top of page
Independent assurance for education technology and AI systems used in education

A rigorous, evidence-based assessment of whether education technologies are lawful, safe and fit for use in schools.

Lawful

Assessing compliance with applicable laws and regulatory requirements governing education technology and AI.

Safe

Evaluating what and how personal data are collected, processed, stored and shared to protect the rights of learners and educators.

Secure

Reviewing technical and organisational safeguards to strengthen resilience against security threats and data breaches.

Responsible AI

Assessing transparency, accountability, human oversight and responsible use of AI within educational technologies.

The EDDS Assurance Framework

The EDDS Framework combines legal, technical, educational and child-centred assessment into a single evidence-based assurance model. Rather than relying on self-declarations or checklists, it evaluates products through documented evidence, independent review and proportionate risk assessment.

Regulatory & Human Rights Foundations​

  • GDPR AI ACT

  • EU AI ACT

  • UNCRC

  • Age Appropriate Design Code

Cybersecurity Standards

  • ISO/IEC 27001, 27701

  • NIST Cybersecurity Framework

  • CIS Controls

  • Other relevant security standards

Threat Intelligence

  • MITRE ATT&CK Framework (Techniques, Tactics &

  • Procedures relevant to education technology)

1. FOUNDATION

PRIVACY & DATA GOVERNANCE

Lawful, fair and transparent data practices. Data minimisation, purpose limitation, retention, transparency & rights.

CYBERSECURITY & RESILIENCE

Security by design, secure configuration, vulnerability management, incident response and resilience

AI RISK IMPACT ASSESSMENT

Responsible Al principles, explainabllity, bias mitigation, human oversight and safety of Al systems.

CHILD RIGHTS & SAFETY

Best interests of the child, age-appropriate design, safeguarding, inclusion and protection from harm.

LEGAL & CONTRACTUAL COMPLIANCE

Contractual safeguards, terms of use, IP, data sharing, sub-processors and regulatory compliance.

2. ASSESSMENT DOMAINS

TIER 1

LOW RISK

Minimal data exposure

Limited functionality

Standard controls

TIER 2

MODERATE RISK

Personal data

Moderate functionality

Expanded controls

TIER 3

HIGH RISK

Sensitive data/analytics

High functionality

Comprehensive controls

TIER 4

VERY HIGH RISK

PII/SEND data/Al profiling

Significant impact

Maximum control set

      Highest-Tier Rule If a product meets any criterion in a higher tier, the highest applicable tier always applies. Risk is determined by the nature of the product, data and impact - not by the size, age or location of the company.

3. RISK TIERS

Once a product has been assigned an assessment tier, the EDDS Framework identifies the proportionate controls, evidence requirements and assurance activities applicable to that product. Higher-risk products require more comprehensive controls and a greater depth of independent verification.

4. ASSESSMENT PROCESS

1. SCOPE & RISK

CLASSIFICATION

Define product scope, intended use, users and data. Assign assessment tier (1-4).

2. SELF-ASSESSMENT

 

Vendor completes tailored self-assessment and prepares evidence workbook.

3. ON-BOARDING

 

Re-assessment of tier and preparation for assessment procedures.

4. EVIDENCE SUBMISSION

 

Submit policies, documents, technical evidence and declarations.

5. ARTEFACTS REVIEW & RISK ANALYSIS

Independent review of evidence and risk analysis across applicable domains.

6. FINDINGS &

RECOMMENDATIONS

Risk findings, maturity rating, gaps and prioritised remediation plan.

7. ASSURANCE REPORT

& LABEL

 

Final report issued with Governance & Data Assurance Label (where applicable).

5. EVIDENCE & EVALUATION

Evidence Types

  • Policies & Procedures

  • Contracts & DPAs

  • Technical Documentation

  • Architecture & Configuration

  • Logs & Monitoring

  • Test Reports & Certificates

  • DPIA / Risk Assessments

  • Training & Awareness

  • Interviews & Demonstrations

Assurance Principles

  • Independent

  • Evidence-Based

  • Proportionate

  • Replicable

  • Transparent

  • Multidisciplinary

  • Continuous Improvement

Assurance Methods

  • Document review

  • Technical verification

  • Configuration review

  • Threat modelling

  • Sampling & testing

  • Interviews & walkthroughs

Maturity Model (1-4)

  1. Initial / Ad doc

  2. Developing

  3. Defined / Managed

  4. Institutionalised/Optimised

6. RE-ASSESS

Annual reassessment

Change monitoring

Risk & threat updates

Remediation tracking

Maturity uplift

From Assessment to Assurance

Every EDDS assessment concludes with a formal assurance report. Where applicable, organisations may also receive an EDDS Governance & Data Assurance Label, providing a clear summary of the product's governance profile and assessment outcome.

Independent assurance for informed decision-making

The EDDS Governance & Data Assurance Label provides an independent summary of a product's governance, risk profile and assessment outcome. It supports more transparent, evidence-informed decisions across the education technology ecosystem.

  • Schools & Education Authorities  | Support evidence-informed procurement and identify products that demonstrate robust governance, safety and accountability.​

  • Technology Providers  | Demonstrate responsible practice, strengthen customer confidence and benchmark progress through independent assessment.​

  • Governments & Regulators | Provide an independent evidence base to inform procurement, oversight and the development of future assurance frameworks.​

  • Education Sector | Promote greater transparency, consistency and trust in the evaluation of education technologies used by children and young people.

Verification Every EDDS Governance & Data Assurance Label (pictured) includes a unique QR code linking to an independent verification page, allowing stakeholders to confirm the authenticity, scope and validity of an assessment without accessing confidential audit information.

EDDS GOVERNANCE & DATA ASSURANCE

OVERALL AUDIT STATUS

Conditional pass

Proactive (3-4)

DATA EXPOSURE

High Sensitivity

DATA EXPOSURE

Elevated

GOVERNANCE MATURITY

institutionalised and remediated

KEY RISK INDICATORS

Al-generated interpretive summaries of children's behaviour

DPIA documentation incomplete

Incident response measures absent or untested

QR code.jpg

Assessment Date: 12.12.2025

Valid Until: 12.12.2026

Scan to verify assessment.

Audit Inquiry

Tell us about your organisation and product, and we'll recommend the most appropriate EDDS assessment pathway and arrange a pre-boarding consultation.

EDDS

EDDS@Etoile, 45 Pont Street, London, SW1X 0BD, UK

EDDS Institute is a trading name of

EDDS for Education CIC,

a community interest company

(registered number 16721386 in England & Wales)

supported by Etoile Partners Ltd

©2026 by EDDS

bottom of page