
SOC 2 for edtech companies

Edtech vendors handle student records, and often the data of minors, which puts SOC 2 alongside education-specific laws like FERPA and COPPA. This guide explains how the pieces fit and how to scope an audit that actually answers what schools and universities ask.

Why edtech buyers ask for SOC 2

School districts, universities, and the enterprises that sell into education have grown far more rigorous about vendor security, and SOC 2 has become the most common way they verify it. A SOC 2 report gives a procurement office an independent attestation it can read once and reuse, which is far more efficient than running a bespoke security review of every classroom app. For edtech selling above the small-business tier, SOC 2 increasingly functions as a price of entry, especially where state or institutional policy requires evidence of security maturity. It does not by itself prove compliance with education privacy law, but it demonstrates that the controls protecting student data are designed and operating as described. That combination of independence and reusability is exactly why it shows up in so many edtech RFPs.

FERPA, COPPA, and the regulatory backdrop

Edtech operates under overlapping privacy regimes that SOC 2 complements rather than replaces. FERPA governs education records and treats many vendors as school officials acting under the institution's direction, which constrains how student data can be used and shared. COPPA governs the online collection of personal information from children under 13, and its updated rule, which took effect June 23, 2025 with a compliance deadline of April 22, 2026, tightened requirements around parental consent and third-party uses such as targeted advertising. A growing patchwork of state student-privacy laws adds further obligations. A recurring theme across all of these is that data collected to provide an educational service may not be repurposed for unrelated commercial uses, a line edtech vendors must hold firmly.

Scoping SOC 2 for student data

Security is mandatory in every SOC 2, and for most edtech platforms it is the natural lead because it covers the access control, encryption, monitoring, and incident response that buyers ask about first. Confidentiality is a strong addition where contracts restrict the use and sharing of student records, which is common in education agreements. Privacy is worth serious consideration when you collect personal information directly from students or their families, because it forces you to document consent, collection, use, retention, and disposal in a way that aligns naturally with FERPA and COPPA thinking. Availability can matter for platforms tied to instruction time or assessments. Scope to what your buyers actually request rather than collecting criteria for their own sake, since each added category expands the audit.

Data minimization and minors' data

The single most effective control for an edtech company is collecting less data in the first place, because data you never hold cannot be breached, misused, or subpoenaed. Map what you collect, why each field exists, and how long you keep it, then aggressively prune fields that do not serve a clear educational purpose. For products used by children, build consent and age-gating into the design rather than bolting it on, and keep contractual data-use restrictions enforceable in your actual systems, not just your policies. Retention and deletion deserve special care: districts and parents increasingly expect timely deletion when a student leaves or a contract ends. Designing for minimization up front also shrinks your SOC 2 scope and makes the audit cheaper and cleaner.

How SOC 2 fits with education privacy obligations

Think of SOC 2 as the security and operational backbone, and FERPA, COPPA, and state laws as the specific legal duties layered on top. A practical approach is to use the SOC 2 report as the core assurance artifact while mapping its controls to the education-specific requirements your customers cite, sometimes called a SOC 2-plus approach where additional subject matter is examined alongside the standard criteria. Pair the report with a clear data-processing addendum, a public privacy policy, and a list of subprocessors so a district can complete its own due diligence quickly. Start with a readiness assessment to find gaps, then pursue a Type 1 followed by a Type 2 as your sales cycle demands. Remember that the attestation must come from an independent CPA firm; automation tooling can streamline evidence but cannot issue the report.
