top of page
Image by stem.T4L

EDDS Audit & Assurance Process

A structured, evidence-based process designed to assess governance, safety and trustworthiness across education technology and AI.

Assessment Workflow

1. Scope & Tier Classification

Each assessment begins by identifying the product, intended users, deployment context and risk profile. This determines the assessment tier, applicable controls and the overall scope of the audit.

Child-centered risk classification

risk assessment.jpg

Highest-risk rule: If a product meets any criterion associated with a higher assessment tier—for example, processing special category data, biometric information or AI profiling—it is assessed at that higher tier. The highest applicable risk level always determines the scope of the audit.

EDDS applies a child-centred approach to risk classification. Assessment tiers are determined by the nature of the product, the data it collects and processes, its functionality, and its potential impact on children and education systems - not by the size, age or commercial maturity of the organisation.

A small developer offering a digital whiteboard with no student accounts may only need to demonstrate a limited set of foundational controls. By contrast, a start-up processing children's health information, behavioural analytics or biometric data may be assessed at the highest tier, regardless of how long it has been operating.

The assigned tier determines the scope of the assessment, the number of controls to be evaluated, the evidence required, and the level of independent verification. This ensures that lower-risk products are not overburdened, while technologies presenting greater risks are subject to more comprehensive scrutiny.

2. Vendor Self-Assessment

The organisation completes a structured EDDS self-assessment. A tailored workbook is generated, defining the applicable controls, required evidence, expected audit effort and the basis for estimating assessment time and cost.

3. Evidence Submission

The vendor submits supporting evidence, prioritising existing certifications, policies, technical documentation and assurance reports. Additional artefacts are requested where necessary to demonstrate compliance with the applicable controls.

4. Desktop Review

Assessors independently review the submitted documentation, including policies, certifications, technical configurations, logs and governance evidence, to evaluate whether each control has been adequately evidenced.

5. Live Assessment

Where required, assessors conduct product demonstrations, interviews and technical walkthroughs to verify that documented controls are implemented in practice and operate as described.

6. Findings & Gap Analysis

Evidence is assessed against the EDDS Framework to identify missing, insufficient or contradictory evidence, together with areas requiring remediation before assurance can be achieved.

7. Reporting & Recommendations

A formal audit report summarises the assessment outcome, maturity tier, mandatory controls achieved, identified gaps, overall risk profile, and short-, medium- and long-term recommendations for improvement.

EDDS

EDDS@Etoile, 45 Pont Street, London, SW1X 0BD, UK

EDDS Institute is a trading name of

EDDS for Education CIC,

a community interest company

(registered number 16721386 in England & Wales)

supported by Etoile Partners Ltd

©2026 by EDDS

bottom of page