Independent assurance for education technology and AI systems used in education
A rigorous, evidence-based assessment of whether education technologies are lawful, safe and fit for use in schools.
Lawful
Assessing compliance with applicable laws and regulatory requirements governing education technology and AI.
Safe
Evaluating what and how personal data are collected, processed, stored and shared to protect the rights of learners and educators.
Secure
Reviewing technical and organisational safeguards to strengthen resilience against security threats and data breaches.
Responsible AI
Assessing transparency, accountability, human oversight and responsible use of AI within educational technologies.
The EDDS Assurance Framework
The EDDS Framework combines legal, technical, educational and child-centred assessment into a single evidence-based assurance model. Rather than relying on self-declarations or checklists, it evaluates products through documented evidence, independent review and proportionate risk assessment.
Regulatory & Human Rights Foundations
-
GDPR AI ACT
-
EU AI ACT
-
UNCRC
-
Age Appropriate Design Code
Cybersecurity Standards
-
ISO/IEC 27001, 27701
-
NIST Cybersecurity Framework
-
CIS Controls
-
Other relevant security standards
Threat Intelligence
-
MITRE ATT&CK Framework (Techniques, Tactics &
-
Procedures relevant to education technology)
1. FOUNDATION
PRIVACY & DATA GOVERNANCE
Lawful, fair and transparent data practices. Data minimisation, purpose limitation, retention, transparency & rights.
CYBERSECURITY & RESILIENCE
Security by design, secure configuration, vulnerability management, incident response and resilience
AI RISK IMPACT ASSESSMENT
Responsible Al principles, explainabllity, bias mitigation, human oversight and safety of Al systems.
CHILD RIGHTS & SAFETY
Best interests of the child, age-appropriate design, safeguarding, inclusion and protection from harm.
LEGAL & CONTRACTUAL COMPLIANCE
Contractual safeguards, terms of use, IP, data sharing, sub-processors and regulatory compliance.
2. ASSESSMENT DOMAINS
TIER 1
LOW RISK
Minimal data exposure
Limited functionality
Standard controls
TIER 2
MODERATE RISK
Personal data
Moderate functionality
Expanded controls
TIER 3
HIGH RISK
Sensitive data/analytics
High functionality
Comprehensive controls
TIER 4
VERY HIGH RISK
PII/SEND data/Al profiling
Significant impact
Maximum control set
Highest-Tier Rule If a product meets any criterion in a higher tier, the highest applicable tier always applies. Risk is determined by the nature of the product, data and impact - not by the size, age or location of the company.
3. RISK TIERS
Once a product has been assigned an assessment tier, the EDDS Framework identifies the proportionate controls, evidence requirements and assurance activities applicable to that product. Higher-risk products require more comprehensive controls and a greater depth of independent verification.
4. ASSESSMENT PROCESS
1. SCOPE & RISK
CLASSIFICATION
Define product scope, intended use, users and data. Assign assessment tier (1-4).
2. SELF-ASSESSMENT
Vendor completes tailored self-assessment and prepares evidence workbook.
3. ON-BOARDING
Re-assessment of tier and preparation for assessment procedures.
4. EVIDENCE SUBMISSION
Submit policies, documents, technical evidence and declarations.
5. ARTEFACTS REVIEW & RISK ANALYSIS
Independent review of evidence and risk analysis across applicable domains.
6. FINDINGS &
RECOMMENDATIONS
Risk findings, maturity rating, gaps and prioritised remediation plan.
7. ASSURANCE REPORT
& LABEL
Final report issued with Governance & Data Assurance Label (where applicable).
5. EVIDENCE & EVALUATION
Evidence Types
-
Policies & Procedures
-
Contracts & DPAs
-
Technical Documentation
-
Architecture & Configuration
-
Logs & Monitoring
-
Test Reports & Certificates
-
DPIA / Risk Assessments
-
Training & Awareness
-
Interviews & Demonstrations
Assurance Principles
-
Independent
-
Evidence-Based
-
Proportionate
-
Replicable
-
Transparent
-
Multidisciplinary
-
Continuous Improvement
Assurance Methods
-
Document review
-
Technical verification
-
Configuration review
-
Threat modelling
-
Sampling & testing
-
Interviews & walkthroughs
Maturity Model (1-4)
-
Initial / Ad doc
-
Developing
-
Defined / Managed
-
Institutionalised/Optimised
6. RE-ASSESS
Annual reassessment
Change monitoring
Risk & threat updates
Remediation tracking
Maturity uplift
From Assessment to Assurance
Every EDDS assessment concludes with a formal assurance report. Where applicable, organisations may also receive an EDDS Governance & Data Assurance Label, providing a clear summary of the product's governance profile and assessment outcome.
Independent assurance for informed decision-making
The EDDS Governance & Data Assurance Label provides an independent summary of a product's governance, risk profile and assessment outcome. It supports more transparent, evidence-informed decisions across the education technology ecosystem.
-
Schools & Education Authorities | Support evidence-informed procurement and identify products that demonstrate robust governance, safety and accountability.
-
Technology Providers | Demonstrate responsible practice, strengthen customer confidence and benchmark progress through independent assessment.
-
Governments & Regulators | Provide an independent evidence base to inform procurement, oversight and the development of future assurance frameworks.
-
Education Sector | Promote greater transparency, consistency and trust in the evaluation of education technologies used by children and young people.
Verification Every EDDS Governance & Data Assurance Label (pictured) includes a unique QR code linking to an independent verification page, allowing stakeholders to confirm the authenticity, scope and validity of an assessment without accessing confidential audit information.
EDDS GOVERNANCE & DATA ASSURANCE
OVERALL AUDIT STATUS
Conditional pass
Proactive (3-4)
DATA EXPOSURE
High Sensitivity
DATA EXPOSURE
Elevated
GOVERNANCE MATURITY
institutionalised and remediated
KEY RISK INDICATORS
Al-generated interpretive summaries of children's behaviour
DPIA documentation incomplete
Incident response measures absent or untested

Assessment Date: 12.12.2025
Valid Until: 12.12.2026
Scan to verify assessment.
