EdSpace News & Insights

    David Eedle
    November 01, 2018

    EdTech Due Diligence Checklist

    Don’t buy an edtech product without asking these critical questions of your vendor.

    There's rarely a week that passes without news of a technology incident compromising our data and livelihoods. Increasingly, those incidents are impacting schools as they too digitally transform and modernise systems. 

    Most of the security issues faced by schools around technology are born of accident or ignorance. Australia's new national data breach disclosure reporting shows education is consistently in the top five industries reporting breaches - often due to human error or systems failures that could have been avoided by asking the right questions.

    Here are the right questions.

    This is a comprehensive checklist for due diligence on any edtech vendor or solution. If you haven't had these questions answered to your satisfaction, you are at risk. A downloadable one-sheet version of the checklist is available if you'd like to share or print it.


    Security measures

    • Where is the data hosted and by whom?
    • Does the company certify your data remains in Australia?
    • Is all data encrypted in transit?
    • Is all data encrypted at rest?
    • Are user profiles encrypted in transit?
    • Are user profiles encrypted at rest?
    • How often does the company conduct penetration testing? To what standard? (For example, the Open Web Application Security Project, OWASP.)

    Data access

    • Does the solution include access controls to ensure only authorised staff have access to your data?
    • Does the company conduct regular security training for all staff to prevent inadvertent disclosures?
    • Do all staff in the company with access to your data hold current relevant child protection checks?
    • Has the company provided details of all third parties that provide services and/or support for the product, or that otherwise have access to your data?
    • What physical access controls are in place at the locations from which data may be stored or accessed?
    • Does the company have an internal data management and handling policy?
    • Does the company have a published Notifiable Data Breach Plan?
    • Has the company ever had a data breach? How long ago?


    • Have you audited the product’s functional processes and procedures to ensure compliance with your legal obligations?
    • Does the company have procedures to destroy or retrieve personal information, in compliance with the Information Privacy Act 2000 and the Privacy Act 1988 (Cth)?
    • Does the company regularly review audit logs?
    • Does the company regularly conduct reviews of user access levels?

    Quality controls

    • Has the company implemented change control processes to minimise disruption during business hours?
    • Does the company have a Business Continuity Plan in the event of a natural disaster?
    • Does the solution use data loss prevention technologies?
    • What is the Recovery Time Objective?
    • What is the Recovery Point Objective?
    • Does the company make the data available to the customer in an agreed format upon request?
    • For how long does the company retain data?
    • Does the company securely delete the data upon the customer’s request and certify that deletion?

    The risk isn't worth it. Practise due diligence and smart technology governance, and always ask the right questions.
