Schools hold the most sensitive category of data there is — records about children — and most run their software reviews with no security staff. The good news: the checks that matter do not require a penetration tester. They require asking precise questions and refusing vague answers. These seven cover most of the ground a formal review would.
1 · Where does our data live, relative to other schools?
The answer you want is structural: separate databases, or at minimum a separation the vendor can draw on a whiteboard without the word "filter". If every customer’s students share one table and a WHERE clause keeps them apart, one programming mistake shows another school your children. Filters fail silently; structures fail loudly.
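The difference, as an added illustration that is not taken from any vendor's code: the same forgotten filter exposes another school's rows in a shared table, and cannot do so when each school has its own database. The table, column, school and student names are constructed for the example.

```python
import sqlite3

# Constructed sample data: (school, student) pairs for two hypothetical schools.
ROWS = [("north", "Asha"), ("north", "Ravi"), ("south", "Meera")]

def shared_db():
    """Every customer in one table; the school_id column is the only boundary."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (school_id TEXT, name TEXT)")
    db.executemany("INSERT INTO students VALUES (?, ?)", ROWS)
    return db

def per_school_dbs():
    """One database per customer; a connection can only reach its own rows."""
    dbs = {}
    for school, name in ROWS:
        if school not in dbs:
            dbs[school] = sqlite3.connect(":memory:")
            dbs[school].execute("CREATE TABLE students (name TEXT)")
        dbs[school].execute("INSERT INTO students VALUES (?)", (name,))
    return dbs

def roster_filtered(db, school):
    # Correct shared-table query: the WHERE clause does all the isolating.
    sql = "SELECT name FROM students WHERE school_id = ? ORDER BY name"
    return [row[0] for row in db.execute(sql, (school,))]

def roster_filter_forgotten(db, school):
    # The programming mistake: no WHERE clause. The query still succeeds,
    # so nothing signals that another school's children are in the result.
    return [row[0] for row in db.execute("SELECT name FROM students ORDER BY name")]

def roster_structural(dbs, school):
    # The same careless query, run on a connection that belongs to one school.
    # An unknown school raises KeyError instead of returning someone's data.
    return [row[0] for row in dbs[school].execute("SELECT name FROM students ORDER BY name")]

if __name__ == "__main__":
    shared, separate = shared_db(), per_school_dbs()
    print("filtered:        ", roster_filtered(shared, "north"))
    print("filter forgotten:", roster_filter_forgotten(shared, "north"))
    print("structural:      ", roster_structural(separate, "north"))
    try:
        roster_structural(separate, "west")
    except KeyError as exc:
        print("unknown school fails loudly: KeyError", exc)
```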
2 · Who can see what — and who decided?
Ask for the role model on screen: what a class teacher sees versus the fee desk versus the principal. Then the harder question: how exceptions are handled. Per-user overrides that are explicit and audited are healthy; the phrase "we just share the admin login for that" ends the evaluation.
3 · What does the audit trail actually record?
- Sign-ins — including failed ones.
- Publications and unlocks: results, certificates, locked attendance.
- Edits to governed records: who, when, from what to what.
- And crucially: can the vendor SHOW you, live, the trail for an action they just performed?
4 · What happens to a lost ID card, a departed teacher, a revoked certificate?
Security is mostly revocation. A lost card should fail at the gate the same day; a resigned teacher’s access should end with their notice period, not their memory; a corrected certificate should invalidate the version it replaced. Ask for each, demonstrated.
5 · Consent — especially for biometrics and photographs
If attendance uses fingerprints or the gallery publishes children’s photographs, consent is not a policy document; it is a per-person record the system enforces. No consent, no capture — and publication that checks the record before going live. Data-protection regimes (India’s DPDP among them) are moving in exactly this direction; buy software already built for it.
6 · Backups you have seen, not been promised
Two questions: when was the last backup taken, and when was a restore last TESTED? The second question is the real one — an unrestored backup is a hope, not a plan.
7 · The exit
Ask, while relations are warm, what leaving looks like: full export, standard formats, a wind-down window. A vendor confident in their product answers easily; data hostage-taking announces itself in the hesitation.
Institutions that run this review earn something beyond a safer choice: a documented file that answers trustees, parents and auditors for years. The hour it takes is the cheapest governance your institution will buy.