Security Across the K-12 Industry
As cybersecurity and data privacy continue to be critical to schools and districts worldwide, the chart below lists industry standards and shows how they align with PowerSchool's commitment to security. Each item is compared across four columns: Recommended by CoSN, Recommended by CISA, PowerSchool, and Other EdTech Providers; where the chart rates other EdTech providers ("Some vendors" or "Few vendors"), that rating follows the item.
Data Protection & Privacy
- Family Educational Rights and Privacy Act (FERPA) Compliance: Does the vendor adhere to FERPA?
- Children's Online Privacy Protection Act (COPPA) Compliance: Does the vendor meet COPPA requirements?
- State-Specific Compliance: Does the vendor comply with your state's regulations and data privacy laws? (Other EdTech Providers: Some vendors)
- Third-Party Data Sharing: Does the vendor clearly disclose its data-sharing practices and provide contractual safeguards? (Other EdTech Providers: Some vendors)
Hosting Security & Infrastructure
- Cloud Hosting Security: Does the vendor maintain and document the security posture of its cloud hosting environment? (Other EdTech Providers: Some vendors)
- Intrusion Detection & Prevention: Does the vendor detect and prevent cyber intrusions in real time, and support your organization's ability to do the same? (Other EdTech Providers: Few vendors)
- Web Application Firewalls (WAFs): Does the vendor deploy a web application firewall that effectively blocks web-layer attacks? (Other EdTech Providers: Some vendors)
Data Governance & Ownership
- Data Ownership Policy: Does the vendor's policy state that districts retain full ownership of their data? (Other EdTech Providers: Some vendors)
- Privacy Policy Transparency: Does the vendor maintain a transparent, publicly available privacy policy?
- Secure User-Defined Functions (UDFs): Does the vendor run user-defined functions under strict security controls, including least-privilege execution, sandboxed environments, and parameterized inputs to prevent code injection?
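The UDF item above names three controls but does not show what they look like in practice. The following is an added example, not PowerSchool's or any vendor's code: a student lookup written once with string splicing and once with a bound parameter, run first on a full-privilege connection and then on a connection that stands in for the "least-privilege, sandboxed" layer. It uses Python's sqlite3 module; the table, the rows, the injection payloads and the use of SQLite's authorizer hook as the privilege boundary are all assumptions made for illustration.

```python
"""Added example, not PowerSchool's or any vendor's code: what "parameterized
inputs" and "least-privilege execution" look like for a user-defined lookup
that runs against a student table. Uses Python's sqlite3; table, rows and
injection payloads are all constructed here for illustration."""
import os
import shutil
import sqlite3
import tempfile

# Constructed sample rows (not real student records).
STUDENTS = [
    (1, "Ada", "10", "ada@example.edu"),
    (2, "Grace", "11", "grace@example.edu"),
    (3, "Linus", "9", "linus@example.edu"),
]


def build_db(path):
    """Create and populate the table with a full-privilege (admin) connection."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, grade TEXT, email TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?, ?)", STUDENTS)
    conn.commit()
    conn.close()


def _udf_authorizer(action, table, column, dbname, source):
    """Least privilege for the UDF connection: only SELECT, only the students
    table, and never the email column. Anything else (writes, PRAGMA, other
    tables) is denied by SQLite when the statement is compiled."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and table == "students" and column != "email":
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def open_udf_connection(path):
    """Two independent layers: the file is opened read-only, and the
    authorizer above restricts which objects any SQL may touch."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    conn.set_authorizer(_udf_authorizer)
    return conn


def lookup_unsafe(conn, name):
    """VULNERABLE: the caller-supplied name is spliced into the SQL text."""
    return conn.execute(f"SELECT id, name FROM students WHERE name = '{name}'").fetchall()


def lookup_safe(conn, name):
    """Parameterized: the driver binds the value; it is never parsed as SQL."""
    return conn.execute("SELECT id, name FROM students WHERE name = ?", (name,)).fetchall()


def run_checks():
    """Run both lookups with constructed injection payloads on an admin
    connection and on the least-privilege connection; return the outcomes."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "sis.db")
    build_db(path)
    admin = sqlite3.connect(path)
    udf = open_udf_connection(path)
    tautology = "' OR '1'='1"                            # matches every row
    exfil = "' UNION SELECT id, email FROM students --"  # pulls a column the UDF never meant to expose
    results = {
        "unsafe_tautology": lookup_unsafe(admin, tautology),  # all 3 rows
        "safe_tautology": lookup_safe(admin, tautology),      # []: nobody is literally named that
        "unsafe_exfil_admin": lookup_unsafe(admin, exfil),    # emails leak on the admin connection
        "udf_safe_lookup": lookup_safe(udf, "Ada"),           # [(1, 'Ada')]: intended use still works
    }
    try:  # the same injection on the least-privilege connection
        lookup_unsafe(udf, exfil)
        results["unsafe_exfil_udf"] = "leaked"
    except sqlite3.Error as e:
        results["unsafe_exfil_udf"] = f"blocked: {e}"
    try:  # a write attempt from the UDF connection
        udf.execute("DELETE FROM students")
        results["udf_write"] = "allowed"
    except sqlite3.Error as e:
        results["udf_write"] = f"blocked: {e}"
    admin.close()
    udf.close()
    shutil.rmtree(tmpdir, ignore_errors=True)
    return results


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

The two layers are deliberately independent: the parameterized query stops the injection from ever being parsed as SQL, while the authorizer limits what the connection can do even if an unsafe query slips through, so the UNION exfiltration that succeeds on the admin connection is refused on the UDF connection. A production sandbox would add process isolation and resource limits on top; SQLite's authorizer is used here only because it makes the privilege boundary visible in a few lines.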
Role-Based Access & Identity Management
- Role-Based Access Control (RBAC): Does the vendor enforce least-privilege access through role-based control?
- Multi-Factor Authentication (MFA): Does the vendor require multi-factor authentication (MFA) for users? (Other EdTech Providers: Some vendors)
- Audit Logging & Access Reviews: Does the vendor log access to and modifications of data in a way that meets your organization's audit and access-review needs? (Other EdTech Providers: Some vendors)
Advanced Data Protection & Anonymization
- Encryption Standards: Will your data be encrypted at rest and in transit using industry standards (AES-256, TLS 1.2+)?
- Data Masking & Tokenization: Does the vendor use data masking and tokenization for sensitive information?
- HSTS & Secure Communications: Does the vendor enforce secure communication protocols (HSTS, TLS)?
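The encryption and HSTS items above can be verified from the outside rather than taken on a vendor's word. What follows is an added example, not PowerSchool's code: a small checker that parses a Strict-Transport-Security header the way RFC 6797 describes (case-insensitive directive names, a required max-age, repeated directives invalidating the header) and grades it against a policy, plus a TLS-version check and an optional live probe. The one-year max-age threshold, the accepted TLS versions, the sample headers and the probe() helper are assumptions made for this example.

```python
"""Added example, not PowerSchool's code: a checker for the "HSTS & Secure
Communications" and "Encryption Standards" checklist items. The offline
functions evaluate constructed response headers and TLS version strings;
probe() is an optional live check that uses the network. The thresholds
below are an assumed district policy, not a standard quoted from the page."""
import http.client
import ssl

MIN_MAX_AGE = 31536000                  # assumed policy: one year (also the HSTS preload-list minimum)
ACCEPTED_TLS = {"TLSv1.2", "TLSv1.3"}   # names as returned by ssl.SSLSocket.version()

# Constructed sample response headers (not captured from any real vendor).
SAMPLES = {
    "good": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
    "short": {"strict-transport-security": "max-age=300"},
    "disabled": {"Strict-Transport-Security": "max-age=0; includeSubDomains"},
    "absent": {"Content-Type": "text/html"},
}


def parse_hsts(value):
    """Parse a Strict-Transport-Security field value (RFC 6797 section 6.1).
    Returns a policy dict, or None if the header is malformed and would be
    ignored by a conforming browser. Note that browsers also ignore the header
    when it arrives over plain HTTP; that check belongs in the transport probe."""
    out = {"max-age": None, "includesubdomains": False, "preload": False}
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        if name in seen:                 # a repeated directive makes the whole header invalid
            return None
        seen.add(name)
        raw = raw.strip().strip('"')     # the value may be a quoted-string
        if name == "max-age":
            if raw.isdigit():            # delta-seconds: unsigned digits only
                out["max-age"] = int(raw)
        elif name in ("includesubdomains", "preload"):
            out[name] = True
        # unknown directives are ignored, as the RFC requires
    return out


def evaluate_hsts(headers):
    """headers: dict of response header name -> value (names matched
    case-insensitively). Returns (ok, findings)."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, ["no Strict-Transport-Security header"]
    policy = parse_hsts(value)
    if policy is None:
        return False, ["malformed header (repeated directive); browsers ignore it"]
    findings = []
    if policy["max-age"] is None:
        findings.append("max-age directive missing or invalid; browsers ignore the header")
    elif policy["max-age"] == 0:
        findings.append("max-age=0 disables HSTS for this host")
    elif policy["max-age"] < MIN_MAX_AGE:
        findings.append(f"max-age {policy['max-age']} is below the required {MIN_MAX_AGE}")
    if not policy["includesubdomains"]:
        findings.append("includeSubDomains missing; subdomains remain downgradable")
    return not findings, findings


def tls_version_ok(version):
    """True for the protocol versions the assumed policy accepts."""
    return version in ACCEPTED_TLS


def probe(host, port=443, timeout=5):
    """Optional live check (uses the network): returns the negotiated TLS
    version and the response headers of a HEAD request to the site root."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return conn.sock.version(), dict(resp.getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, evaluate_hsts(headers))
```

To use it against a real vendor, call probe() on the hostname, pass the returned headers to evaluate_hsts() and the returned version to tls_version_ok(); a passing HSTS header on one host says nothing about other hostnames the product uses, so each login, API and asset host should be probed separately.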
Data Security Practices
- Incident Response Plan: Does the vendor have a clearly documented breach response process, with notification timelines and recovery procedures? (Other EdTech Providers: Some vendors)
- Data Retention & Deletion Policies: Does the vendor provide a clear timeline for data storage, retention, and secure disposal?
- SOC 2 Type II Attestation: Does the vendor undergo regular third-party audits of its security controls? (Other EdTech Providers: Some vendors)
- ISO 27001 Compliance: Does the vendor follow the international standard for information security management systems (ISO/IEC 27001)? (Other EdTech Providers: Some vendors)
- Penetration Testing & Security Audits: Does the vendor conduct regular internal and external security testing? (Other EdTech Providers: Some vendors)
Red Teaming & AI Security Testing
- Red Team Security Testing: Does the vendor conduct regular adversarial red teaming, with ethical hackers simulating real-world cyberattacks? (Other EdTech Providers: Few vendors)
- Continuous AI Threat Monitoring: Does the vendor monitor AI behavior in real time, detecting malicious input patterns, unauthorized model manipulation, and AI system failures? (Other EdTech Providers: Few vendors)
- AI Security Risk Management: Does the vendor manage the security risks introduced by AI components in its third-party ecosystem? (Other EdTech Providers: Few vendors)
Responsible AI & Data Usage
- AI Transparency & Explainability: Does the vendor clearly explain what its AI systems do and how they make decisions, and disclose training data sources? (Other EdTech Providers: Some vendors)
- Bias & Fairness Testing & Elimination: Does the vendor identify and mitigate bias in its AI systems, promoting fairness and equity in educational outcomes? (Other EdTech Providers: Few vendors)
- Student Profiling Controls: Does the vendor offer clear opt-in/opt-out options for AI-driven recommendations? (Other EdTech Providers: Few vendors)
- Data Minimization: Does the vendor collect only the minimum student data required for functionality? (Other EdTech Providers: Some vendors)
AI-Content Generation
- AI-Generated Content Controls: Is the vendor's AI-generated content moderated and customizable for safe use? (Other EdTech Providers: Some vendors)
- Deepfake & Misinformation Detection: Does the vendor detect and mitigate deepfake and misinformation risks? (Other EdTech Providers: Few vendors)
Reliability & Support
- Uptime & Availability: Does the vendor maintain 99.9% uptime, with public status pages and proactive support?
- Customer Support & SLAs: Does the vendor offer 24/7 support, dedicated account managers, and service-level agreements?
- Disaster Recovery & Business Continuity: Does the vendor have redundant data centers, tested disaster recovery plans, and RTO/RPO guarantees? (Other EdTech Providers: Some vendors)
User Security & Training
- Phishing & Social Engineering Protections: Does the vendor have phishing protection mechanisms to prevent social engineering? (Other EdTech Providers: Some vendors)
- District Admin Training & Awareness: Does the vendor provide cybersecurity training for district administrators? (Other EdTech Providers: Some vendors)
Cybersecurity Insurance & Legal Protections
- Legal Protections & Liability Coverage: Does the vendor offer indemnification clauses protecting districts from vendor negligence? (Other EdTech Providers: Some vendors)
- Cybersecurity Insurance Coverage: Does the vendor have cybersecurity insurance to cover damages in case of an attack? (Other EdTech Providers: Some vendors)
- Liability & Indemnification Clauses: Does the vendor indemnify your organization against security failures? (Other EdTech Providers: Some vendors)