SOC 2 · EDTECH

SOC 2 for EdTech selling into US education.

US school districts and universities require SOC 2 as vendor qualification. Add FERPA (student records) and COPPA (under-13) obligations, and EdTech vendors face a specific compliance stack. Matproof covers it in one EU-hosted platform.

Why this matters now

State-level education procurement is tightening vendor requirements post-2024 student-data breaches. SOC 2 Type 2 is increasingly non-negotiable for US K-12 adoption.

  • FERPA (Family Educational Rights and Privacy Act) applies to any vendor handling student records of FERPA-covered institutions
  • COPPA for users under 13 adds parental-consent obligations
  • State student-privacy laws (CA SOPIPA, NY 2-d, Illinois SOPPA) add further scope
  • European EdTech serving US customers still faces GDPR for any EU users

How Matproof covers SOC 2 for EdTech & Learning Platforms

SOC 2 + FERPA + COPPA mapping

Controls cross-mapped: student-record access control, parental-consent workflow, data minimization. One evidence set, three regulatory obligations.

State-privacy law alignment

SOPIPA (California), NY 2-d, Illinois SOPPA, and emerging state frameworks — Matproof tracks the requirements and flags mismatches.

Teacher and admin role separation

FERPA requires strict role-based access: teachers see their students, admins see the school, platform admins have audit trails.

Age-verification and parental consent

COPPA workflows for users under 13, verifiable parental consent, consent-withdrawal handling — all integrated into the SOC 2 evidence pipeline.

In scope

  • Learning management systems (LMS) used in K-12 and higher ed
  • Assessment and testing platforms
  • Adaptive learning and tutoring SaaS
  • Student information systems (SIS)
  • Classroom-collaboration and communication tools
  • Admissions, enrollment, and alumni management software

Frequently asked questions

Is FERPA a certification or a contract obligation?

FERPA applies via contract. When a school shares student records with an EdTech vendor, the vendor becomes bound by FERPA through the data-sharing agreement (often styled as a Data Privacy Agreement). There's no 'FERPA certification' — but vendors attest compliance in the DPA and in security assessments. SOC 2 reports serve as supporting evidence in this attestation.

If we're European and only serve US schools, do we need GDPR?

For US-only student data, no. But almost no EdTech is truly US-only — staff accounts, test users, admin accounts often include EU residents. Pragmatically, European EdTech should maintain GDPR posture alongside FERPA/COPPA.

What state student-privacy laws matter most?

California SOPIPA is the pace-setter — many other states model their laws on it. Illinois SOPPA has the strictest parental-consent provisions. New York 2-d covers K-12 vendors specifically. Texas, Colorado, Connecticut all have active frameworks. Matproof maintains current mappings.

Ready to start with SOC 2?

30-minute demo tailored to EdTech & Learning Platforms. We show you exactly how Matproof covers SOC 2 for your sector.