Security is Not Optional: How Edlink Protects Millions of Students' Data in 2026
Table of Contents
- Intro
- What’s ongoing and new in data security at Edlink
- Why edtech companies should care about cybersecurity
- How should edtech companies level up their cybersecurity?
- The top cybersecurity risks for SaaS in 2025
- The future of cybersecurity at Edlink
- Conclusion
- FAQ
- Suggested continued reading
Intro
For several years now, Edlink has managed and stored a tremendous amount of critical data – including PII for millions of students – and we do not take this responsibility lightly. To protect such sensitive data, we continually evaluate and deploy cutting-edge techniques to prevent cybersecurity risks. Since hackers are constantly evolving their strategies to breach company data, we have to work faster to disincentivize these hackers from targeting us. Over the past year, we have leveled up our data infrastructure and how we manage access, and upskilled our team on new potential vulnerabilities. We take a worst-case-scenario approach to our cybersecurity and really get into the minds of the people who would exploit our data.
What’s new in security at Edlink?
In 2025, we set out to:
- Further our commitment to data security and privacy
- Implement new security programs
- Restructure how we communicate our security practices with our community
Below, we outline both ongoing practices in 2025 and upcoming changes to our security protocols in 2026 in detail.
Ongoing Practices
We encourage other edtech companies to implement these practices, as doing so increases the security of our industry overall.
Penetration Test
A penetration test is when a company launches a mock cybersecurity attack against your system to find vulnerabilities. This past year, we worked with NetSPI and their Penetration Testing as a Service (PTaaS) to test both our API platform and our network as a whole. As a data company, it’s crucial to have reliable cybersecurity partners to test against. NetSPI found no critical vulnerabilities as a result of the pen test.
Formal Access Review
Every year, we conduct a formal access review. In this review, we check for vulnerabilities from our employees and their use of third-party company-wide systems (like Google Workspace) or our product. During this review, we look at items including:
- Verifying correct access level
- Using multi-factor authentication for all employees, clients, and users
- Improving password strength and reducing duplicate use
SOC 2 Type II Report
In December 2025, we successfully completed another SOC 2 Type II audit. This means we are verified by a third party as following the security protocols and best practices that we say we do. We conduct these audits to hold ourselves accountable to the promise we make to our clients and their users: to protect their data.
As part of the SOC 2 audit, we conduct a formal security review of our sub-processors like Google and Amazon. To safely continue delivering security options like regional data storage, we have to work with cloud providers. Regardless of the type of data company though, we expect a high level of security from not only ourselves, but every data company.
Additionally, we draft and review a risk assessment for all vendors during our SOC 2 audit, including any third-party engineering tools and services. We prioritize based on the cybersecurity threat level as an organization. Ultimately, how effectively we offset our risks relies on a team effort from every person at Edlink.
Formal Security Training
One of the ways we create a culture of security awareness in Edlink is by conducting formal security training for all admin-level employees with access to our product and subsequently Personally Identifiable Information (PII). This program includes reviewing and being tested on our policies and protocols. By completing this program, our employees have a deep understanding of what is expected of them if/when security issues arise and how to spot potential threats.
Cloud Monitoring
We utilize monitoring services from Datadog and Google Cloud Platform, which give us oversight into real-time security threats to our network. Their tools allow us to reduce risk and maintain a high level of security for our product, clients, and their end-users.
What’s New
Bug Bounty Program
We started a Bug Bounty program in 2025 as a way to encourage the developer community to ethically test our product for vulnerabilities. In doing so, we allowed the developer community to show us ways to strengthen our service and practices for our clients.
Trust Center
We built our Trust Center, a centralized location to access all of our security documents. Simply sign an NDA and you can request access to our security documentation including our SOC 2 Type II audit.
Passwordless Login
We’ve introduced a passwordless login to the Edlink Dashboard and completely removed our old password-based system. This functions as both an enhanced security measure to combat weak passwords as well as a user experience improvement for school administrators completing the onboarding flow to connect their data source to client products.
Why should edtech companies care about cybersecurity?
Prioritize protecting the data of the users who use your products. As an integration partner, we have a duty to take data privacy and security seriously, because organizations trust us with millions of people’s data. There are real consequences for not only our clients, but also for the people who trusted them, if there is a security breach. There are consistently edtech vendors in the news experiencing a data breach and subsequently getting fined. But the people whose data is stolen have a greater toll to pay because they can’t ever get their data privacy back.
How should edtech companies level up their cybersecurity?
Though we aren't a cybersecurity company, we do try to follow and find the best security practices to date, which is why we constantly look to experts and review our policies and practices. For other edtech companies, we suggest you start prioritizing cybersecurity across your company, too. Everyone at Edlink has to undergo constant rounds of cybersecurity training and review. We embed security into our company culture so that these practices become second nature.
Some other areas to get started are:
Get Verified By 3rd Parties
ISO 27001 and/or SOC 2 audits are often requested by school districts as a requirement for them to do business. These verifications immediately build trust with your clients that their data privacy and security are taken seriously.
Bug Bounty Program
This encourages help from the hacker community by allowing them to submit vulnerabilities for cash.
Cybersecurity Training
On an annual basis, our team has to undergo a review of all of our policies and commit to them, and raise flags when appropriate. As we grow, we have made sure to provide extra security training because of the amount of new functionality and solutions we provide. We do this not only to be secure internally with our practices, but also to highlight potential security issues for our clients and their districts.
The top cybersecurity risks for SaaS in 2025
1. AI-Driven Attacks
Hackers are constantly evolving and finding new ways to exploit vulnerabilities to gain access to sensitive data. This includes utilizing new AI-powered technologies to accelerate and automate various stages of cybersecurity attacks. AI attacks are unique because they can learn and evolve over time on their own – becoming harder to recognize as threats, more tenacious, and relentless.
Potential vulnerabilities to check:
- Highly personalized phishing messages
- Automated exploitation at scale
- Automated discovery of misconfigurations
- Malware variants created faster than traditional defenses can detect
- Data exposure from Gen AI
2. Shadow IT
As the rise of third-party vendors connecting through APIs has increased the flow of data between SaaS companies, it has grown increasingly difficult to secure sensitive data, and that data has been opened to new vulnerabilities. When IT departments don’t maintain oversight of all apps connected in the company, it presents an opportunity to hackers. Security experts refer to this as “shadow IT” – using apps without the proper authorization. This includes freemium applications and browser extensions.
Potential vulnerabilities to check:
- Weak API authentication
- Third-party API breaches
- Insecure webhooks
3. Unregulated Access
Access control is a powerful way to protect your company against data breaches, but if managed poorly, it’s an easy way for hackers to gain unauthorized access. Controlling not only who has access to your various systems, but the level of access they have, helps ensure that any security risk is minimized.
Potential vulnerabilities to check:
- Multi-factor authentication (MFA)
- Full access (global admin access) instead of role-based access
- Deleting inactive or disabled accounts from previous contractors, vendors, employees, etc.
- Limitations on sharing settings allowing external access to sensitive documents
4. Incomplete offboarding
With the large volume of employee onboarding and offboarding for SaaS companies, it’s easy to overlook the importance of completely disengaging an employee from the organization. Hackers rely on disorganization to gain access to sensitive information. Create a thorough checklist to follow to maintain a high level of oversight for each employee, no matter the risk level.
Potential vulnerabilities to check:
- Collect all hardware
- Revoke app access immediately
- Remove email access and restrict file sharing
- Reset shared passwords
The Future of Cybersecurity at Edlink
We’re excited to share a few of the items from our 2026 security roadmap.
Launching the Trust Center
We’re currently finalizing our Trust Center and plan to formally announce it to the public later this year. Access is currently only available upon request from existing clients.
Adjusting SOC 2 Audit Cycle
Previously, we’ve been conducting quarterly SOC 2 Type II audits once a year, but in 2026, we’ll shift to a year-long audit cycle at the recommendation of our audit team.
New Certification
In 2026, we are considering pursuing ISO 27001 certification to further show that we maintain a high level of managing information security, cybersecurity, and privacy protection.
Conclusion
Cybersecurity is not a static checklist or a one-time investment — it is an ongoing discipline that must evolve alongside the threats targeting modern edtech companies. At Edlink, protecting sensitive education data is a foundational responsibility. The practices, programs, and investments outlined here reflect a deliberate strategy to reduce risk, strengthen trust, and anticipate worst-case scenarios before they happen.
As the edtech ecosystem grows more interconnected and attackers become more sophisticated, companies that embed security into their infrastructure, culture, and decision-making will be the ones that thrive and scale. Our commitment is to continuously raise the bar — not only for ourselves, but for the broader edtech community that relies on secure, reliable data systems to serve millions of digital learners.
FAQ
Where can I view more information about cybersecurity at Edlink?
Check out the Edlink Security & Privacy section in our docs.
What is SOC 2?
SOC 2 stands for ‘System and Organization Controls 2.’ According to AICPA (American Institute of CPAs), the organization that created the SOC 2 audit, “a SOC 2 examination is a report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. SOC 2 reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.” There are also different types of SOC 2 audits – Type I and Type II. Type I allows a company to claim how they protect data, which means it looks good on paper. Type II means auditors actually confirmed that said company follows the policies they claim they do. To learn more about Edlink’s SOC 2 history click here.
Why was SOC 2 created?
In April 2010, the AICPA announced a new auditing standard: the Statement on Standards for Attestation Engagements (SSAE 16), which introduced the three popular reports: SOC 1, SOC 2, and SOC 3. In May 2017, the AICPA replaced SSAE 16 with SSAE 18 to update and simplify some confusing aspects of SSAE 16, which is what is still used today. To learn more about the history of SOC 2 click here.
Should my edtech company perform a SOC 2 audit?
Edlink recommends it, but SOC 2 is not required by law. However, it can be contractually required by school districts, and it’s a great way to show how you protect your clients’ data and uphold your promise to do the things you say you will when it comes to security. To learn more about Edlink’s approach to security click here.
What does a SOC 2 audit consist of?
When a company performs a SOC 2 audit, they are measured against five criteria, known as the Trust Services Criteria (formerly Trust Services Principles). The five criteria are: Security, Availability, Confidentiality, Processing Integrity, and Privacy. All audits require the Security criterion to be included.
What happens if there is a security breach at Edlink?
If there is any disclosure or access to any personally identifiable Student Data by an unauthorized party (a "Security Incident"), we will promptly notify the Edlink account owner of any affected Schools via email and will use reasonable efforts to cooperate with their investigations of the incident. To the extent known, this notice will identify (i) the nature of the Security Incident, (ii) the steps we have executed to investigate the Security Incident, (iii) the type of Student Data affected, (iv) the cause of the Security Incident, if known, (v) the actions we have taken or will take to remediate any deleterious effects of the Security Incident, and (vi) any corrective actions we have taken or will take to prevent a future Security Incident. Learn more.
Suggested Continued Reading
- Edlink’s Security Center - Our Collection of Security Articles
- Edlink’s Privacy Center - Our Collection of Privacy Articles
- How does Edlink Handle Data Privacy and Security?
- How Edlink Handles School Data
- Does Edlink store PII?
Have security questions for Edlink? Contact us 👉 here.