). ISO/IEC 27001:2022 Information Security Management. International Organization for Standardization. https://www.iso.org/standard/27001
- Microsoft. (2019). One simple action you can take to prevent 99.9% of attacks on your accounts. Microsoft Security Blog. https://www.microsoft.com/en-us/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/
- NIST. (2024). Cybersecurity Framework 2.0. National Institute of Standards and Technology. https://www.nist.gov/cyberframework
- TechTarget. (2025). PowerSchool data breach: Explaining how it happened. TechTarget. https://www.techtarget.com/whatis/feature/PowerSchool-data-breach-Explaining-how-it-happened
- US Department of Education. (2024). Student Privacy Policy Office. Protecting Student Privacy. https://studentprivacy.ed.gov/
- Information Commissioner's Office. (2024). Children and the UK GDPR. ICO. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/children-and-the-uk-gdpr/
