
SOC 2 for EdTech Companies (2026)

A practical SOC 2 guide for EdTech companies in 2026 — FERPA overlap, student data protection, K-12 vs higher ed vs enterprise buyers, and building a program that fits EdTech economics.

EdTech has had its compliance reckoning. A decade of "move fast and collect student data" gave way to state-level student privacy laws, COPPA enforcement actions, FERPA-aware procurement, and IT teams at school districts who actually read vendor risk questionnaires. SOC 2 has become the price of entry for EdTech selling anywhere above the small-business tier.

What makes EdTech SOC 2 distinctive is buyer diversity. A K-12 district superintendent asks different questions than a university CIO than an enterprise L&D buyer. A single EdTech product often sells into all three, plus consumer and parent-facing audiences. Your SOC 2 program has to tell a coherent story to each.

This guide is for EdTech founders, CISOs, and compliance leaders planning or running SOC 2. It assumes some familiarity with SOC 2 mechanics and focuses on what's specific to education — student data, FERPA, COPPA, the K-12/higher ed/enterprise split, and running a program that matches EdTech economics.

Why SOC 2 Matters in EdTech

Three buyer segments drive SOC 2 demand:

  • K-12 school districts and state education agencies. District IT and procurement increasingly treat SOC 2 as baseline for any SaaS handling student data. State-level student privacy laws add teeth.
  • Higher education. University CIOs, CISOs, and procurement run vendor risk management programs that explicitly require SOC 2. EDUCAUSE HECVAT alignment is common.
  • Enterprise L&D and corporate training. HR tech and learning platforms selling into enterprise face the same procurement rigor as any B2B SaaS.

Each segment has different priorities. K-12 cares about FERPA, COPPA (for under-13), state laws (especially California SOPIPA, Colorado SB 190, Illinois SOPPA), and parent transparency. Higher ed cares about FERPA, research data, and institutional autonomy. Enterprise cares about HR data, integration security, and workforce privacy.

For foundational material, see the SOC 2 framework hub, Trust Services Criteria page, and our SOC 2 for SaaS companies guide.

Education Regulatory Landscape

EdTech sits at the intersection of multiple regulatory regimes:

Framework | Who It Applies To | Focus
FERPA | Schools receiving federal funds + vendors acting as "school officials" | Education records privacy
COPPA | Services directed at under-13 or with actual knowledge of under-13 users | Parental consent for PII collection
State student privacy laws (30+ states) | EdTech vendors serving K-12 in those states | Data use limits, disclosure, security
GDPR | EU student data | Personal data protection
HIPAA | Education-health intersection (campus health, behavioral health programs) | PHI
PCI DSS | Tuition and fee payment processing | Card data
Section 508 / ADA | Digital accessibility | Accessible design

SOC 2 doesn't replace any of these. It's the operational security and trust artifact that customers layer on top of regulatory compliance. A well-scoped SOC 2 program addresses the operational controls that satisfy most of the security elements of the above regulations.

Trust Services Criteria for EdTech

Every SOC 2 includes Security (Common Criteria). For EdTech, the other criteria map to specific use cases:

Product Type | Recommended Criteria
Learning management system | Security + Availability + Confidentiality
Assessment platform | Security + Availability + Processing Integrity + Confidentiality
Student information system | Security + Availability + Confidentiality + Privacy
Learning analytics | Security + Confidentiality + Privacy
Tutoring / homework help | Security + Availability + Privacy
Enterprise L&D | Security + Availability + Confidentiality
K-12 curriculum platform | Security + Availability + Privacy

Processing Integrity matters for assessment platforms (grades must be accurate) and any product with academic or compliance consequences.

Privacy is worth strong consideration for any consumer-facing EdTech product, especially those serving K-12. Parent and regulator expectations are high.

FERPA and SOC 2 — Different Animals, Aligned Goals

FERPA is a federal law with specific requirements for education records. SOC 2 is a CPA-firm attestation report on operational controls. They're not the same, but they align.

FERPA requires your EdTech product, if acting as a "school official" for a covered school, to:

  • Perform institutional services the school would otherwise perform
  • Be under direct control of the school regarding use and maintenance of records
  • Not use or re-disclose education records beyond authorized uses
  • Use reasonable methods to protect records

SOC 2's Common Criteria, especially around access controls, audit logging, vendor management, and incident response, directly support FERPA's "reasonable methods" requirement. A SOC 2 report is often accepted as evidence of FERPA compliance by district IT teams.

The gaps SOC 2 doesn't fill:

  • Your contractual FERPA addendum with the school district (required)
  • Specific FERPA-required safeguards and disclosure limitations
  • Parent access rights (FERPA doesn't technically create parent rights against vendors, but many states extend them)

Most EdTech vendors draft a FERPA addendum (separate from their DPA) that addresses the specific FERPA obligations, then reference SOC 2 for operational security.

COPPA Considerations

If your product is directed at under-13 users, or you have actual knowledge of under-13 users, COPPA applies. COPPA requires:

  • Parental consent before collecting PII from under-13 users
  • Notice of collection practices
  • Parental access, correction, and deletion rights
  • Reasonable security
  • Retention limits

SOC 2's Privacy criteria align with COPPA's security and data handling requirements but don't automate parental consent workflows. If you serve K-12, include Privacy criteria in your SOC 2 and build your consent workflow as a COPPA-specific capability.

Our SOC 2 for SaaS companies guide covers Privacy criteria in more detail.

Scoping EdTech SOC 2

A typical EdTech SOC 2 scope includes:

  • Student-facing application infrastructure
  • Teacher/instructor-facing infrastructure
  • Administrator dashboards
  • Roster integration systems (Clever, ClassLink, OneRoster, LTI/LTI Advantage)
  • Analytics and learning data warehouse
  • AI/ML infrastructure for personalization or content
  • Assessment and proctoring systems
  • Customer support and operations tooling
  • Identity and access management
  • Monitoring, logging, alerting
  • Vendor ecosystem

Scoping mistakes common in EdTech:

  • Excluding the analytics environment because "it's derived data." If it contains student data, it's in scope.
  • Missing legacy roster sync infrastructure that still handles student PII.
  • Excluding parent portals when they contain student information.
  • Ignoring marketing and sales tools that have imported district rosters for outreach (an increasingly common finding).

Student Data as Sensitive Data

Your SOC 2 should treat student data with the same seriousness as PHI or financial data. Specific control depth:

Access Controls

  • Role-based access at tight granularity (teacher-to-class, not teacher-to-school)
  • District-level isolation in multi-tenant deployments
  • Access reviews for district admin accounts specifically
  • Service account minimization

Roster Integration Security

  • Secure integration with Clever, ClassLink, OneRoster
  • LTI 1.3 / LTI Advantage for embedded tools
  • OAuth2 and SAML for authentication
  • Rostering data validation and error handling

Student Data Handling

  • Minimum necessary — if you don't need home address, don't ingest it
  • Retention policies aligned to school year and district retention norms
  • Deletion workflows for students leaving districts
  • Data portability for transfer students

Parent Access

  • Where law requires parent access, provide it
  • Parent-facing interfaces with appropriate authentication
  • Audit logs of parent access
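As an added example (not code from the original guide), the following Python sketch shows what the Access Controls, Student Data Handling and Parent Access points above look like in code: district-level isolation is checked before any role logic, teachers are scoped to the classes they teach rather than the whole school, parents only to their own children, every read attempt is written to an audit log, and each role receives only its allow-listed fields. All ids, roles and records are constructed; no real roster format or product API is implied.

```python
from dataclasses import dataclass

# Constructed sample model with hypothetical ids and roles; not from any real product.
@dataclass(frozen=True)
class Principal:
    user_id: str
    district_id: str
    role: str                             # "teacher", "district_admin" or "parent"
    class_ids: frozenset = frozenset()    # teacher: only the classes actually taught
    student_ids: frozenset = frozenset()  # parent: only their own children
@dataclass(frozen=True)
class StudentRecord:
    student_id: str
    district_id: str
    class_ids: frozenset
    fields: dict
# Minimum-necessary projection per role. home_address appears in the constructed
# record only to show it is never served; the guide's rule is not to ingest it at all.
FIELD_ALLOWLIST = {
    "teacher": {"student_id", "name", "grade_level"},
    "district_admin": {"student_id", "name", "grade_level", "enrollment_status"},
    "parent": {"student_id", "name", "grade_level", "enrollment_status"},
}
def can_read(p, rec):
    if p.district_id != rec.district_id:   # district-level isolation, checked for every role
        return False
    if p.role == "district_admin":
        return True
    if p.role == "teacher":                 # teacher-to-class, not teacher-to-school
        return bool(p.class_ids & rec.class_ids)
    if p.role == "parent":
        return rec.student_id in p.student_ids
    return False                            # unknown role: deny by default

def read_student(p, rec, audit_log):
    # Authorize, log every attempt (allowed or denied), then project allowed fields only.
    allowed = can_read(p, rec)
    audit_log.append({"actor": p.user_id, "role": p.role, "district": p.district_id,
                      "student": rec.student_id, "allowed": allowed})
    if not allowed:
        return None
    return {k: v for k, v in rec.fields.items() if k in FIELD_ALLOWLIST[p.role]}

# Constructed sample data: one student in district-A, principals from two districts.
STUDENT = StudentRecord("s-001", "district-A", frozenset({"math-7"}), {
    "student_id": "s-001", "name": "A. Student", "grade_level": 7,
    "enrollment_status": "active", "home_address": "123 Sample St"})
TEACHER_MATH = Principal("t-1", "district-A", "teacher", class_ids=frozenset({"math-7"}))
TEACHER_ART = Principal("t-2", "district-A", "teacher", class_ids=frozenset({"art-7"}))
ADMIN_B = Principal("a-9", "district-B", "district_admin")
PARENT = Principal("p-1", "district-A", "parent", student_ids=frozenset({"s-001"}))
```

The denied entries in the audit log (a teacher of another class, an admin from another district) are the evidence an auditor asks for when testing access-review and tenant-isolation controls.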

Content Moderation (where applicable)

  • User-generated content policies
  • Moderation tooling
  • Reporting mechanisms
  • COPPA-aware interactions

Integration with HECVAT, CASBO, and District Questionnaires

Higher ed procurement commonly uses the HECVAT (Higher Education Community Vendor Assessment Toolkit). K-12 procurement uses a variety of district-specific or state-specific questionnaires. SOC 2 dramatically reduces the burden of answering these:

  • Many HECVAT questions map directly to SOC 2 controls
  • District IT teams often accept SOC 2 Type II in place of detailed security questionnaires
  • State-level questionnaires (e.g., California CSPA addendum) often have SOC 2 reference paths

Build a questionnaire response library mapped to your SOC 2 report. Maintain standard answers for common questions. The time savings compound over the sales year.

For more, see our SOC 2 for SaaS companies guide on questionnaire efficiency.

K-12 vs Higher Ed vs Enterprise — the Same SOC 2

Your SOC 2 report is the same across all three buyer segments. What differs is how you contextualize it:

Buyer Segment | Supplementary Artifacts
K-12 districts | FERPA addendum, state-specific student data agreements (SDPA), COPPA compliance documentation, privacy policy, parent-facing transparency
Higher education | HECVAT Lite or Full, FERPA addendum, research data governance, accessibility documentation (WCAG, Section 508)
Enterprise L&D | DPA, ISO 27001 (helpful), HR data handling documentation, integration security documentation

The SOC 2 report is the trust anchor. Around it you build segment-specific artifacts.

EdTech Cost Economics

EdTech margins are tighter than most SaaS. Budget accordingly:

Line Item | Typical Cost
SOC 2 Type II audit | $25K–$75K
Readiness assessment | $10K–$30K
Penetration testing | $15K–$40K per engagement
GRC platform | $15K–$60K annual
Internal staffing | $80K–$200K annual
Accessibility testing (often a parallel need) | $15K–$40K annual

Timeline: 8–14 months from standing start to Type II. Faster is possible with strong engineering foundations and dedicated focus.

Our SOC 2 cost breakdown has more detailed modeling.

Type I vs Type II for EdTech

Education buyers are mixed on Type I. K-12 districts sometimes accept Type I as evidence you're on the journey. Higher ed and enterprise increasingly want Type II.

The pragmatic path:

  1. Type I at month 4–6 — unlock early K-12 and select higher ed deals
  2. Type II observation period starts immediately
  3. Type II delivered at month 10–14 — unlock higher ed and enterprise
  4. Annual Type II cadence thereafter

Do not drop Type II once you have it. A lapse signals program weakness to every buyer segment.

Common Pitfalls for EdTech SOC 2

  • Under-including analytics and AI infrastructure in scope. Student learning data analytics are in scope if they contain student data.
  • Ignoring COPPA for any under-13 audience. This includes the accidental case: you're "not targeting kids," but kids use your product.
  • Sloppy data deletion. Students leave districts, schools change vendors, parents request deletion. Weak deletion workflows are a SOC 2 finding and a state law violation.
  • Misunderstanding the FERPA relationship. SOC 2 doesn't replace FERPA addenda.
  • Accessibility as afterthought. Not a SOC 2 requirement, but a procurement requirement alongside it.
  • State student privacy law ignorance. California, Colorado, Illinois, and a dozen others have specific requirements. Being out of compliance damages your SOC 2 credibility.
  • Weak parent-facing controls. Parent portals, parent notifications, parent consent mechanisms should be as robust as teacher or admin-facing controls.
  • Insufficient rostering security. Integrations with Clever/ClassLink/OneRoster handle huge volumes of student PII. Security gaps there are high-impact.
  • AI/ML without governance. Using student data for model training without documented consent and controls.

How to Get Started

If you're an EdTech startup:

  1. Identify buyer segments and understand their compliance expectations
  2. Map existing controls against SOC 2 Common Criteria
  3. Identify required Trust Services Criteria based on product
  4. Get Type I at month 4–6
  5. Layer in FERPA addendum template, COPPA compliance (if applicable), state SDPA templates
  6. Type II at month 10–14
  7. Build questionnaire response library mapped to your report

If you're an established EdTech scaling:

  1. Audit existing SOC 2 scope against current product footprint
  2. Confirm state law compliance alongside SOC 2
  3. Evaluate Privacy criteria addition if not already included
  4. Build artifacts ecosystem (FERPA, HECVAT, SDPAs) aligned to your report

FAQ

Q: Do we need SOC 2 to sell to K-12? A: Technically no; practically yes if you're selling at scale. Small, localized, or pilot sales may not require it. District-wide, state-wide, or multi-district sales will.

Q: Can we skip Privacy criteria if we already comply with FERPA and COPPA? A: You can, but including Privacy criteria signals maturity to buyers and regulators. For K-12-focused EdTech, it's worth the investment.

Q: Is HECVAT the same as SOC 2? A: No. HECVAT is a questionnaire developed by EDUCAUSE for higher ed vendor risk assessment. SOC 2 is an independent attestation report. Most EdTechs complete HECVAT by referencing their SOC 2 where applicable.

Q: What about state student privacy laws like California SOPIPA? A: These layer on top of SOC 2. Your SOC 2 program satisfies operational security expectations; state laws add specific data use restrictions, disclosure limits, and sometimes assessment obligations. Address them in your state-specific contracts and privacy documentation.

Q: How do we handle international student data in EdTech? A: International students in US schools are covered by FERPA. EU students accessing US EdTech products trigger GDPR. International schools using your product trigger local laws. A well-designed SOC 2 with Privacy criteria and jurisdictional documentation handles most of this; specific regulations still apply on top.

EdTech in 2026 is more regulated, more procurement-savvy, and more demanding than ever. A well-run SOC 2 program — anchored in education-specific sensitivities and supplemented with FERPA, COPPA, and state-law documentation — is the foundation for EdTech companies selling at scale.

For more, see the SOC 2 hub, Trust Services Criteria, and our education industry resources. Ready to run compliance on a platform built for SaaS economics? Start with episki.