Intro

For several years now, Edlink has managed and stored a tremendous amount of critical data – including PII for millions of students – and we do not take this responsibility lightly. To protect such sensitive data, we continually evaluate and deploy cutting-edge techniques to prevent cybersecurity risks. Since bad actors are constantly evolving their strategies to breach company data, we have to work faster to disincentivize these bad actors from targeting us. Over the past year, we have leveled up our data infrastructure and how we manage access, and upskilled our team around new potential vulnerabilities. We take a worst-case scenario approach to our cybersecurity and really get into the minds of the people who would exploit the information we're trusted with.

In 2025, we set out to:

  • Further our commitment to data security and privacy
  • Implement new security programs
  • Restructure how we communicate our security practices with our community

Below, we outline both ongoing practices in 2025 and upcoming changes to our security protocols in 2026 in detail.

Ongoing Practices
We encourage the edtech companies we talk with to implement similar practices as it increases the security of our industry overall.

Penetration Test

A penetration test is when a third-party company launches a mock cybersecurity attack against your system to find vulnerabilities. This past year, we worked with NetSPI and their Penetration Testing as a Service (PTaaS) to test both our API platform and our network as a whole. As an infrastructure company, it’s crucial to have reliable cybersecurity partners to test our systems. NetSPI found no critical vulnerabilities as a result of the pen test.

Formal Access Review

Every year, we conduct a formal access review. In this review, we check for vulnerabilities from our employees and their use of third-party company-wide systems (like Google Workspace) or our product. During this review, we look at items including:

  • Verifying each team member has the lowest necessary access level
  • Enforcing multi-factor authentication for all employees, clients, and users
  • Improving password strength and reducing duplicate password use

SOC 2 Type II Report

In December 2025, we successfully completed another SOC 2 Type II audit. This means a third party has verified that we follow the security protocols and best practices that we say we do. We engage a third party for these audits to hold ourselves accountable to the promise we make to our clients and their users: protect their data.

As part of the SOC 2 audit, we conduct a formal security review of our sub-processors like Google and Amazon. To safely continue delivering features of our platform, like regional data storage, we have to work with cloud providers that we trust.

Additionally, we draft and review a risk assessment for all our vendors during our SOC 2 audit, including any third-party engineering tools and services. We prioritize vendor reviews based on the type and amount of information each vendor has access to. Ultimately, the effectiveness of our risk mitigation efforts depends on every person at Edlink.

Formal Security Training

One of the ways we create a culture of security awareness at Edlink is by conducting formal security training for all employees. This program includes reviewing our policies and protocols and being tested on them in a proctored, live test. By completing this program, our employees have a deep understanding of what is expected of them if/when security issues arise, how to protect Personally Identifiable Information (PII), and how to spot potential threats.

Cloud Monitoring

We utilize monitoring services from Datadog and Google Cloud Platform, which gives us oversight into real-time security threats to our network. Their tools allow us to reduce risk and maintain a high level of security for our product, clients, and their end-users.

What’s New

Bug Bounty Program

We started a Bug Bounty program in 2025 as a way to encourage the developer community to ethically test our product for vulnerabilities. In doing so, we allowed the developer community to show us ways to strengthen our service and practices for our clients.

Trust Center

We built our Trust Center, a centralized location to access all of our security documents. Simply sign an NDA and you can request access to our security documentation including our SOC 2 Type II audit.

Passwordless Login

We’ve introduced a passwordless login to the Edlink Dashboard and completely removed our old password-based system. This functions as both an enhanced security measure to combat weak passwords as well as a user experience improvement for school administrators completing the onboarding flow to connect their data source to client products.

Why should edtech companies care about cybersecurity?

Prioritize protecting the data of the users who use your products. As an integration partner, we have a duty to take data privacy and security seriously, because organizations trust us with millions of people’s data. There are real consequences not only for our clients, but also for the people who've trusted them, should there be a security breach. Edtech vendors are consistently in the news because they experienced a data breach and were subsequently fined. The students and teachers whose data is stolen have a greater toll to pay – they can’t ever get their data privacy back.

How should edtech companies level up their cybersecurity?

Though we aren't a cybersecurity company, we do try to follow and find the best security practices to date, which is why we constantly look to experts and review our policies and practices. For other edtech companies, if you aren't already, we suggest you start prioritizing cybersecurity across your company, too. We embed security into our company culture so that these practices become second nature.

Some other areas to get started are:

Get Verified By 3rd Parties

ISO 27001 and/or SOC 2 audits are often requested by school districts as a requirement for them to do business. These verifications immediately build trust with your clients that their data privacy and security are taken seriously. They also cause you to think more holistically about both your policies and whether or not you actually do what your policies say you do.

Bug Bounty Program

This encourages help from the developer community by allowing them to submit vulnerabilities for compensation.

Cybersecurity Training

On an annual basis, our team has to undergo a review of all of our policies and commit to them, and raise flags when appropriate. As we grow, we have made sure to provide extra security training because of the amount of new functionality and solutions we provide. We do this not only to be secure internally with our practices, but also to highlight potential security issues for our clients and their districts.

The top cybersecurity risks for SaaS in 2025

1. AI-Driven Attacks

Bad actors are constantly evolving and finding new ways to exploit vulnerabilities to gain access to sensitive data. This includes utilizing new AI-powered technologies to improve the speed, scale and sophistication of their cybersecurity attacks. AI attacks are becoming harder to detect and respond to using traditional methods.

Potential vulnerabilities to be aware of:

  • Highly personalized phishing attempts that closely mimic real communications
  • Automated attacks at scale that rapidly scan for and exploit vulnerabilities
  • Identification of system misconfigurations that can expose data or access
  • Rapid generation of malware variants designed to evade detection
  • Potential data exposure through misuse of generative AI tools

2. Shadow IT

As more third-party vendors connect through APIs, the amount of data flowing between SaaS companies continues to grow. While this enables better functionality and more seamless use of these platforms together, it also increases the potential attack surface and introduces new security risks.

A key risk is lack of visibility. When IT teams do not maintain oversight of all connected applications, it creates opportunities for unauthorized or unvetted tools to access company data, which presents an opportunity to bad actors. Security experts refer to this as “shadow IT” – the use of applications without proper approval. This can include freemium tools, browser extensions, or other software that connects to company systems without formal review.

Potential vulnerabilities to be aware of:

  • Weak API authentication or improperly scoped access
  • Security incidents or breaches at third-party vendors
  • Insecure or misconfigured webhooks

3. Unregulated Access

Access control is a powerful way to protect your company against data breaches, but if managed poorly, it’s an easy way for hackers to gain unauthorized access. Controlling not only who has access to your various systems, but the level of access they have, helps ensure that any security risk is minimized.

Potential vulnerabilities to be aware of:

  • Missing or unenforced multi-factor authentication (MFA)
  • Full access (global admin access) instead of role-based access
  • Inactive or disabled accounts from previous contractors, vendors, employees, etc. that have not been deleted
  • Sharing settings without limitations, allowing external access to sensitive documents

4. Incomplete offboarding

With the large volume of employee onboarding and offboarding for SaaS companies, it’s easy to overlook the importance of completely disengaging an employee from the organization. Hackers rely on disorganization to gain access to sensitive information. Create a thorough checklist to follow to maintain a high level of oversight for each employee, no matter the risk level.

Potential vulnerabilities to check:

  • Collect all hardware
  • Revoke app access immediately
  • Remove email access and restrict file sharing
  • Reset shared passwords
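
The account-level checks listed under Unregulated Access and Incomplete offboarding can be run as a recurring review over an account export. The following is an added example, not Edlink's own tooling; the sample records are constructed, and the field names, the `global_admin` role label and the 90-day inactivity threshold are assumptions.

```python
from datetime import date

# Constructed sample export (not real data): one row per account, as it might
# come from an identity provider. All field names here are assumptions.
ACCOUNTS = [
    {"user": "alice", "status": "active", "employment": "employee",
     "mfa": True, "role": "editor", "last_login": date(2025, 12, 1)},
    {"user": "bob", "status": "active", "employment": "employee",
     "mfa": False, "role": "global_admin", "last_login": date(2025, 12, 10)},
    {"user": "carol", "status": "active", "employment": "departed",
     "mfa": True, "role": "viewer", "last_login": date(2025, 6, 1)},
    {"user": "dave", "status": "disabled", "employment": "departed",
     "mfa": True, "role": "viewer", "last_login": date(2025, 3, 1)},
    {"user": "erin", "status": "active", "employment": "employee",
     "mfa": True, "role": "editor", "last_login": date(2025, 8, 1)},
]

STALE_AFTER_DAYS = 90  # assumed threshold for treating an account as inactive


def review(accounts, today):
    """Return [(user, [issue, ...])] for every account that needs follow-up."""
    findings = []
    for a in accounts:
        enabled = a["status"] == "active"
        departed = a["employment"] == "departed"
        issues = []
        if departed and enabled:
            issues.append("offboarded-but-active")   # access never revoked
        if departed and not enabled:
            issues.append("disabled-not-deleted")    # leftover account
        if enabled and not a["mfa"]:
            issues.append("no-mfa")
        if enabled and a["role"] == "global_admin":
            issues.append("global-admin")            # needs a justification
        if enabled and (today - a["last_login"]).days > STALE_AFTER_DAYS:
            issues.append("inactive")
        if issues:
            findings.append((a["user"], issues))
    return findings


if __name__ == "__main__":
    for user, issues in review(ACCOUNTS, date(2025, 12, 15)):
        print(f"{user}: {', '.join(issues)}")
```

Document sharing settings and hardware collection are not account attributes and need their own checks.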

We’re excited to share a few of the items from our 2026 security roadmap.

Launching the Trust Center

We’re currently finalizing our Trust Center and plan to formally announce it to the public later this year. Access is currently available to existing clients upon request.

Conclusion

Cybersecurity is not a static checklist or a one-time investment — it is an ongoing discipline that must evolve alongside the threats targeting modern edtech companies. At Edlink, protecting sensitive education data is a foundational responsibility. The practices, programs, and investments outlined here reflect a deliberate strategy to reduce risk, strengthen trust, and anticipate worst-case scenarios before they happen.

As the edtech ecosystem grows more interconnected and attackers become more sophisticated, companies that embed security into their infrastructure, culture, and decision-making will be the ones that thrive and scale. Our commitment is to continuously raise the bar — not only for ourselves, but for the broader edtech community that relies on secure, reliable data systems to serve millions of digital learners.


FAQ


Where can I view more information about cybersecurity at Edlink?

Check out the Edlink Security & Privacy section in our docs.

What is SOC 2?

SOC 2 stands for ‘Systems and Organization Controls 2.’ According to AICPA (American Institute of CPAs), the organization that created the SOC 2 audit, “a SOC 2 examination is a report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. SOC 2 reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.” There are also different types of SOC 2 audits – type I and type II. Type I allows a company to claim how they protect data, which means it looks good on paper. Type II means auditors actually confirmed that said company follows the policies they claim they do. To learn more about Edlink’s SOC 2 history click here.

Why was SOC 2 created?

In April 2010, the AICPA announced a new auditing standard: the Statement on Standards for Attestation Engagement (SSAE 16), which introduced the three popular reports: SOC 1, SOC 2, and SOC 3. In May 2017, the AICPA replaced SSAE 16 with SSAE 18 to update and simplify some confusing aspects of SSAE 16, which is what is still used today. To learn more about the history of SOC 2 click here.

Should my edtech company perform a SOC 2 audit?

Edlink recommends it, but SOC 2 is not required by law. However, it can be contractually obligated by school districts, and it’s a great way to show how you protect your client’s data and uphold your promise to do the things you say you will, when it comes to security. To learn more about Edlink’s approach to security click here.

What does a SOC 2 audit consist of?

When a company performs a SOC 2 audit, they are measured against five criteria, known as the Trust Services Criteria (formerly Trust Services Principles). The five criteria are: Security, Availability, Confidentiality, Processing Integrity, and Privacy. All audits require the security criteria to be included.

What happens if there is a security breach at Edlink?

If we become aware of any unauthorized access to or disclosure of personally identifiable Student Data (a “Security Incident”), we will notify your designated account or security contact as quickly as possible. We will also work with your team and cooperate with any related investigations.

As information becomes available, we will share relevant details about the incident, including the nature of the issue, the type of data affected, the steps we’ve taken to investigate and contain it, the cause (if known), and the actions we’ve taken or plan to take to remediate the issue and prevent it from happening again.