VED
Trust & Verification OS · Procurement
VettED — Round 1 Privacy Triage
Epic
Round 1 · Privacy Triage · VettED Privacy Triage (Avenues-derived) — Round 1 · assessed
🟠 Insufficient Evidence — Round 2 required
Privacy score 77.8% · band Good
2 mandatory gates are unaddressed in the privacy policy (Q6 (Data Sharing); Q16 (AI & Model-Training)) — more than we tolerate at triage. No violation found, but silence can't earn a pass; escalate these specific items to Round 2.
Unaddressed gate(s): Q6, Q16 — not covered by the public policy. Confirm before relying on this.

Dimension scorecard

DimensionScore
Data Collection GATE
75.0%
Data Sharing GATE
50.0%
Data Sold GATE
100.0%
Data Rights GATE
100.0%
Data Safety GATE
100.0%
Ads & Tracking GATE
100.0%
Parental Consent
100.0%
School Purpose
100.0%
AI & Model-Training GATE
0.0%
Jurisdiction & Residency
100.0%

Findings — 18 questions, every answer cited

Data Collection
Q1Does the vendor limit collection/use of information to only data required for the product? GATE
✓ Good T3
Answer: Yes
“We collect only as much personal information as is reasonably necessary for the child to use the Epic Service.”
From Children's Privacy Policy section; applies to child profiles. General Epic service collection is broader.
Q2Does the vendor collect PII beyond what's necessary for the stated educational purpose?
✓ Good T3
Answer: No
“We collect only as much personal information as is reasonably necessary for the child to use the Epic Service.”
Policy explicitly limits collection to what is necessary for the stated educational purpose.
Q3Is any image of the user collected?
✓ Good T3
Answer: No
“To be clear, we do not collect biometric, free or reduced lunch eligibility, health, or financial data from or about students.”
From Epic School Privacy Policy; no mention of image collection in either policy.
Q4Does the vendor collect precise geolocation data?
? Not addressed T0
Answer: Unclear
Policy mentions 'device's location data, or we may approximate your location by analyzing data like IP address' but does not explicitly state whether precise geolocation is collected.
Data Sharing
Q5Does the vendor limit data sharing with third parties to the purpose for which it was collected? GATE
✓ Good T3
Answer: Yes
“We share information with our trusted third-party service providers who provide services to us or on our behalf, such as website hosting and customer support services, payment processing, order fulfillment, information technology and related infrastructure provision, customer service, email delivery, auditing, and other services.”
Policy describes sharing with service providers for stated purposes; limits are implicit in 'services to us or on our behalf.'
Q6Does the vendor impose contractual limits on how third parties use shared personal information? GATE
? Not addressed T0
Answer: Unclear
Policy does not explicitly state whether contractual limits are imposed on third-party use of shared personal information.
Data Sold
Q7Does the vendor sell or rent users' personal information to third parties? GATE
✓ Good T3
Answer: No
“We do not "sell" personal information to third parties. However, as is common practice among companies that operate online, we do allow certain third-party advertising networks and other third-party businesses to collect personal information directly from your browser or device through cookies and related technologies for the purpose of serving ads that are more relevant, for ad campaign measurement and analytics, for fraud detection and reporting, and for research purposes.”
Explicitly states they do not sell personal information; third-party data collection is for ad serving, not a sale by Epic.
Data Rights
Q8Do the student / educator / parent / school retain ownership of data and IP of uploaded content? GATE
✓ Good T3
Answer: Yes
“Epic does not own or control Student Data, which belongs to the School and to the student (or the student's Parent).”
From Epic School Privacy Policy; explicitly states students/schools retain ownership of Student Data.
Q9Can the user delete all of their PII and personal information from the vendor?
✓ Good T3
Answer: Yes
“You may request access to the personal information that we have collected in connection with your account and ask us to change or delete it.”
Users can request deletion; also states 'You may refuse to permit any further collection of your child's information by no longer providing the child user access to the Service.'
Q10Does the vendor auto-delete data after a defined period of inactivity (data sunset)?
✓ Good T3
Answer: Yes
“We will delete or de-identify Student Data within 60 days of receipt of a deletion request from a School. Even if we do not receive a deletion request from a School, we may delete or de-identify Student Data after a period of inactivity in accordance with our standard data retention schedule.”
Epic School policy explicitly describes auto-deletion after inactivity; general Epic policy does not specify a sunset period.
Data Safety
Q11Can students contact or interact with UNKNOWN users (strangers / the general public) in environments NOT supervised by a teacher or school? (Teacher-managed or within-class interaction, and content-only sharing, do NOT count.) GATE
✓ Good T3
Answer: No
“Students are not permitted to communicate or interact with anyone outside of the student's classroom other than the student's Parent.”
From Epic School Privacy Policy; explicitly prohibits student contact with unknown users outside the classroom.
Ads & Tracking
Q12Does the vendor display behavioral or targeted advertising to students inside the product? (Sending product/marketing emails to account holders does NOT count.) GATE
✓ Good T3
Answer: No
“We do not display targeted ads to child users in Epic. We do not use or disclose data collected from child users for targeted advertising or marketing purposes.”
Children's Privacy Policy explicitly states no targeted advertising to students.
Q13Does the vendor share students' personal information with third parties for third-party advertising or ad-targeting? GATE
✓ Good T3
Answer: No
“We do not use, disclose, sell, or rent Student Data to third parties for targeted advertising, marketing or other commercial purposes.”
From Epic School Privacy Policy; explicitly prohibits sharing student data with third parties for advertising.
Parental Consent
Q14Does the vendor limit collection for children aged 13 or under, or require parental/school consent?
✓ Good T3
Answer: Yes
“We do not permit children under 13 to create an account and do not knowingly collect personal information from children under the age of 13 without the consent and at the direction of a parent.”
Policy explicitly requires parental consent for children under 13.
School Purpose
Q15Does the vendor state the product is intended for students in preschool or preK-12?
✓ Good T3
Answer: Yes
“The Epic School product is only available for educators, schools, school districts, and other K-12 education institution users (collectively referred to as "Schools") to use with students for a K-12 educational purpose.”
Epic School product explicitly stated as K-12; general Epic service is for families but also used in schools.
AI & Model-Training
Q16Does the vendor use student/user data — including uploaded content — to train, fine-tune, or improve AI/ML models? GATE
? Not addressed T0
Answer: Unclear
Policy does not address whether student data or uploaded content is used to train, fine-tune, or improve AI/ML models.
Q17Does the vendor disclose which AI sub-processors/models power its features and any automated decisions affecting students?
? Not addressed T0
Answer: Unclear
Policy does not disclose specific AI sub-processors, models, or automated decision-making systems affecting students.
Jurisdiction & Residency
Q18Does the vendor disclose where data is stored and which privacy regimes it complies with?
✓ Good T3
Answer: Yes
“We have designed our School Privacy Policy and the Epic School product to meet our responsibilities under COPPA, FERPA and state student privacy laws, including SOPIPA.”
Policy names COPPA, FERPA, and SOPIPA compliance; does not explicitly state storage locations but references compliance with these regimes.

Jurisdiction & residency — Nord Anglia footprint

Vendor named 1 of 11 Nord Anglia countries. Shown alongside the verdict, not folded into the score — a vendor can be strong on privacy yet leave residency gaps for specific countries.
“We have designed our School Privacy Policy and the Epic School product to meet our responsibilities under COPPA, FERPA and state student privacy laws, including SOPIPA.”
CountryPrivacy lawCoverage
MexicoLatAmLFPDPPP⚠ Gap
Costa RicaLatAmLaw 8968⚠ Gap
PanamaLatAmLaw 81/2019⚠ Gap
Dominican RepublicLatAmLaw 172-13⚠ Gap
BrazilLatAmLGPD⚠ Gap
ColombiaLatAmLey 1581/2012⚠ Gap
EcuadorLatAmLOPDP (2021)⚠ Gap
PeruLatAmLaw 29733⚠ Gap
ChileLatAmLaw 21.719⚠ Gap
UruguayLatAmLaw 18.331⚠ Gap
United StatesFERPA / COPPA✓ Named
GDPR (overlay)Nord Anglia is UK-headquartered, global⚠ Gap
Advisory only. Round 1 reads the vendor's public privacy policy — a T3 (self-asserted, unverified) source. This is a triage signal, not a final verdict or legal advice. An explicit gate violation is a hard no; silence routes to Round 2, it never fakes a pass. A human reviews and signs off.
Reviewed by: __________________________ Date: ____________