Top Education #AI Tools: A Red, Yellow, Green List – Avoid Data Breaches #cybersecurity #education #teaching

I saw this image, Best AI Tools for the New School Year (below), making the rounds from EducatorsTechnology.com and wondered, “Is it accurate? Are those tools really ones educators SHOULD be using?” My questions came from a “Do these tools protect district data?” perspective. Anyone who has suffered a data breach because a third-party vendor was hacked, mislaid a USB drive, or whatever, will be sensitive to this topic. If you’re not, well, you need to be. It’s the Wild West of Gen AI tools, not unlike the old Ed Tech days.

An Essential Question

Another question to ask: “How likely are these to allow NDPA or Data Processing Agreements?” Please note that there are some questions and a template for a National Data Privacy Agreement (NDPA) or Data Processing Agreement (DPA) below.

Data Privacy Agreement Template

As a technology director, I wish I had thought to have something this detailed when working with third party vendors offering solutions in K-12 schools. Sure, I had an agreement they would protect our data in place that had to be signed by their CEO/CTO, as well as a list of questions, but I didn’t have a data privacy agreement that was this detailed. Most of my concerns were around setting up exchange of encrypted data using Secure File Transfer Protocol (SFTP).

This data privacy agreement is a powerful enhancement:

DATA PRIVACY AGREEMENT

Between: [School District Name] ("LEA" - Local Education Agency)
And: [Vendor Name] ("Provider")

ARTICLE I - DEFINITIONS
• "Student Data" means any information about students collected by Provider
• "School Official" means Provider acts under direct control of LEA
• "De-identified Data" means data that cannot identify individual students

ARTICLE II - DATA OWNERSHIP & CONTROL
□ LEA retains full ownership of all Student Data
□ Provider is granted limited license to use data solely for agreed services
□ No sale or transfer of Student Data to third parties
□ Provider will not use Student Data for advertising or marketing

ARTICLE III - DATA COLLECTION & USE
□ Provider will collect only data necessary for educational purpose
□ Provider will not mine Student Data for commercial purposes
□ Provider will not use Student Data to train AI models without explicit consent
□ Provider maintains data inventory showing what is collected and why

ARTICLE IV - DATA PROTECTION & SECURITY
□ Provider implements industry-standard security measures (encryption, access controls)
□ Provider conducts regular security audits
□ Provider maintains cyber liability insurance of $[amount]
□ Provider ensures subcontractors meet same standards

ARTICLE V - PARENTAL & STUDENT RIGHTS
□ Parents can review their child's data upon request
□ Parents can request correction of inaccurate data
□ Parents can request deletion of data (subject to retention requirements)
□ Provider will assist LEA in responding to parent requests within [X] days

ARTICLE VI - BREACH NOTIFICATION
□ Provider notifies LEA within 24-48 hours of discovering breach
□ Provider provides details: nature of breach, data affected, students impacted
□ Provider covers costs of breach notification and credit monitoring
□ Provider cooperates with LEA's investigation

ARTICLE VII - DATA RETENTION & DELETION
□ Data retained only as long as needed for educational purpose
□ Upon termination, Provider will:
  • Return all Student Data to LEA in usable format
  • Delete all Student Data from Provider systems within [30-60] days
  • Provide written certification of deletion

ARTICLE VIII - COMPLIANCE
□ Provider acts as "School Official" under FERPA
□ Provider complies with COPPA for users under 13
□ Provider complies with applicable state student privacy laws
□ Provider will not make material changes without LEA consent

ARTICLE IX - AUDITING
□ LEA may audit Provider's data practices annually
□ Provider provides compliance documentation upon request
□ Provider maintains logs of data access and use

ARTICLE X - TERMINATION
□ Either party may terminate with [30-90] days notice
□ LEA may terminate immediately for material breach
□ Data return/deletion obligations survive termination

EXHIBIT A - DATA ELEMENTS
[Specific list of data types collected: names, emails, grades, etc.]

EXHIBIT B - AUTHORIZED USES
[Specific educational purposes for which data may be used]

EXHIBIT C - SUBPROCESSORS
[List of any third-party services Provider uses]

SIGNATURES
LEA Authorized Representative: _________________ Date: _______
Provider Authorized Representative: _____________ Date: _______

Are These Tools the Best?

When you see a list of tools like this in a chart, you have to ask yourself, “What’s the reason for this chart? Is it to encourage subscriptions to the services? Is it to simply make you aware of the tools?” but the most important question, “Will this safeguard student/teacher data?” isn’t addressed at all in the chart. Now, don’t get me wrong. I’m grateful to Dr. Med Kharbach for putting this list together. There are some GREAT tools on here (and some left out, too) but if I approach these with a more critical eye, I can’t be focused on their usability alone, but also, how well they protect student information.

The Challenge

As such, I challenge those on my updated list (slams gauntlet on the ground in front of them) to provide easy to access links that clarify their stand. I’ll be happy to link to their updated resources and explanations.

I had Gen AI take a stab at addressing these questions, but they would all have to be verified. That’s not Gen AI’s job, but rather, the job of a school CTO or technology director.

A Revised Best AI Tools for The New School Year Chart

Although not as snazzy, this chart takes one step closer to addressing data privacy. It’s not quite perfect, so I would suggest reviewing it, then scrolling down to the Red/Yellow/Green List of tools. That works better.

| Tool | Description | Data Privacy |
| --- | --- | --- |
| BoodleBox Unlimited | Comprehensive AI platform providing access to multiple leading AI models (GPT-4, Claude, Gemini, etc.) in one secure environment. Features include document analysis, web search, image generation, collaborative GroupChats, and custom bot creation – all designed specifically for educational use. | Industry-leading privacy protection: No data training on user inputs, FERPA/COPPA compliant, enterprise-grade security, no ads or data selling. Student data remains completely private and protected. |
| Chatbots (ChatGPT/Claude/Gemini/Perplexity) | Use them to brainstorm lessons, generate practice questions, draft rubrics, and summarize articles | Consumer versions: ChatGPT collects and saves all data (per court ruling); Claude will train on data after Sept 28, 2025 unless opted out; Gemini uses data for training; Perplexity logs searches. Education/Enterprise versions do not train on user data. |
| Napkin AI | Turns messy notes, text, or data into clean visuals like flowcharts, mind maps, and infographics | Limited transparency; may store and analyze user content for service improvement |
| Canva | Best teacher-friendly design tool out there. Use to create posters, presentations, charts, interactive worksheets, and more | Free version: content may be used for product improvement; Education accounts have better privacy protections |
| Quizizz AI | Best for creating AI-generated practice questions, adaptive quizzes, and gamified assessments | Collects student performance data; shares data with third parties for analytics; requires careful privacy settings |
| Brisk Teaching | Makes it easy to create lesson plans, resources, Google Form quizzes, exemplars, and so much more | Integrates with Google Workspace; inherits Google’s data practices; may access document content |
| MagicSchool | Offers dozens of AI tools for lesson planning, rubric creation, IEP support, parent communication, and more | Designed for education with FERPA compliance; doesn’t sell data but may use for product improvement |
| Eduaide | A versatile planning assistant that generates lesson ideas, assessments, feedback, and enrichment activities | Claims FERPA compliance; limited public information about specific data practices |
| School AI | Easily tailor teaching plans and more, automatically aligned with standards and objectives. Personalize learning in real-time | Collects student interaction data; privacy policies vary by implementation |
| NotebookLM | A research assistant from Google that lets you upload documents and then ask questions, generate summaries, or build outlines directly from your sources | Google’s standard privacy policies apply; documents uploaded may be processed by Google’s AI systems |
| Curipod | Lets teachers create interactive lessons, polls, and presentations in seconds, turning static content into engaging, student-driven learning experiences | Collects student response data; COPPA compliant for users over 13; data retention policies unclear |
| TeachAid | Helps create adapted materials and supports teachers in designing resources that meet diverse learning needs | Limited privacy information available; standard SaaS data practices likely apply |
| Poe | A platform that gives you access to multiple AI models (including Claude, GPT-4, and others) in one place, making it easy to compare responses | Quora-owned; conversations may be used for model improvement; not specifically designed for education privacy |
| FigJam | A collaborative whiteboard by Figma where students and teachers can brainstorm, map ideas, and co-create projects in real time | Figma’s enterprise policies apply; content may be visible to workspace admins; not education-specific |
| Snorkl | A tool that captures students’ thought processes through audio explanations, giving teachers deeper insight into reasoning and making formative assessment easier | Records student audio; privacy depends on school implementation; data storage location unclear |
| Padlet | A collaborative online board where teachers and students can post notes, images, videos, or links to brainstorm, share resources, and build projects together | COPPA/FERPA compliant options available; free version has less privacy protection than school accounts |
| MyLens | An AI-powered tool that helps you visualize your ideas and content through interactive visuals | Limited privacy information; standard AI tool data practices likely apply |
| ElevenLabs | A text-to-speech tool that generates realistic voices, useful for creating audio versions | ??? |

Red Light, Green Light

Your favorite game, right? Consider the following info. The real lesson from these charts? Consumer versions that teachers can afford are NOT safe, with a few exceptions.

🔴 RED — Don’t Use with Student Personally Identifiable Information (PII)

OK for teacher-only experimentation with no PII, if allowed by policy

Consumer Chatbots (personal accounts):

  • ChatGPT – Consumer version may use content for training unless opted out; lacks K-12 DPA
  • Claude – After Sept 28, 2025, consumer chats used for training unless opted out
  • Gemini (consumer) – Saves prompts/outputs unless Gemini Apps Activity disabled
  • Perplexity – Consumer service without education-specific protections
  • Poe (Quora) – Anonymized chats may be used for model improvement; third-party bots can access data
  • NotebookLM – Consumer Google product not covered by Workspace EDU DPA

Why Red? FERPA requires vendors to be under district control as “school officials” via agreement

🟡 YELLOW — Allowed with Right Plan + Settings

And/or teacher-only use, no student PII

  • Figma/FigJam – Requires Enterprise/EDU plan + DPA; admins can access workspace content
  • Canva (non-EDU) – Disable AI training toggles; prefer Canva for Education
  • Padlet – Use Padlet for Schools with district settings; avoid public pads for student info
  • ElevenLabs – Teacher voice only; opt out of training or use enterprise controls
  • Synthesia – No training on customer content but not K-12 specific; use with DPA or teacher-only
  • MyLens/Twee – Have privacy policies but no explicit FERPA/COPPA contracting
  • Slidesgo – Templates available; safest as teacher-only content source

🟢 GREEN — Education-First Tools

Still require DPA on file

  • Canva for Education – iKeepSafe-certified; FERPA/COPPA compliant; no training on EDU content
  • Quizizz (school use) – FERPA/COPPA commitments; privacy center + DPAs available
  • Brisk Teaching – FERPA/COPPA compliance; “school official” addendum; Common Sense privacy rating
  • Curipod – Student privacy center; configure age gates and consent
  • Snorkl – Claims FERPA compliance and SOPIPA; verify DPA
  • Diffit – No student data; FERPA/COPPA compliant; NDPA signatory
  • BoodleBox Unlimited – FERPA/COPPA compliance; no training on inputs; confirm district DPA
  • MagicSchool – Education-first; FERPA/COPPA claims; available DPAs
  • Khanmigo – Khan Academy’s privacy posture for students; COPPA compliant
  • SchoolAI – Education-first; FERPA/COPPA and SOC 2 compliant; check DPA terms
  • Eduaide – Teacher-facing; FERPA/COPPA claims; avoids student PII

Key Implementation Rules

  1. Baseline Rule: No student PII in any consumer AI app. Use only vendors acting as school officials under a signed DPA.
  2. Data Flow Classification:
    • Green: No student data leaves district systems
    • Yellow: Student data goes to vendor under DPA
    • Red: Student data goes to consumer system
  3. Essential Vendor Questions:
    • Will you act as a “school official” under FERPA and sign our state’s NDPA variant?
    • Can you confirm in writing: “No use of our content for model training”?
  4. Zero-Data Workflows: Even “Red” services can be used by teachers without student data for generating exemplars and teacher resources.

📋 Comprehensive Vendor Privacy Questions for K-12 AI Tools

I absolutely LOVE these first six questions, especially #6, after watching school districts having to wait half a year to be notified that a data breach occurred.

Essential DPA Requirements

These are non-negotiable – vendor must answer “YES” to proceed

  1. Will you sign our standard DPA/NDPA without material modifications?
  2. Do you certify that student data will NOT be used to train AI models?
  3. Can you act as a “School Official” under FERPA?
  4. Will you delete all student data within 60 days of contract termination?
  5. Do you carry cyber liability insurance?
  6. Will you notify us within 48 hours of any data breach?

Data Collection & Storage Details

  7. What specific data do you collect from users?
    • Request detailed list of all data elements
    • Include both required and optional data fields
    • Clarify what metadata is collected
  8. Where is data stored and for how long?
    • Specify data center locations and jurisdictions
    • Detail retention periods for different data types
    • Explain backup and archive policies
  9. Who has access to stored data?
    • List all personnel roles with access
    • Detail access controls and authentication methods
    • Include any subprocessor access
  10. Is data encrypted at rest and in transit?
    • Specify encryption standards used (AES-256, TLS 1.3, etc.)
    • Confirm encryption keys management practices
    • Detail any exceptions to encryption

FERPA/COPPA Compliance Verification

  11. How do you handle users under 13 (COPPA)?
    • Describe age verification methods
    • Detail parental consent processes
    • Explain limitations for under-13 users
  12. Can parents access and delete their child’s data?
    • Specify process and timeline for parent requests
    • Detail any data that cannot be deleted and why
    • Confirm support for LEA in responding to requests
  13. Do you have a signed Student Privacy Pledge?
    • Provide certification date if applicable
    • List any other privacy certifications (iKeepSafe, etc.)
    • Share Common Sense Privacy rating if available

Data Usage & AI Training Policies

  14. Is data shared with third parties? If yes, who and why?
    • Provide complete list of subprocessors
    • Explain purpose for each third-party sharing
    • Detail data minimization practices
  15. Can we opt out of all data collection beyond service provision?
    • Clarify what constitutes “necessary” collection
    • Detail opt-out mechanisms available
    • Explain impact of opt-outs on functionality
  16. Do you sell or monetize student data in any way?
    • Include “derived” or “inferred” data
    • Cover aggregated/de-identified data usage
    • Confirm no behavioral advertising

Security & Incident Response

  17. What security certifications do you maintain?
    • SOC 2 Type II, ISO 27001, etc.
    • Date of last audit and next scheduled audit
    • Availability of audit reports to LEA
  18. What is your complete data breach notification process?
    • Notification timeline (must be within 48 hours)
    • Information included in breach notices
    • Support provided for breach response
    • Who covers costs of notification and remediation
  19. How quickly can you delete all data upon request?
    • Standard deletion timeline
    • Process for emergency deletion
    • Certification of deletion provided
    • Any data that cannot be deleted and legal basis

Additional AI-Specific Questions

  20. Do you use student inputs/outputs for any purpose beyond providing direct service?
    • Include improving algorithms or services
    • Cover internal analytics or research
    • Detail any “product improvement” uses
  21. Can you guarantee our data remains separate from your consumer product?
    • Confirm complete segregation of education/consumer data
    • Detail technical controls ensuring separation
    • Explain how updates/improvements are managed
  22. What AI models do you use and who provides them?
    • List all AI providers (OpenAI, Anthropic, Google, etc.)
    • Confirm their compliance with education requirements
    • Detail any model training on education data

Documentation Requirements

  23. Please provide:
    • Current privacy policy with last update date
    • Terms of service for education accounts
    • Sample DPA you’ve signed with other districts
    • Data flow diagram showing all data movement
    • List of all data elements collected (data dictionary)
    • Incident response plan template

🚩 Automatic Disqualifiers

If vendor answers “NO” or hedges on any of these, consider them unsuitable for K-12:

  • Questions 1-6 (Essential DPA Requirements)
  • Question 16 (Selling/monetizing data)
  • Questions 2 & 20 (Using data for AI training)

