ISMS Copilot for edtech compliance
Children's data, age-appropriate design, and the school procurement security review — drafted, mapped, and audit-ready.
Why edtech compliance is different
- Draft GDPR Article 8 workflows — parental consent verification where information society services are offered to a child below the Member State age (13–16)
- Map FERPA obligations as a school official / service provider handling US student education records
- Build age-appropriate design measures: data minimisation, profiling-off-by-default, and child-facing transparency
- Generate a DPIA for high-risk processing of minors' data (GDPR Article 35)
- Produce the ISO 27001 Statement of Applicability and SOC 2 control matrix schools and districts ask for
- Draft Records of Processing Activities (ROPA) and breach-notification procedures for the data of minors
Built for the edtech compliance lead
GDPR child-consent and Article 8 policy templates
FERPA school-official exception and directory-information guidance
Age-appropriate / data-minimisation design control set
DPIA and ROPA generators for minors' data
GDPR-to-ISO-27001 Annex A cross-mapping
Vendor and sub-processor security questionnaire responder for district procurement
Children's data: the rule that reshapes edtech compliance
For most SaaS the lawful basis is a footnote. For edtech it is the architecture. GDPR Article 8 makes consent for an information society service offered directly to a child valid only if given or authorised by the holder of parental responsibility, where the child is below the age the Member State sets between 13 and 16. That single rule cascades: you need verifiable parental consent flows, a DPIA under Article 35 because large-scale processing of children's data is high-risk, profiling and behavioural advertising off by default, and child-readable transparency. In the US, FERPA layers on top — student education records can only be disclosed to a vendor acting as a 'school official' with a legitimate educational interest and under the school's direct control. ISMS Copilot drafts each of these against the actual statutory text, not a generic privacy template.
Frequently Asked Questions
At what age can a child consent under GDPR?
GDPR Article 8 sets a default of 16 but allows Member States to lower it to no less than 13. The applicable age depends on where the child is — e.g. 13 in Ireland and the UK, 15 in France, 16 in Germany. ISMS Copilot maps your target markets to each national age threshold.
Does FERPA apply if we are an EU company?
FERPA applies whenever you handle US student education records on behalf of a US school or district, regardless of where you are based. As a vendor you typically rely on the 'school official' exception, which requires you to be under the school's direct control and to use the data only for the authorised purpose. ISMS Copilot drafts the contractual and policy language that supports that position.
Do we need a DPIA?
Almost always. Large-scale processing of children's personal data is treated as high-risk under GDPR Article 35 and EDPB guidance, so a Data Protection Impact Assessment is expected. ISMS Copilot walks you through the DPIA and produces the documented assessment.
