All industries
EdTech · K-12 · Higher-ed · Test-prep · Tutoring

Protect student data,
earn district trust.

Pentesting and privacy review for K-12 platforms, higher-ed systems, test-prep and tutoring services handling minor PII. COPPA (with the 2025 amendments), FERPA, GDPR-K and the UK Children's Code, India DPDP §9 children's-data, and OWASP ASVS L2 across student, parent, teacher and admin surfaces.

Under 13
COPPA trigger age in the US — 18 under India DPDP §9, 13–16 across the EU
23 Jun 2025
COPPA 2025 amendments effective — biometric IDs in scope, written retention policy mandatory
15
standards in the UK ICO Age Appropriate Design Code (Children's Code)
₹200 cr
maximum DPDP Act penalty for child-data violations

Pain points EdTech founders bring to scoping

Verifiable parental consent is hard

COPPA, GDPR-K and DPDP §9 all require VPC but each defines "verifiable" differently. Knowledge-based authentication, government-ID upload, credit-card verification, digitally signed consent forms — each has cost, friction and regulator-acceptance trade-offs that the engagement helps right-size.

District procurement security reviews

US K-12 districts and EU school systems now run vendor-security reviews that look like enterprise SaaS questionnaires. SOC 2 Type 2, ISO 27001, annual independent pentest, breach-notification commitments and signed Student Data Privacy Consortium (SDPC) National Data Privacy Agreement (NDPA) addenda all expected.

Online-proctoring backlash

Lockdown browsers, facial detection, eye-tracking and AI-driven cheating-detection raise biometric-data classification, accuracy / bias liability and student-rights friction. State AGs (Illinois, California, New York) and EU DPAs have all opened investigations.

AI tutoring and adaptive learning

Generative AI in the learning loop introduces OWASP LLM Top 10 risk (prompt injection, training-data poisoning, sensitive-data disclosure) plus the new wave of accuracy-and-bias evaluation that regulators expect from any vendor selling AI-driven education to minors.

Third-party tag and analytics stack

Marketing pixels, A/B-test scripts, advertising SDKs in the mobile app — most of which trigger COPPA disclosure / advertising prohibitions, GDPR-K consent failures, DPDP §9 targeting prohibitions. Inventory the stack, prove justification per script, or remove.

Data-retention beyond enrolment

Student records retained "forever" for product analytics violate COPPA §312.10, the GDPR storage-limitation principle and the DPDP retention obligations. Defensible retention schedule per data category is the auditor's first ask.

Compliance frameworks the engagement maps to

COPPA — 16 CFR Part 312 (2025 amendments)

link ↗

FTC Children's Online Privacy Protection Rule. §312.4 notice, §312.5 verifiable parental consent, §312.7 conditioning prohibition, §312.8 confidentiality / security / integrity, §312.10 retention and deletion, §312.11 safe harbour. 2025 amendments expand the personal-data definition (biometric, government-issued IDs), tighten third-party disclosure consent, mandate a written retention policy.

FERPA — 20 USC §1232g; 34 CFR Part 99

link ↗

Family Educational Rights and Privacy Act. Governs Education Records held by US schools and contractors acting under the school-official exception (§99.31(a)(1)). Vendor processing on behalf of the school under direct control is permitted; commercial use outside that control breaks the exception and triggers COPPA VPC plus state-level student-data laws.

GDPR Article 8 + UK Children's Code

link ↗

GDPR Art. 8 sets digital-consent age (13–16 by member state). UK ICO Age Appropriate Design Code defines 15 standards including best-interests-of-the-child, DPIA, default-high privacy, data-minimisation, geolocation and profiling off by default. Recital 38 emphasises children's specific protection needs.

India DPDP Act 2023 §9 + DPDP Rules 2025

link ↗

Special regime for children (under 18) and persons with disabilities — verifiable parental consent before processing, prohibition on detrimental processing, prohibition on tracking, behavioural monitoring and targeted advertising. 2025 Rules detail the "due diligence" mechanics for VPC, with notified exemptions for clinical and educational use under safeguards. Penalties up to INR 200 crore.

Student Data Privacy Consortium NDPA

link ↗

National Data Privacy Agreement template increasingly required by US K-12 district procurement. Standardises vendor commitments on data use, security, breach notification, deletion, parent / student rights and audit. The engagement deliverable includes an NDPA-ready vendor pack.

OWASP ASVS v4.0.3 (L2) + OWASP LLM Top 10

link ↗

Application-security baseline for student, parent, teacher and admin surfaces (L2). LLM Top 10 (LLM01 prompt injection, LLM02 sensitive-data disclosure, LLM03 supply chain, LLM05 improper output handling) for AI-tutoring and adaptive-learning features.

Sample attack scenarios exercised

Three scenarios commonly run against an EdTech estate. Each draws from a public-record breach pattern or regulator-action archetype.

THREAT
Scenario 1 — Parent-portal IDOR exposes child roster across schools
Authenticated test as a single parent account. Tampering of student-ID, classroom-ID and school-ID parameters in the parent-portal API. Demonstrates Broken Object-Level Authorisation (OWASP API #1) exposing names, ages, attendance, grades and contact data of unrelated minors across other schools. Maps to the Edmodo 2017, Pearson 2018, Chegg 2018, Illuminate Education 2022, Finalsite 2022 and Powerschool 2025 incident patterns. COPPA §312.8, FERPA §99.31 and DPDP §9 all implicated.
THREAT
Scenario 2 — Prompt injection extracts other students' tutoring history
Authenticated test against the AI-tutor or AI-grader feature. Crafted prompts attempt to coerce the model into disclosing prior conversation history, system-prompt content, training-data fragments or other-student conversation context. Tests LLM01 (prompt injection), LLM02 (sensitive-data disclosure) and LLM05 (improper output handling). Validates that the retrieval-augmented-generation tenant boundary actually holds.
THREAT
Scenario 3 — Marketing-SDK exfiltration of minor data from mobile app
Mobile-app traffic interception. Inventory of every third-party SDK transmitting data on app launch and during a tutoring session — advertising SDKs, analytics SDKs, crash reporters, A/B-test frameworks, chat widgets. Demonstrates which third parties receive child-attributable data and whether COPPA §312.5 VPC and §312.7 conditioning prohibition, GDPR-K consent and DPDP §9 targeting prohibitions are actually being honoured at the SDK boundary.

Case study

Redacted reference — available under NDA

Series-B K-12 adaptive-learning platform, US and India deployments, 4M monthly active students. Five-week engagement covering parent portal, teacher dashboard, student app (web + iOS + Android), AI-tutor feature and the administrative back-office. Scope mapped to COPPA 2025-amendments, FERPA school-official boundary, India DPDP §9, and OWASP ASVS L2 plus LLM Top 10.

Outcome: Two BOLA findings closed pre-launch of the parent-portal v3 release, AI-tutor prompt-injection guardrails redesigned with tenant-boundary tests in CI, third-party SDK count in the student app reduced from 18 to 6 with verifiable-consent gating on the remainder, written retention policy adopted satisfying §312.10. NDPA-ready vendor pack now used in district procurement.

Full redacted report and reference call available under mutual NDA. Request via the scoping form →

Related work

Services
Reading
Sibling industries

Frequently asked questions

We are a K-12 platform with a US footprint. Where does COPPA actually bite?+

The FTC's Children's Online Privacy Protection Rule (16 CFR Part 312) imposes verifiable parental consent (VPC), data-minimisation, retention-limitation, third-party-disclosure restrictions and a deletion right on operators of online services directed to children under 13, or operators with actual knowledge that they collect personal data from under-13s. The 2025 rule amendments (effective 23 June 2025) tightened the definition of personal data (including biometric and government-issued identifiers), require separate verifiable parental consent for any disclosure to third parties for targeted advertising, mandate a written data-retention policy, expand the school-authorisation exception clarifications, and harden the security-programme requirement. The engagement maps every data-collection point against §312.4 notice, §312.5 VPC, §312.7 conditioning, §312.8 confidentiality / security / integrity, §312.10 retention and the updated §312.11 safe harbour expectations.

How does FERPA interact with COPPA for a school-deployed platform?+

FERPA (20 USC §1232g, 34 CFR Part 99) governs Education Records held by US schools and the contractors acting on the school's behalf. When the EdTech vendor operates under FERPA's school-official exception with direct control by the school, the platform processes the data on behalf of the school and the school's authorisation can substitute for COPPA VPC for use of the platform in the educational programme — but only for data collected and used solely for educational purposes within school authority. The moment the vendor uses student data for commercial purposes outside the school's direct control (advertising, analytics resale, training of public models), COPPA VPC re-attaches and FERPA's school-official exception is broken. The engagement reviews the data-flow boundary between "school authority" and "commercial use" explicitly.

We sell into EU and UK schools. What about GDPR-K and the Children's Code?+

Under GDPR Article 8, the age of digital consent ranges from 13 to 16 depending on member state — Spain, Portugal, Denmark, Italy, Lithuania, Cyprus, Bulgaria and Sweden are at 14; France, Belgium, Greece, Slovenia and Czechia at 15; the rest mostly 13 or 16. The UK GDPR holds 13. Below the threshold, parental authorisation is required. The UK ICO's Age Appropriate Design Code (Children's Code) imposes 15 specific standards including best-interests-of-the-child as a primary consideration, data-protection impact assessments, age-appropriate application, transparency, detrimental-use prohibition, defaulted-high privacy settings, data-minimisation, sharing limitations, geolocation off by default, profiling off by default, nudge-technique restrictions, connected-toy guidance, parental-control transparency and online-tools. The engagement runs a Children's Code self-assessment and a DPIA template alongside the technical work.

India DPDP Act 2023 — what changes for student data?+

Section 9 of the DPDP Act imposes a special regime for children (under 18 in India) and persons with disabilities: verifiable parental consent before any processing, prohibition on processing that is detrimental to the well-being of the child, prohibition on tracking, behavioural monitoring and targeted advertising directed at children. The 2025 DPDP Rules detail the technical mechanics of verifiable parental consent (the "due diligence" obligation on the Data Fiduciary), with exemptions notified for clinical and educational use cases under specified safeguards. Penalties up to INR 200 crore for child-data violations. The engagement maps every Indian-resident-minor data flow against §9 and the relevant 2025 Rule provisions.

Online proctoring, biometrics in the LMS, AI tutoring — what is the right test plan?+

Three distinct threat models. Online proctoring (facial detection, eye-tracking, browser-lockdown) raises biometric data classification under GDPR Article 9, BIPA in Illinois, Texas CUBI, Washington biometric law, plus the COPPA 2025 inclusion of biometric identifiers — engagement tests consent capture, data retention, third-party-processor disclosures and the model-training data flow. Biometrics in the LMS (fingerprint / face for login) similarly trigger biometric-specific regimes. AI tutoring and AI feedback features raise OWASP LLM Top 10 (prompt injection, training-data poisoning, model-output handling, sensitive-data disclosure) plus the educational-content-accuracy and bias-evaluation expectations regulators now flag. We run each as a separate test track in the same engagement.

Scope an EdTech engagement

Send the segment (K-12, higher-ed, test-prep, tutoring), the geographies (US, EU, UK, India, GCC), the AI feature surface, and your next district / regulator deadline. We respond with a fixed-fee proposal and an NDPA-ready vendor-pack sample under NDA.

Request a scoping call