How to run a security review of school software (without a security team)

July 3, 2026 · 6 min read · by the ez.school team

Schools hold the most sensitive category of data there is — records about children — and most run their software reviews with no security staff. The good news: the checks that matter do not require a penetration tester. They require asking precise questions and refusing vague answers. These seven cover most of the ground a formal review would.

1 · Where does our data live, relative to other schools?

The answer you want is structural: separate databases, or at minimum a separation the vendor can draw on a whiteboard without the word "filter". If every customer’s students share one table and a WHERE clause keeps them apart, one programming mistake shows another school your children. Filters fail silently; structures fail loudly.
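
The difference in Python with sqlite3, as an added example that is not from the original article or any vendor's code base; the school IDs, student names and function names are constructed for illustration. The same forgotten WHERE clause returns another school's roster from a shared table, but only the school's own rows when each school has its own database.

```python
import sqlite3

# Constructed sample data: two hypothetical schools, one student each.
ROWS = [("school_a", "Asha"), ("school_b", "Bilal")]

# The programming mistake: a roster query with no tenant filter.
UNFILTERED = "SELECT name FROM students ORDER BY name"

def shared_table_db():
    """Every school in one table; isolation depends on each query's WHERE."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (school_id TEXT, name TEXT)")
    db.executemany("INSERT INTO students VALUES (?, ?)", ROWS)
    return db

def per_school_dbs():
    """One database per school; a connection can only reach its own rows."""
    dbs = {}
    for school_id, name in ROWS:
        db = sqlite3.connect(":memory:")
        db.execute("CREATE TABLE students (name TEXT)")
        db.execute("INSERT INTO students VALUES (?)", (name,))
        dbs[school_id] = db
    return dbs

def roster_filtered(db, school_id):
    """Correct query on the shared table."""
    sql = "SELECT name FROM students WHERE school_id = ? ORDER BY name"
    return [row[0] for row in db.execute(sql, (school_id,))]

def roster_buggy_shared(db, school_id):
    """Same intent, WHERE forgotten: returns every school's children, no error."""
    return [row[0] for row in db.execute(UNFILTERED)]

def roster_buggy_isolated(dbs, school_id):
    """Same bug, separate databases: only this school's rows exist here.
    An unknown school_id raises KeyError instead of returning data."""
    return [row[0] for row in dbs[school_id].execute(UNFILTERED)]

if __name__ == "__main__":
    shared, isolated = shared_table_db(), per_school_dbs()
    print(roster_filtered(shared, "school_a"))
    print(roster_buggy_shared(shared, "school_a"))
    print(roster_buggy_isolated(isolated, "school_a"))
```

When a vendor describes their isolation, the useful follow-up is which of these two shapes a forgotten filter would produce in their system.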

2 · Who can see what — and who decided?

Ask for the role model on screen: what a class teacher sees versus the fee desk versus the principal. Then the harder question: how exceptions are handled. Per-user overrides that are explicit and audited are healthy; the phrase "we just share the admin login for that" ends the evaluation.

3 · What does the audit trail actually record?

  • Sign-ins — including failed ones.
  • Publications and unlocks: results, certificates, locked attendance.
  • Edits to governed records: who, when, from what to what.
  • And crucially: can the vendor SHOW you, live, the trail for an action they just performed?

4 · What happens to a lost ID card, a departed teacher, a revoked certificate?

Security is mostly revocation. A lost card should fail at the gate the same day; a resigned teacher’s access should end with their notice period, not their memory; a corrected certificate should invalidate the version it replaced. Ask for each, demonstrated.

5 · Consent — especially for biometrics and photographs

If attendance uses fingerprints or the gallery publishes children’s photographs, consent is not a policy document; it is a per-person record the system enforces. No consent, no capture — and publication that checks the record before going live. Data-protection regimes (India’s DPDP among them) are moving in exactly this direction; buy software already built for it.

6 · Backups you have seen, not been promised

Two questions: when was the last backup taken, and when was a restore last TESTED? The second question is the real one — an unrestored backup is a hope, not a plan.

7 · The exit

Ask, while relations are warm, what leaving looks like: full export, standard formats, a wind-down window. A vendor confident in their product answers easily; data hostage-taking announces itself in the hesitation.

Institutions that run this review earn something beyond a safer choice: a documented file that answers trustees, parents and auditors for years. The hour it takes is the cheapest governance your institution will buy.
