Vendor Security Assessment Checklist for Schools

A printable checklist for evaluating any software vendor or cloud service before trusting them with student data. Covers security, privacy, and contract requirements.

Why Vendor Assessment Matters

Your school's data is only as secure as your vendors. Every SIS, LMS, payment processor, and communication platform that handles student or staff data is a potential breach point.

The Online Learning Platform breach exposed 45,000 student records — not because the school was hacked, but because their vendor was.

Use this checklist before signing any contract with a vendor that will process student or staff personal data.


Section 1: Security Practices

Authentication and Access Control

  • [ ] Does the platform support multi-factor authentication (MFA)?
  • [ ] Can you enforce MFA for all school accounts?
  • [ ] Does the vendor use role-based access controls (teachers see only their students' data, etc.)?
  • [ ] Does the vendor log who accesses what data and when?

Red flag: "We don't support 2FA yet" or "All admins can see all data."

Data Encryption

  • [ ] Is data encrypted at rest (while stored)? What standard? (Look for AES-256)
  • [ ] Is data encrypted in transit? (Look for TLS 1.2 or higher — check for HTTPS)
  • [ ] Are database backups encrypted?

Red flag: "We use HTTPS" as the only security answer, or vague claims without specifics.

Infrastructure and Hosting

  • [ ] Where is the data stored? (Philippines? US? EU? Cloud provider and region?)
  • [ ] Is the vendor hosted on a reputable cloud provider (AWS, GCP, Azure) or their own servers?
  • [ ] Does the vendor have security certifications? (ISO 27001, SOC 2 Type II)
  • [ ] How often do they patch and update their systems?

Red flag: "Our servers are in our office" or inability to name their hosting provider.

Incident Response

  • [ ] Does the vendor have a documented security incident response plan?
  • [ ] Will they notify your school of a breach within 24 hours?
  • [ ] Have they experienced a breach before? What happened?
  • [ ] Do they have cyber insurance?

Red flag: "That hasn't happened to us" or no documented response plan.


Section 2: Data Privacy and Compliance

Data Privacy Act Compliance

  • [ ] Is the vendor registered with the National Privacy Commission (NPC)?
  • [ ] Do they have a publicly available privacy policy?
  • [ ] Have they signed Data Processing Agreements (DPAs) with other Philippine schools?
  • [ ] Are they willing to sign your school's DPA or provide their standard DPA?

Red flag: Unfamiliarity with the NPC or the Data Privacy Act of 2012 (RA 10173).

Data Ownership and Portability

  • [ ] Does your school own its data? (It should — never sign a contract where the vendor owns your student data)
  • [ ] Can you export all data in standard formats (CSV, PDF) at any time?
  • [ ] Can you export without losing formatting or relationships between records?

Red flag: No export option, or "You can request a data export" with a one-week turnaround.

Data Isolation

  • [ ] Is your school's data logically or physically isolated from other schools' data?
  • [ ] Could a breach at another school on the same platform expose your data?

Red flag: "All schools share one database."

Data Sharing and Third Parties

  • [ ] Does the vendor share your data with any third parties?
  • [ ] Do they use student data for advertising, analytics, or AI training?
  • [ ] Do they use sub-processors? Are those sub-processors disclosed?

Red flag: "We may share data with partners" without specifics, or using student data for ads.


Section 3: Contract and Legal Terms

Data Processing Agreement (DPA)

  • [ ] The vendor will sign a Data Processing Agreement before you share any student data
  • [ ] The DPA specifies the purpose and legal basis for processing
  • [ ] The DPA includes data security requirements
  • [ ] The DPA requires breach notification within 24–72 hours
  • [ ] The DPA specifies data deletion terms

Data Retention and Deletion

  • [ ] How long does the vendor retain your data after contract termination?
  • [ ] Will they provide written confirmation that your data has been deleted? By what date?
  • [ ] Do their data retention periods align with your school's DPA obligations?

Red flag: Permanent data retention, no deletion clause, or "we keep it as long as we need it."

Contract Exit

  • [ ] Is there a termination clause that allows you to leave without excessive penalties?
  • [ ] What happens to your data if the vendor goes bankrupt or is acquired?
  • [ ] Is there a data transition period (30+ days) to migrate to a new system?

Red flag: Automatic renewal with no cancellation window, or data held hostage during transitions.


Section 4: Operational Fit for Philippine Schools

  • [ ] Does the vendor have local (Philippine) support staff or a local representative?
  • [ ] Do they understand DepEd compliance requirements (LIS reporting, etc.)?
  • [ ] Do they support local payment methods (GCash, Maya, bank transfer)?
  • [ ] Do they have references from comparable Philippine schools?
  • [ ] Is the interface available in Filipino or designed for Filipino users?

Red flag: Support is only available during US business hours, no Philippine school references, no understanding of DepEd.


Scoring Your Vendor

After completing the checklist:

  • 40+ items checked: Good — proceed with contract review
  • 30–39 items checked: Acceptable — identify and document exceptions, consider addendum
  • 20–29 items checked: Concerning — negotiate improvements before signing, or reconsider
  • Under 20 items checked: High risk — do not proceed without major improvements

Quick Reference: Minimum Requirements

Before signing any contract, these items are non-negotiable:

  1. HTTPS and data encryption in transit and at rest
  2. Willingness to sign a Data Processing Agreement
  3. Your school owns its data
  4. You can export all data in standard formats
  5. Written data deletion confirmation upon contract end
  6. Breach notification within 72 hours