A guide to evaluating the security and suitability of school management software before trusting it with student data. Includes questions to ask and red flags to watch for.
Selecting school management software is one of the most consequential technology decisions a Philippine school can make. It affects every department — from admissions and registrar to finance, academics, and parent communication. When you adopt a school management system, LMS, or any EdTech tool, you're trusting that vendor with your students' most sensitive data.
The Online Learning Platform breach showed what happens when vendors don't take security seriously — 45,000 student records exposed. But security is just one dimension. A poor choice can also lead to workarounds, duplicate data entry, and even mid-year system switches that disrupt the entire school.
Good answers: "Our system replaces your separate enrollment, grading, billing, and communication tools with one integrated platform"
Red flags: The vendor talks about "integrating" with your existing tools rather than replacing them, or requires manual data transfers between modules
Good answers: Support for DepEd compliance requirements, local payment methods (GCash, Maya), and Philippine-specific payroll calculations (SSS, PhilHealth, Pag-IBIG, BIR)
Red flags: The vendor claims "international standards" without demonstrating Philippine-specific features, or requires extensive customization for basic local requirements
Good answers: "In ISO 27001 certified data centers," "AES-256 encryption at rest, TLS 1.2+ in transit," with specific region controls (AWS/GCP/Azure)
Red flags: "We're not sure," storage on office servers, or "We use HTTPS" as the only security measure
Good answers: "Only authorized support staff with audited access," "Role-based access controls with comprehensive audit logging"
Red flags: "Our developers can see everything," "All our staff have access," or vague claims of "industry-standard security"
Good answers: "Logical or physical data isolation per school," "Separate databases per client"
Red flags: "All schools share one database" (co-mingled data)
Good answers: Transparent per-student pricing with all fees disclosed upfront — implementation, training, support tiers, and renewal pricing
Red flags: Hidden implementation fees, tiered support charges not mentioned in initial pricing, or unclear renewal price increases
Good answers: "We have a documented incident response plan and will notify you within 24 hours," with clear escalation procedures
Red flags: "That hasn't happened to us" (everyone is a target), or no documented incident response plan
Good answers: "Yes, here's our NPC registration number," with a standard Data Processing Agreement readily available
Red flags: Unfamiliarity with the NPC or the Data Privacy Act, reluctance to sign a DPA
Good answers: "You own your data — you can export everything in standard formats anytime, and we delete it within 30 days of contract end"
Red flags: Permanent data retention, no export options, or data held hostage
Good answers: Local support staff who understand Philippine school contexts, assistance with data migration, comprehensive training for all user types, and post-implementation support through critical periods (enrollment, grading)
Red flags: Distant help desks with no Philippine school experience, self-service-only onboarding, or no migration assistance
When comparing vendors, create a weighted scoring system:
Rate each vendor across all 10 questions above and request references from schools of comparable size and type. Weight security and data privacy questions more heavily — a great feature set means nothing if student data is compromised.
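A minimal weighted scorecard, added here as an illustration and not taken from any vendor or from the original guide. The question labels, the weights, the 0-5 rating scale and both vendors' ratings are constructed assumptions; the point it shows is that weighting security and data privacy more heavily can reverse the ranking a flat average would give.

```python
# Added example. Labels are shorthand for the ten answer pairs above;
# weights, scale and vendor ratings are constructed for illustration.
MAX_RATING = 5  # assumed scale: 0 = red flag, 5 = strong, documented answer

WEIGHTS = {
    "integrated_platform": 1,
    "philippine_localization": 1,
    "data_storage_encryption": 3,   # security / privacy questions weigh more
    "staff_access_controls": 3,
    "tenant_data_isolation": 3,
    "pricing_transparency": 1,
    "incident_response": 3,
    "npc_dpa_compliance": 3,
    "data_ownership_exit": 2,
    "local_support_onboarding": 1,
}
FLAT = dict.fromkeys(WEIGHTS, 1)    # unweighted baseline for comparison


def score(ratings, weights=WEIGHTS):
    """Weighted score as a percentage of the maximum attainable."""
    missing = sorted(set(weights) - set(ratings))
    if missing:
        # An unanswered question must not silently count as zero or be skipped.
        raise ValueError(f"unrated questions: {missing}")
    for q in weights:
        if not 0 <= ratings[q] <= MAX_RATING:
            raise ValueError(f"{q}: rating {ratings[q]} outside 0-{MAX_RATING}")
    total = sum(weights[q] * ratings[q] for q in weights)
    return round(100 * total / (MAX_RATING * sum(weights.values())), 1)


def rank(vendors, weights=WEIGHTS):
    """Vendor names ordered from highest to lowest score."""
    return sorted(vendors, key=lambda v: score(vendors[v], weights), reverse=True)


# Constructed ratings, in the same order as WEIGHTS.
VENDORS = {
    "vendor_a": dict(zip(WEIGHTS, [5, 5, 3, 2, 2, 5, 2, 3, 3, 5])),  # feature-rich
    "vendor_b": dict(zip(WEIGHTS, [2, 2, 4, 4, 4, 2, 4, 4, 4, 2])),  # security-strong
}

if __name__ == "__main__":
    for name in rank(VENDORS):
        print(name, "weighted:", score(VENDORS[name]),
              "flat:", score(VENDORS[name], FLAT))
```

With these constructed ratings the feature-rich vendor leads on a flat average but falls behind once the security and privacy questions carry their extra weight.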
The right school software vendor should be transparent about both their security practices and their understanding of Philippine school operations. They should be willing to put commitments in writing, demonstrate the system from every user's perspective, and provide local support when you need it. If a vendor can't answer these questions clearly, consider that a red flag — your students' data and your school's operations deserve better.