The 10 “must have” Requirements When Choosing an EdTech Supplier

The 10 “must have” Requirements When Choosing an EdTech Supplier: Prioritising Security and Privacy

The latest stats are out: During the 2023/24 financial year, the Australian Centre to Counter Child Exploitation (ACCCE) received almost 59,000 reports of online child abuse. This marked a 45% increase from the previous year with the Australian Federal Police convinced photos are playing a major part in such exploitation.

With that in mind, in today’s digital-first education landscape, selecting the right EdTech supplier to secure children’s data is not only essential, but critical, for ensuring the safety and privacy of students.

In my previous article, I shared why securing school photos should be a major part of any school’s cyber safety strategy in 2025, and if the recent student information system Powerschool breach in the US – the largest at-scale breach of children’s data in US history – hasn’t scared you into reassessing your existing supplier base, it should!

With increasing cybersecurity threats and stricter regulations, schools in 2025 must thoroughly re-evaluate their existing technology providers and break away from any supplier who blatantly or inadvertently puts school/student data at risk.

What schools should lookout for in an EdTech supplier to make the right choice

When deciding on a supplier, I believe there are ‘10 “Must Have” requirements’ which I have compiled into the below checklist to help guide schools during the vendor selection process in 2025. Obviously, I created this checklist from my own experiences in the EdTech industry (would you be surprised to hear its over 13 years now?) – seeking advice from various legal, cyber, data security and privacy experts from around the world – to ensure that my own service – pixevety – ticked all right the boxes. And now that I’ve made that investment, I am ready to share these findings with schools so they can ask the right questions and to ensure other suppliers can answer them, having also invested in becoming responsible school data processors in this era of cyber security and privacy due diligence.

Edtech supplier checklist – The 10 “Must Have” Requirements

1. Data Protection: Can they ensure robust data protection procedures are in place when acting as your data processor? Do they share a customised Agreement?
2. Compliance: Are they compliant with data protection law (e.g. GDPR, FERPA, APPs) including data breach notification? Have they registered with the Regulator?
3. Transparency: Do they support data transparency for your parent community (i.e. update Privacy Policies, targeted notifications)?
4. Data Ownership: Are they clear about who owns the data, the school’s responsibilities, and how your data will be retained, transferred and deleted?
5. Security: Do they provide several layers of security in authentication and access? Do they conduct regular security audits?
6. Reputation: Do they have a long history of successfully serving schools and have they experienced any security/data breach incidents?
7. Employee Competency: Can they demonstrate their employees receive constant/annual training in privacy and security, and that they follow industry best practices (i.e., ISO)?
8. Scalability/Futureproof: Can they guarantee the service is easily scalable to meet the growing/changing needs of schools?
9. Industry Certifications: Can they demonstrate they have achieved global/industry standard certifications or reviews (i.e. ISO, Cyber Essentials Plus, ST4S)?
10. Fair Contract: Is their contract unfair and non-negotiable? (i.e., can only the supplier terminate without cause)?

The key areas are:

• Is the vendor aware of their responsibilities as a data processor? Have they documented what they are?
• Do they have stringent data protection measures in place to protect children’s data?
• Are they compliant with regulatory requirements? Have they registered with the local regulator?
• Do they have the appropriate security measures in place to help prevent any cyber security incident? Do they have a process in place for managing a data breach?
• Do they have a strong reputation in privacy and security, and have they had any incidents in the past?
• Do they provide a transparent contract that protects the school’s interest, and provides fair termination clauses?

Final thoughts

Choosing the right EdTech supplier today is a decision that impacts not only school outcomes but also the safety and privacy of your students. If you need even more incentive, do it for your parents!

By using the above checklist and asking the right questions, schools can confidently select a provider that prioritises security, complies with regulations, and aligns with their values.

Remember, safeguarding student data isn’t just a legal obligation—it’s a critical part of building trust with students, parents, and the wider community—and selecting the right partner in your data processing is no longer a “nice to have” it is a “must have”!