2019-04-14 08:58:00

Checklist: EdTech Due Diligence

By David Eedle
As Co-Founder and CTO of EdSmart, David draws from over 20 years’ experience as a technology leader, investor, entrepreneur and contractor to global Internet and technology businesses. Prior to his focus on technology, he worked in arts and entertainment management. He was also Co-Founder of ArtsHub, the leading online home for arts and cultural workers in Australia, New Zealand and the UK and, consequently, was featured in the book 50 Great eBusinesses and the Minds Behind Them (Random House 2007).

Don’t buy an Edtech product without asking these critical questions of your vendor.

There's rarely a week that passes without news of a technology incident compromising our data and livelihoods. Increasingly, those incidents are impacting schools as they, too, digitally transform and modernise systems. 

Most of the security issues faced by schools around technology are born of accident or ignorance. Australia's new national data breach disclosure reporting shows education is consistently in the top five industries reporting breaches, often due to human error or systems failures that could have been avoided by asking the right questions.

Here are the right questions...

Below is a comprehensive checklist for due diligence on any Edtech vendor or solution that you may download for future reference. If you haven't had these questions answered to satisfaction, you are at risk. 

Download Checklist

Security measures

  • Where is the data hosted and by whom?
  • Does the company certify your data remains in Australia?
  • Is all data encrypted in transit?
  • Is all data encrypted at rest?
  • Are user profiles encrypted in transit?
  • Are user profiles encrypted at rest?
  • How often does the company conduct penetration testing? To what standard? (For example the Open Web Application Security Project, OWASP)

Data access

  • Does the solution include access controls to ensure only authorised staff have access to your data?
  • Does the company conduct regular security training for all staff to prevent inadvertent disclosures?
  • Do all staff in the company with access to your data hold current relevant child protection checks?
  • Has the company provided details of all third parties providing services and/or support for the product or otherwise have access to your data?
  • What physical access controls are in place at the locations from which data may be stored or accessed?
  • Does the company have an internal data management and handling policy?
  • Does the company have a published Notifiable Data Breach Plan?
  • Has the company ever had a data breach? How long ago?


  • Have you audited the product’s functional processes and procedures to ensure compliance with your legal obligations?
  • Does the company have procedures to destroy or retrieve personal information in compliance with the Information Privacy Act 2000 with Privacy Act 1988 (Cth).
  • Does the company regularly review audit logs?
  • Does the company regularly conduct reviews of user access levels?

Quality controls

  • Has the company implemented change control processes to minimise disruption during business hours?
  • Does the company have a Business Continuity Plan in the event of a natural disaster?
  • Does the solution use data loss prevention technologies?
  • What is the Recovery Time Objective?
  • What is the Recovery Point Objective?
  • Does the company make the data available to the customer in an agreed format upon request?
  • How long does the company retain data for?
  • Does the company securely delete the data upon the customer’s request and certify that deletion?

The risk isn't worth it. Practice due diligence and smart technology governance and always ask the right questions.

Download the EdSmart Brochure

Let's talk

Keen to learn how EdSmart could
help transform your school?
Email us at sales@edsmart.com
or call us on +61 3 8560 0980