Contact us to get a demo of Vidh.

School management platforms handle sensitive data about children. Before you adopt one, here are the security questions every school leader needs to ask.
When a school signs up for a management platform, it is not just purchasing software. It is entrusting a third-party vendor with some of the most sensitive data its institution holds: personal information about children, family financial records, staff details, and years of academic history.
The consequences of a data breach in an educational institution are serious — for families, for the school's reputation, and in many jurisdictions, for the school's legal standing. Despite this, data security is consistently one of the most under-evaluated factors in school technology purchasing decisions.
This is a guide to changing that.
Why School Data Is High-Value Data
School databases contain exactly the kind of information that bad actors find useful: full names, dates of birth, home addresses, contact numbers, and in many cases, payment information. For students who are minors, this data is protected by additional legal frameworks in most countries — frameworks that place specific obligations on anyone who collects and stores it.
Beyond external threats, internal data management matters too. A school with poor permission controls risks staff accessing information they should not have — financial records, medical notes, or personal family information that was shared in confidence.
The Eight Questions to Ask Any EdTech Vendor
1. What security certifications does the platform hold?
Certifications are not a guarantee, but they are a meaningful signal. A platform that has undergone a formal certification process — such as Google's startup certification requirements — has demonstrated that its security practices meet an external standard. Ask for documentation, not just a claim.
2. Is data encrypted in transit and at rest?
This is a baseline requirement, not a differentiating feature. Any platform that cannot confirm both should be removed from consideration immediately.
3. Where is the data stored, and under which jurisdiction?
The country in which data is stored affects which legal framework governs it. For Indian schools, data stored on Indian servers is governed by Indian data protection law. Data stored on servers in other jurisdictions introduces complexity that most schools are not equipped to navigate.
4. Does the platform maintain audit logs?
Audit logs record who did what, and when. If a staff member incorrectly records attendance, modifies a student's fee record, or accesses information outside their role, an audit log creates an accountable trail. Ask to see a sample audit log, and ask how far back logs are retained.
5. How granular are the access controls?
Can the school configure precisely which staff roles can access which modules? Can a teacher be given access to their own class's academic records but not to fee information? Can the transport staff be restricted from any administrative modules beyond their own function? Systems that offer only broad role categories (admin/teacher/parent) are significantly weaker than those offering granular, configurable permissions.
6. What happens to the data if the school ends its subscription?
This question is asked too rarely and matters enormously. Schools should understand exactly how their data is exported, in what format, and what the vendor's data retention and deletion policy is after contract termination. Data that cannot be exported in a usable format creates operational lock-in that is not in the school's interest.
7. Is student data used to train AI models?
As AI features become more common in school platforms, this question becomes critical. Schools need explicit answers — not ambiguous policy language — about whether student data is processed locally, shared with third-party AI providers, or used to improve the platform's models. Consent frameworks for using children's data for AI training purposes are complex and, in many jurisdictions, actively regulated.
8. What is the breach notification policy?
If a security incident occurs, how quickly will the school be notified? What information will be provided? What support will the vendor offer? Schools that have a clear answer to this question before a breach occurs are in a far better position than those who find out the policy when they need to invoke it.
The Internal Security Audit
Beyond evaluating vendors, schools should audit their own practices. Staff who share login credentials, administrators who retain access after leaving the institution, and paper records sitting alongside digital systems are all security vulnerabilities that software cannot fix.
The best school management platform in the world cannot protect data that is being handled carelessly outside of it.
A Framework for Making the Decision
When evaluating data security in EdTech, the question is not whether a platform is perfectly secure — no platform is. The question is whether the vendor takes security seriously as an operational priority, communicates clearly about its practices, and gives the school the tools it needs to manage data responsibly.
Schools that ask these questions before signing are not being obstructionist. They are being professionally responsible with the trust that families have placed in them.
Vidh is a Google-certified startup with granular role-based permissions, comprehensive audit logs, and a clear data management framework. Our team is available to walk school leaders through any security question before or during the evaluation process.