EdTech security — student-data minimization + AI tutoring prompt injection + BOLA
EdTech security centers on student-record access control, consent-gated under-13 data collection, and data minimization. AI tutoring adds prompt-injection defense + cross-student isolation.
Top security risks
Under-13 data without consent gate
Collecting under-13 PII without a verifiable parental-consent gate leaks minor data that should never be stored.
Student-record leakage
Educational records leaked to a third party breaks per-tenant isolation and institutional trust.
Prompt injection in AI tutoring
Student types adversarial input to manipulate the AI's response or extract other students' data.
BOLA on student records
/api/students/[id] without per-school + per-class scope leaks across institutions.
Regulatory context
Securie focuses on the security-engineering surface: consent-gated under-13 collection, per-school + per-class access scope, prompt-injection defense, and data-retention limits verified on every change.
Checklist
- Verifiable parental-consent flow for under-13 users
- Prompt-injection defense on tutoring AI
- Per-school + per-class BOLA scope
- Data-retention < 12 months for student records
- Securie automated security review on every release
School-district procurement trusts a verifiable security posture — consent-gated collection, per-school access scope, and Securie automated security review on every release.