Here’s a scenario most district administrators know well. You’re evaluating an EdTech vendor. You ask about their security practices. They send a PDF. You ask about compliance. Another PDF. You want to see their subprocessor list — that takes a phone call. Their privacy policy? Buried three clicks deep on their website, last updated who knows when.
This is how most districts evaluate the vendors handling their students’ data. Scattered documents, email threads, and a lot of “let me get back to you.”
There’s a better model. It’s called a trust center.
What a Trust Center Actually Is
A trust center is a single, public, always-current page where a vendor lays out everything a customer needs to evaluate their security posture. No PDFs attached to old emails. No “request access” gates. Just the information, published and maintained.
For EdTech vendors specifically, a trust center typically includes:
- Compliance certifications and the specific statutes behind them
- Infrastructure details — where data is stored, how it’s isolated, how it’s encrypted
- A complete subprocessor list — every third party that touches your data
- Published privacy policies and terms of service
- Contact information for their security team
The key word is public. A trust center isn’t a sales deck sent after you sign an NDA. It’s the vendor saying: here’s how we handle your data, and we’re confident enough to put it where anyone can see it.
Why This Matters for Student Data
California has one of the strictest student data privacy frameworks in the country. Districts operate under a stack of overlapping requirements — FERPA, COPPA, SOPIPA (Cal. Bus. & Prof. Code §22584), AB 1584 (Cal. Ed. Code §49073.1), and the CA-NDPA through CITE. Each law covers different ground, and together they create a high bar for any vendor handling student records.
The problem isn’t that these laws exist. The problem is verifying that vendors actually comply with them.
When a vendor says “we’re FERPA compliant,” what does that mean in practice? Are they operating as a school official under a signed agreement? When they claim SOPIPA compliance, can they show you exactly how they avoid selling student data or building non-educational profiles? When they reference COPPA, are they relying on parental consent or the school consent exception — and do they know the difference?
These aren’t gotcha questions. They’re the minimum a district needs to answer before signing a contract. And right now, getting those answers usually requires multiple rounds of back-and-forth with a vendor’s sales team.
A trust center eliminates that friction. The answers are there, in one place, before you even pick up the phone.
What to Look For in a Vendor’s Trust Center
Not all trust centers are created equal. Some are genuinely useful. Others are marketing pages dressed up with a padlock icon. Here’s what separates the two.
Specific compliance claims, not vague ones. A good trust center cites the actual statutes — FERPA, COPPA, SOPIPA, AB 1584 — and explains how the vendor complies with each. If a vendor just says “we take privacy seriously” without naming specific laws and their approach, that’s a red flag.
Infrastructure transparency. You should be able to answer these questions from the trust center alone: Where is student data stored? Which cloud provider? Which region? Is each district’s data isolated, or does it sit in a shared database? What encryption standards are in place? Is the infrastructure SOC 2 Type II certified?
A published subprocessor list. Every third party that touches student data should be listed — what they do, what data they process, and where they’re located. Bonus points if the vendor commits to advance notice before adding new subprocessors.
Accessible policies and agreements. Privacy policies and terms of service should be publicly available — no login required. Other documents like DPAs, SOC 2 reports, and detailed compliance certifications are commonly available on request, and that’s fine. What matters is that the vendor makes it clear what’s available and easy to get.
A signed CA-NDPA. For California districts, check whether the vendor is a signatory through CITE. A signed, verifiable CA-NDPA means your district can adopt the existing agreement without negotiating a separate DPA from scratch — saving weeks of legal back-and-forth.
The Questions You Should Be Asking
Even with a trust center in front of you, it’s worth pressure-testing. Here are the questions that matter most:
- Can the vendor cite the specific California statutes they comply with and explain how?
- Where exactly is student data stored — cloud provider, region, isolation method?
- Do they publish a complete subprocessor list with change notification policies?
- What happens to your data when the contract ends? How quickly is it deleted?
- Can you export your data at any time in a standard format?
- Does the vendor use student data for any purpose beyond the contracted educational service — including product development, analytics, or AI training?
If the answers are clear and public, that’s a good sign. If they’re not — or if the response is “let me get back to you” — it’s worth understanding why.
Why We Built Ours
Student data privacy is the reason we built our infrastructure the way we did. We put together the Attendly Trust Center so districts can verify that for themselves — no PDFs, no phone calls required.
