← All documents
Public Legal Updated July 11, 2026

Third-Party Management

How we vet, contract with, and monitor the vendors that process educational data.

Protecting student data requires securing not only our own systems but every third party that processes educational data. Impact Suite holds subprocessors to equivalent security and privacy standards through selective partnership, thorough vetting, contractual protection, and continuous monitoring.

Vetting & due diligence

Before engaging any subprocessor that will access Student Data or PII, we evaluate:

  • Security practices — documented policies, program maturity, incident-response capability, disaster recovery.
  • Encryption — at rest (AES-256 or equivalent) and in transit (TLS 1.2/1.3+), with sound key management.
  • Access control — authentication (MFA/SSO), authorization (RBAC/least privilege), and access logging.
  • Compliance & certifications — SOC 2 Type II (preferred), ISO 27001, HIPAA attestations, and FERPA/ COPPA capability.
  • Infrastructure — data-center location and U.S. residency, backup/recovery, and network security.

Engagement requires review and sign-off by our Compliance Officer, engineering, and legal.

Contracts

  • Data Processing Agreements — built on the 1EdTech Data Privacy & Security Agreement (DPSA) framework, defining permitted uses, prohibiting use of student data for advertising/profiling/sale, requiring security standards, and mandating deletion (NIST 800-88) and breach notification.
  • Business Associate Agreements — for any subprocessor handling PHI, meeting HIPAA Security Rule requirements with 24-hour breach notification.
  • Flow-down terms — subprocessors must extend equivalent protections to their own vendors.

Ongoing monitoring

We conduct annual reviews, track certification renewals (SOC 2 / ISO 27001), monitor for incidents, and enforce remediation — up to termination and transition — when a subprocessor falls out of compliance.

Transparency

We maintain a current subprocessor list, provide 30 days’ advance notice of new or changed subprocessors, and notify educational agencies of any subprocessor incident affecting their data within 72 hours.