Bhavesh Pawar

How to Pass a School District Security Questionnaire in 2026 (Before It Kills Your Deal)

You've done a great demo. The school loves the product. Then procurement sends over a 40-question security questionnaire and the deal goes quiet for 3 months — or dies entirely.

This is the most common way edtech deals stall. Not on price. Not on features. On security documentation that the founding team has never thought about.

Here's what districts are actually checking, and how to be ready before they ask.


Why districts send security questionnaires

Schools handle student data: grades, attendance, behavioral records, personally identifiable information about minors. They are responsible for that data under FERPA and a growing stack of state student-privacy laws, and when a product is directed at children under 13, COPPA obligations fall on the vendor as the operator, with the school typically consenting on parents' behalf in the educational context. When they bring in a third-party tool, they're extending that responsibility to you.

The questionnaire isn't bureaucracy. It's the district's way of checking whether you'll hold up your end of that responsibility if something goes wrong.

Districts that skip this step face regulatory penalties and parent backlash. So they don't skip it. And if you can't answer the questions, they go with someone who can.


What the questionnaire actually asks

Most school district security assessments cover the same core areas:

Data handling

  • What student data does your product collect?
  • Where is it stored and in what country?
  • How long do you retain it?
  • Do you share it with any third parties?
  • Do you use student data for advertising or product improvement?

Security controls

  • Is data encrypted in transit and at rest?
  • Do you have multi-factor authentication for admin access?
  • How do you handle access controls — who inside your company can see student data?
  • Do you have a formal incident response plan?
  • When did you last conduct a security audit?

Compliance certifications

  • Do you have a SOC 2 report? Type I or Type II? (SOC 2 is an auditor's attestation report, not a certification.)
  • Do you have a signed Data Processing Agreement template ready?
  • Are you FERPA compliant? COPPA compliant?
  • Do you have a privacy policy that covers student data specifically?

Breach response

  • What is your process if student data is breached?
  • How quickly do you notify affected institutions?
  • Have you had any data breaches in the past 3 years?

What trips most edtech companies up

No SOC 2 report. SOC 2 is voluntary but districts treat it as a baseline signal of seriousness. Without it, you're asking the district to take your word for your security practices. Most won't — especially for products touching student data from minors.

No Data Processing Agreement. To share student records with you without parental consent, a district has to fit you under FERPA's school-official exception, which means a written agreement giving the district direct control over how you use and maintain the data and barring redisclosure; many state student-privacy laws require a specific written data privacy agreement on top of that. If you don't have a DPA template ready, the procurement team has to write one from scratch, and that adds months.

Vague answers about data sharing. If your product uses any third-party analytics, infrastructure, or services that touch student data — Google Analytics, AWS, Mixpanel — those are sub-processors. You need to disclose them. Districts find out eventually, and discovering it after the fact damages trust.

No answer on retention. COPPA now requires that children's personal information be retained only as long as reasonably necessary for the specific purpose it was collected for, and the amended rule requires operators to keep a written retention policy and disclose it in their privacy notice. If you can't state what you keep, why, and for how long, you don't have a compliant product.


How to get ready before the questionnaire arrives

You don't need to have everything perfect before your first school conversation. But you need a plan and a timeline for each of these:

  • SOC 2 Type I — start this process early. Type I attests to your control design at a single point in time; readiness work plus the audit typically takes 3 to 6 months, and Type II then requires an observation period (commonly 3 to 12 months) in which the controls are shown to operate. A Type I report signals to districts that you take security seriously before Type II is complete.
  • Data Processing Agreement template — have a lawyer draft one. It's a one-time cost that unblocks every school deal going forward.
  • Privacy policy — make it education-specific. Generic SaaS privacy policies don't address FERPA or COPPA and districts notice.
  • Sub-processor list — document every third-party service that touches student data. Keep it current.
  • Incident response plan — even a simple written plan is better than none. Districts want to know you've thought about what happens if something goes wrong.

FAQ

Do small school districts send security questionnaires too?
Yes. Smaller districts often use standardized questionnaires from state-level frameworks. The questions are similar to large districts — they just have fewer people reviewing the answers.

What if we can't answer some questions yet?
Be direct. "We are currently working toward a SOC 2 Type I report with an expected completion of Q3 2026" is an acceptable answer. Vague or evasive answers are not. Districts have seen enough vendors to know when someone is hiding something.

Is SOC 2 required to sell to schools?
Not legally required. But districts are increasingly treating it as a procurement requirement, especially for products that handle student data from minors. Without one, you're competing against vendors who have it, and that's a disadvantage you don't need.
