Vendor Risk & Data Privacy Guide for Schools (California Edition)

Schools rely on edtech tools to function — from learning platforms to lunch systems.

But every vendor you approve is a potential gateway to student data exposure. That’s why California law (AB 1584) and federal requirements (like FERPA) require districts to evaluate vendor risk and use Data Privacy Agreements (DPAs).

This page helps K–12 leaders and staff understand what to ask, what to avoid, and how to stay compliant when reviewing new technology tools.

📌 What AB 1584 Requires (Plain Language)

California schools must ensure that the contract with any third-party service that stores student data includes the following:

  • Student data is owned by the school/district
  • Data won’t be used for advertising
  • Parents can inspect and review student records
  • Secure procedures are in place for data breach response
  • Data will be deleted at contract termination

If your tool doesn’t meet those criteria — or if you don’t have that in writing — you’re out of compliance.

🧾 What to Ask Before Approving a Vendor

  • What student or staff data will be collected?
  • Is the data encrypted at rest and in transit?
  • Who has access to the data — including subcontractors?
  • Where is the data stored (U.S. or foreign servers)?
  • Is there a Data Privacy Agreement (DPA) available?
  • What’s their policy for breach notification?

🚩 Vendor Red Flags

  • “We don’t need a DPA — we’re FERPA compliant by default”
  • Broad language like “we may use data to improve our services”
  • Data stored in international locations without clarity
  • No clear breach reporting process
  • Terms of service that override your school’s policy

✅ DPA Checklist (For District Approval)

Your district’s DPA should include:

  • Ownership and control of student data remains with the district
  • Prohibition on targeted advertising or third-party sales
  • Breach notification timeline (usually within 72 hours)
  • Description of encryption and security practices
  • Process for data deletion at contract end
  • Contact info for the vendor’s data protection officer

🧠 Who Should Be Involved?

  • IT Team: Vet security practices, storage methods, and integrations
  • Leadership/Business Office: Review contract terms and risk level
  • Teachers/Admins: Know what’s approved and what’s not
  • MSP (if applicable): Help with tech due diligence and breach response

💡 Final Word

Every edtech tool brings risk and responsibility. When schools ask better questions, they make safer choices.

Cybersecure California is here to help you evaluate vendors with confidence, stay compliant with AB 1584 and FERPA, and protect your community’s most sensitive data.

Use this guide before you approve. And say no when the answers aren’t clear.