About this framework: These principles describe what responsible data practices look like for technology vendors working with organizations that manage sensitive data. They are intended as a reference for vendor evaluation and procurement decisions.

Technology vendors that work with schools, government agencies and organizations managing sensitive data hold a position of significant trust. The data they access — student records, program data, operational information — belongs to the organizations that collect it and, ultimately, to the individuals it represents. Responsible vendors recognize and honor this responsibility.

The eight principles below describe the commitments that responsible technology vendors make. They are not aspirational language — they represent concrete, testable practices that organizations should require as conditions of procurement.

Principle 1 — Data Ownership Is Clear

Data collected through a vendor's platform belongs to the organization that contracted for the service and, where applicable, to the individuals the data represents. Vendors do not claim ownership of that data and do not treat customer data as an asset of their business.

This means: contracts use clear language that data is owned by the customer. The vendor's terms of service do not contain provisions claiming broad rights over customer data. Data cannot be used as leverage in contract disputes.

Principle 2 — Data Is Used Only for Stated Purposes

Vendors use customer data exclusively for the purposes outlined in the service agreement. Student data is not used for advertising, behavioral profiling, product development for other customers, or sale to third parties. Operational data is not repurposed without explicit customer authorization.

This means: vendor contracts specify exactly what the data will be used for. Privacy policies are written in plain language that describes actual practices, not legal hedge language.

Principle 3 — Data Is Portable and Exportable

Customers can export a complete, structured copy of all their data at any time, not only at contract termination. Exports are provided in standard formats that can be used by other systems. Export capability does not require vendor assistance for routine operations and does not incur unreasonable fees.

Principle 4 — Data Is Deleted Completely on Request

When a customer terminates service or requests data deletion, the vendor deletes all copies of customer data within a defined and reasonable timeframe — including backups, disaster recovery copies and data held by subprocessors. The vendor provides documentation confirming deletion.

Principle 5 — APIs Are Open and Documented

Vendors provide well-documented, standards-compliant APIs that allow customers to connect their systems to other platforms. API access is not restricted in order to block competing integrations. Vendors support current industry standards (Ed-Fi, 1EdTech, FHIR, or applicable equivalents).

Principle 6 — Security Practices Are Transparent

Vendors maintain and share documentation of their security practices, including encryption standards, access controls, vulnerability management and incident response. They undergo periodic third-party security audits and share summary results with customers. They provide timely, clear notification of security incidents.

Principle 7 — Subprocessors Are Disclosed and Bound

Vendors disclose all subprocessors (third-party services that have access to customer data). Subprocessors are contractually bound to privacy and security requirements at least as stringent as the vendor's own. Customers are notified of material changes to the subprocessor list.

Principle 8 — Accountability Is Specific

Vendors designate specific named individuals responsible for data protection compliance, vendor-customer data disputes and incident response. "Our team" and "the organization" are not sufficient — accountability requires a real person with authority and contact information.

Vendor Self-Assessment Checklist

Vendors evaluating their own practices against these principles can use this checklist as a starting point:

  • Our contracts clearly state that customer data is owned by the customer
  • Our privacy policy describes actual data use practices in plain language
  • We do not use customer data for advertising or sale to third parties
  • We do not use student data for product development shared with other customers
  • Customers can export all their data on demand without our assistance
  • We provide data exports in standard, machine-readable formats
  • We delete all customer data within 60 days of termination
  • We provide written confirmation of data deletion upon request
  • We support at least one current industry data standard (Ed-Fi, OneRoster, etc.)
  • Our API documentation is publicly available
  • We provide customers with a list of all subprocessors with access to their data
  • All subprocessors are bound by contract to our privacy and security requirements
  • We conduct annual third-party security audits
  • We have a named Data Protection Officer or equivalent responsible party
  • We notify customers of security incidents within 72 hours of discovery

Questions Buyers Should Ask Vendors

  • Who owns the data collected through your platform? Can I see that stated clearly in the contract?
  • Can I export all of my data at any time, in a standard format, without your assistance?
  • What data standards does your API support?
  • Which subprocessors have access to our data?
  • Who within your organization is personally responsible for our data's privacy and security?
  • What happens to our data when our contract ends?
  • Have you undergone a third-party security audit in the last 12 months?
  • What is your process when a security incident occurs?
  • Does your contract permit you to use our data for product development for other customers?
  • Are there any fee limitations on data export?
  • How long before you delete our data if we request deletion during an active contract?
  • What would prevent us from switching to a different vendor if we chose to?

Related Resources