Why Vendor Assessment Matters
Your school's data is only as secure as your vendors. Every SIS, LMS, payment processor, and communication platform that handles student or staff data is a potential breach point.
The Online Learning Platform breach exposed 45,000 student records — not because the school was hacked, but because their vendor was.
Use this checklist before signing any contract with a vendor that will process student or staff personal data.
Section 1: Security Practices
Authentication and Access Control
- [ ] Does the platform support multi-factor authentication (MFA)?
- [ ] Can you enforce MFA for all school accounts?
- [ ] Does the vendor use role-based access controls (teachers see only their students' data, etc.)?
- [ ] Does the vendor log who accesses what data and when?
Red flag: "We don't support 2FA yet" or "All admins can see all data."
Data Encryption
- [ ] Is data encrypted at rest (while stored)? What standard? (Look for AES-256)
- [ ] Is data encrypted in transit? (Look for TLS 1.2 or higher — check for HTTPS)
- [ ] Are database backups encrypted?
Red flag: "We use HTTPS" as the only security answer, or vague claims without specifics.
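"We use HTTPS" can be verified rather than taken on trust. The following script is an added example, not part of this checklist or of any vendor's product: it probes a hostname you supply (the `vendor.example` name in the usage block is a placeholder) and reports whether a modern client negotiates TLS 1.2 or higher, whether the server still serves a client that can only speak TLS 1.0/1.1, and whether the certificate chain verifies against your system's trust store. It uses only Python's standard `ssl` and `socket` modules.

```python
"""Probe a vendor's HTTPS endpoint to verify the 'encrypted in transit' claim.

Checks: (1) the TLS version a modern client negotiates, (2) whether the
server still accepts a TLS 1.0/1.1-only client, and (3) whether the
certificate chain validates against the system trust store.
"""
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TlsProbe:
    host: str
    negotiated: Optional[str]  # e.g. "TLSv1.3"; None if no handshake succeeded
    legacy_accepted: bool      # True if a TLS 1.0/1.1-only client was served
    cert_verified: bool        # True if the chain validated with default settings


def _handshake(host: str, port: int, ctx: ssl.SSLContext, timeout: float) -> Optional[str]:
    """Return the negotiated protocol name, or None if the handshake failed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (OSError, ssl.SSLError):
        return None


def probe_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> TlsProbe:
    # 1. Modern client with full verification: what do we actually negotiate?
    strict = ssl.create_default_context()
    negotiated = _handshake(host, port, strict, timeout)
    cert_verified = negotiated is not None

    # If verification failed, retry without it so we still learn the version.
    if negotiated is None:
        lax = ssl.create_default_context()
        lax.check_hostname = False
        lax.verify_mode = ssl.CERT_NONE
        negotiated = _handshake(host, port, lax, timeout)

    # 2. Legacy-only client: will the server still serve TLS 1.0/1.1?
    legacy = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    legacy.check_hostname = False
    legacy.verify_mode = ssl.CERT_NONE
    legacy.maximum_version = ssl.TLSVersion.TLSv1_1
    try:
        # Recent OpenSSL builds refuse TLS < 1.2 at the default security
        # level; lowering it for this one probe lets the legacy test run.
        legacy.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    legacy_accepted = _handshake(host, port, legacy, timeout) is not None

    return TlsProbe(host, negotiated, legacy_accepted, cert_verified)


def _meets_minimum(name: Optional[str]) -> bool:
    """True if a version string such as 'TLSv1.3' or 'TLSv1' is at least TLS 1.2."""
    if not name or not name.startswith("TLSv"):
        return False
    major, _, minor = name[4:].partition(".")
    try:
        return (int(major), int(minor or 0)) >= (1, 2)
    except ValueError:
        return False


def evaluate(probe: TlsProbe) -> List[str]:
    """Turn a probe into checklist findings; an empty list means the item passes."""
    findings = []
    if probe.negotiated is None:
        findings.append("no TLS handshake succeeded: traffic may not be encrypted at all")
    elif not _meets_minimum(probe.negotiated):
        findings.append(f"negotiated {probe.negotiated}, below the TLS 1.2 minimum")
    if probe.legacy_accepted:
        findings.append("server still accepts TLS 1.0/1.1-only clients")
    if not probe.cert_verified:
        findings.append("certificate chain did not verify against the system trust store")
    return findings


if __name__ == "__main__":
    # Placeholder hostname; pass the vendor's real login or API host instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "vendor.example"
    result = probe_endpoint(target)
    print(f"{result.host}: negotiated {result.negotiated}")
    for finding in evaluate(result) or ["passes the encryption-in-transit check"]:
        print(" -", finding)
```

Run it as `python tls_probe.py portal.vendor-domain` against the host your teachers and parents actually log in to. A clean result only covers the transport layer; encryption at rest and backup encryption still need the vendor's written answers.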
Infrastructure and Hosting
- [ ] Where is the data stored? (Philippines? US? EU? Cloud provider and region?)
- [ ] Is the vendor hosted on a reputable cloud provider (AWS, GCP, Azure) or their own servers?
- [ ] Does the vendor have security certifications? (ISO 27001, SOC 2 Type II)
- [ ] How often do they patch and update their systems?
Red flag: "Our servers are in our office" or inability to name their hosting provider.
Incident Response
- [ ] Does the vendor have a documented security incident response plan?
- [ ] Will they notify your school of a breach within 24 hours?
- [ ] Have they experienced a breach before? What happened?
- [ ] Do they have cyber insurance?
Red flag: "That hasn't happened to us" or no documented response plan.
Section 2: Data Privacy and Compliance
Data Privacy Act Compliance
- [ ] Is the vendor registered with the National Privacy Commission (NPC)?
- [ ] Do they have a publicly available privacy policy?
- [ ] Have they signed Data Processing Agreements (DPAs) with other Philippine schools?
- [ ] Are they willing to sign your school's DPA or provide their standard DPA?
Red flag: Unfamiliarity with the NPC or the Data Privacy Act of 2012 (RA 10173).
Data Ownership and Portability
- [ ] Does your school own its data? (It should — never sign a contract where the vendor owns your student data)
- [ ] Can you export all data in standard formats (CSV, PDF) at any time?
- [ ] Can you export without losing formatting or relationships between records?
Red flag: No export option, or "You can request a data export" with a one-week turnaround.
Data Isolation
- [ ] Is your school's data logically or physically isolated from other schools' data?
- [ ] Could a breach at another school on the same platform expose your data?
Red flag: "All schools share one database."
Data Sharing and Third Parties
- [ ] Does the vendor share your data with any third parties?
- [ ] Do they use student data for advertising, analytics, or AI training?
- [ ] Do they use sub-processors? Are those sub-processors disclosed?
Red flag: "We may share data with partners" without specifics, or using student data for ads.
Section 3: Contract and Legal Terms
Data Processing Agreement (DPA)
- [ ] The vendor will sign a Data Processing Agreement before you share any student data
- [ ] The DPA specifies the purpose and legal basis for processing
- [ ] The DPA includes data security requirements
- [ ] The DPA requires breach notification within 24–72 hours
- [ ] The DPA specifies data deletion terms
Data Retention and Deletion
- [ ] How long does the vendor retain your data after contract termination?
- [ ] Will they provide written confirmation that your data has been deleted? By what date?
- [ ] Do their data retention periods align with your school's DPA obligations?
Red flag: Permanent data retention, no deletion clause, or "we keep it as long as we need it."
Contract Exit
- [ ] Is there a termination clause that allows you to leave without excessive penalties?
- [ ] What happens to your data if the vendor goes bankrupt or is acquired?
- [ ] Is there a data transition period (30+ days) to migrate to a new system?
Red flag: Automatic renewal with no cancellation window, or data held hostage during transitions.
Section 4: Operational Fit for Philippine Schools
- [ ] Does the vendor have local (Philippine) support staff or a local representative?
- [ ] Do they understand DepEd compliance requirements (LIS reporting, etc.)?
- [ ] Do they support local payment methods (GCash, Maya, bank transfer)?
- [ ] Do they have references from comparable Philippine schools?
- [ ] Is the interface available in Filipino or designed for Filipino users?
Red flag: All support is via US time zone, no Philippine school references, no understanding of DepEd.
Scoring Your Vendor
After completing the checklist:
- 40+ items checked: Good — proceed with contract review
- 30–39 items checked: Acceptable — identify and document exceptions, consider addendum
- 20–29 items checked: Concerning — negotiate improvements before signing, or reconsider
- Under 20 items checked: High risk — do not proceed without major improvements
Quick Reference: Minimum Requirements
Before signing any contract, these items are non-negotiable:
1. HTTPS and data encryption in transit and at rest
2. Willingness to sign a Data Processing Agreement
3. Your school owns its data
4. You can export all data in standard formats
5. Written data deletion confirmation upon contract end
6. Breach notification within 72 hours