Choosing EdTech for an International School: A Data-Protection Checklist
A copy-and-use checklist for international schools evaluating any new EdTech tool against student-data protection: residency, DPAs, access controls, retention, deletion, and the questions to ask before you sign.
Why a Checklist
Schools adopt new EdTech tools constantly. A reading platform in Term 1, a communication app in Term 2, a translation service introduced by the new EAL coordinator in Term 3. Each one collects something about students or families. Few schools evaluate every addition with the same rigor.
The problem is not carelessness. It is that ad-hoc judgment degrades under volume. When one tool arrives, an IT lead evaluates it thoroughly. When ten arrive across a calendar year, some get a quick skim and a verbal assurance from a vendor's sales rep. By the time a parent submits a data access request, or an accreditor asks for your sub-processor documentation, the gaps are already in place.
A repeatable checklist standardizes what every tool gets evaluated against and creates a paper trail your data protection officer can audit when questions arise.
The Checklist
Data Residency and Hosting
- Confirm where the vendor's primary data infrastructure is physically located (country and cloud region).
- Ask whether student data is ever transferred across borders, and under what legal mechanism (Standard Contractual Clauses, adequacy decision, or equivalent).
- Verify that backup copies are subject to the same residency controls as primary storage.
- Ask whether any AI or analytics processing routes data through additional jurisdictions not covered by the main hosting agreement.
Legal and Contractual
- Request a signed Data Processing Agreement before any contract is finalized.
- Confirm the DPA identifies a specific lawful basis for each category of processing, not just a blanket statement.
- Obtain the vendor's current sub-processor list and ask how you will be notified when sub-processors change.
- Check that the vendor's privacy policy and DPA are consistent. Discrepancies suggest a document created for appearances rather than practice.
- If the vendor makes broad compliance claims in its marketing, ask your DPO to assess the claim against the actual DPA. A vendor's blanket compliance claim is not a substitute for a reviewed agreement.
Access and Permissions
- Ask who within the vendor's organization can access your school's student data, and under what conditions.
- Confirm that all vendor staff access is logged and that logs are available to your school on request.
- Verify that the platform supports role-based access so that teacher-level staff cannot view records restricted to counselors or administrators.
- Confirm that parent portal access is scoped to that family's own records only.
Retention and Deletion
- Obtain the vendor's documented retention schedule for each data category.
- Confirm that student records are deleted within a defined period after a student leaves, or immediately on request.
- Test the deletion workflow: ask the vendor to walk you through exactly what happens, end to end, when a parent submits a right-to-erasure request.
- Confirm that your school can export a complete copy of its data at any point, not only at contract termination.
Family-Facing
- Identify what information, if any, is shared directly with families through a parent portal or notification system.
- Confirm that visibility controls allow your school to determine what parents see, rather than leaving that to the vendor's default settings.
- Ask whether multilingual notifications involve a third-party sub-processor, and whether that processor is named in the DPA.
Operational
- Identify whether teachers can connect personal accounts, free tiers, or third-party integrations to the tool, and assess the data exposure that creates.
- Confirm that staff onboarding includes guidance on what data to enter and what to keep outside the system.
How to Score What You Find
Work through each section and assign a status to every item.
Green: the vendor answered clearly and documentation is in hand. No further action required for this item.
Amber: the vendor gave a verbal assurance but documentation is not yet provided, or the answer was incomplete. Follow up in writing before the contract is signed and before the tool goes live.
Red: the vendor could not answer the question, declined to provide a DPA, or gave an answer that conflicts with another document. Escalate to your data protection officer before proceeding.
Involve your DPO at minimum when any item in the legal and contractual section scores amber or red, when data residency involves a jurisdiction not on your school's approved transfer list, or when the tool will process sensitive categories of data including health or well-being information.
A Worked Example
Consider a generic well-being check-in platform a counselor wants to introduce for weekly student mood tracking. Apply two checklist items.
Data residency. The vendor's documentation states hosting on AWS US-East. The school has EU-resident students. That combination requires Standard Contractual Clauses embedded in the DPA. Score: amber until the DPA is reviewed and the SCCs are confirmed.
Deletion workflow. Asked to describe what happens when a parent requests erasure, the vendor's account manager forwards the question to engineering. After three days, the response is that deletion must be requested via a support ticket and is completed within 30 days. No confirmation receipt is offered. Score: amber. Request a written deletion SLA and a confirmation mechanism before going live.
In this example, the tool is not blocked, but it is not approved until those two documentation gaps are resolved. That is the normal outcome of a thorough evaluation: most tools pass with conditions, not clean sheets.
Evident's Approach
Evident for international schools provides behavior and well-being documentation built for the realities of a multi-jurisdiction campus. The platform is data-minimal and access-controlled: teachers capture structured evidence notes, role-based permissions control visibility across staff, and the full access audit trail is available to school administrators.
Evident runs on US-hosted infrastructure. Data transfers from EU-resident students require Standard Contractual Clauses, and we provide the relevant documentation on request. We do not claim a GDPR certification. We provide a signed DPA, permanent-delete and export controls, and an auditable access trail, and we expect your data protection officer to review the agreement before your school goes live.
One scope note worth stating plainly: Evident is not a statutory safeguarding case-management system. It documents day-to-day behavior and well-being evidence for teachers and counselors. For formal child protection case management, your school should use a purpose-built safeguarding system.
For the wider data protection obligations facing international schools, see the broader GDPR questions for international schools. For specifics on how we store, protect, and delete your school's data, see how Evident handles your school's data.
