Use these questions when evaluating technology vendors. They are grouped by category so that different reviewers (legal, technical, privacy, finance) can each take the questions in their area. A vendor that struggles to answer a question clearly is telling you something useful about its actual practices.
Data Ownership and Use
- Who owns the data collected through your platform — us or you?
- For what purposes may you use data collected through our use of your service?
- May you use our data to improve products sold to other customers?
- May you use student or user data for advertising, profiling or sale to third parties?
- Does your standard contract state data ownership clearly and unambiguously?
Data Portability and Exit
- Can we export all our data on demand, without your assistance?
- In what format are data exports provided? Are they machine-readable (for example CSV or JSON with a documented schema), rather than PDFs or screenshots?
- Are there any fees for data export during or after the contract period?
- What happens to our data when our contract ends?
- How long after termination do you retain our data, in what form, and does that include backups? Will you confirm deletion in writing?
APIs and Technical Interoperability
- Do you provide a documented, publicly available API specification?
- Which data standards does your API support (Ed-Fi, OneRoster, FHIR, etc.)?
- Is API access included in the base contract, or is it an additional fee?
- Are there any restrictions on which systems we may connect to via your API?
- How do you version your API, and how much advance notice do you give before deprecating a version or making a breaking change?
Privacy and Compliance
- What steps have you taken to comply with FERPA? (for education data)
- What steps have you taken to comply with COPPA? (for data involving children under 13)
- Have you undergone any third-party privacy audits in the last 24 months, and can we see the reports?
- Which subprocessors have access to our data?
- Are subprocessors contractually bound to your privacy requirements?
Security and Accountability
- How is our data encrypted at rest and in transit, and who holds and manages the encryption keys?
- Who within your organization is personally responsible for data privacy compliance?
- What is your process and timeline for notifying us of a security breach, and is that timeline a contractual commitment?
- Have you experienced any data breaches or unauthorized access incidents in the last 3 years?
- Do you provide audit logs of access to our data, including access by your own staff and subprocessors, and can we export them?
Related: See the Responsible Vendor Principles for the framework these questions are based on, and the Data Privacy Checklist for your own organization's practices.