Your students' data is a regulatory priority.
Educational platforms collect minors' data, training records and exam results. The CNIL has made children's data protection an absolute enforcement priority. An audit is no longer optional.
Applicable regulations
CNIL — Children's data protection
Active priority: children's data protection is a CNIL strategic priority for 2024-2026. Parental consent is required for users under 15, and enhanced security obligations apply.
GDPR — Educational data
In force: academic results, progression data and family information are personal data that require security measures proportionate to their sensitivity.
Education Code
In force: platforms used in educational settings must guarantee student data protection (Art. L. 131-2 and following).
Common edtech vulnerabilities
- APIs exposing student data (grades, progress, personal information) without adequate authentication
- Cross-user access: one student can view another student's data
- Unauthenticated webhooks allowing admin or instructor account creation
- Paywall bypass on paid training platforms (free access to premium content)
- Identity documents (ID cards, certificates) stored in public buckets
- Missing age verification and parental consent mechanisms
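Two of the weaknesses listed above, cross-user access to grades and an unauthenticated account-creation webhook, shown as a vulnerable handler next to its hardened form. This is an added, framework-free illustration, not code from any audited platform; the user and grade records, the shared secret and the X-Signature header are constructed assumptions.

```python
import hmac
import hashlib
import json

# Constructed sample data (not from the page): two students, one instructor
# assigned to both, and a shared webhook secret.
USERS = {
    "s-100": {"role": "student"},
    "s-200": {"role": "student"},
    "t-1": {"role": "instructor", "students": {"s-100", "s-200"}},
}
GRADES = {"s-100": {"math": 14}, "s-200": {"math": 9}}
SECRET = b"constructed-webhook-secret"

def get_grades_vulnerable(requester_id, student_id):
    # Cross-user access: any logged-in user can read any student's grades.
    return GRADES.get(student_id)

def get_grades_hardened(requester_id, student_id):
    # Object-level authorization: only the student, or an instructor
    # assigned to that student, may read the record; otherwise None (403).
    user = USERS.get(requester_id)
    if user is None:
        return None
    if requester_id == student_id:
        return GRADES.get(student_id)
    if user["role"] == "instructor" and student_id in user.get("students", ()):
        return GRADES.get(student_id)
    return None

def sign(secret, body):
    # HMAC-SHA256 over the raw request body, hex-encoded (assumed scheme).
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def webhook_vulnerable(headers, body):
    # Unauthenticated webhook: trusts the payload, including role=admin.
    event = json.loads(body)
    return {"created": event["email"], "role": event["role"]}

def webhook_hardened(headers, body, secret):
    # Verify the signature in constant time before parsing anything, then
    # allow-list the roles a webhook may create so it can never mint admins.
    given = headers.get("X-Signature", "")
    if not hmac.compare_digest(sign(secret, body), given):
        return None
    event = json.loads(body)
    if event.get("role") not in {"learner"}:
        return None
    return {"created": event["email"], "role": event["role"]}
```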
We identified an unauthenticated webhook on a training platform allowing admin account creation — full access to user data, premium content, and payment information in 2 minutes.