We spend a lot of time talking about what quality looks like in edtech. Strong pedagogical tools. Great workflows that support teachers in the way they actually teach. Useful AI. Intuitive interfaces that help students navigate. But underneath all of it, there is a prerequisite that does not get enough credit: the people using your platform must be able to trust you with their data.
For itslearning, this is not an abstract principle. The data on our platform belongs to students, many of them children, and under GDPR that matters in a specific way. Children receive heightened safeguards precisely because they may not fully understand the nature or long-term consequences of sharing personal data. Recital 38 of the regulation says so explicitly. GDPR sets out the promise. Certification is part of the proof.
Today, we can confirm that itslearning has achieved ISO 27701 certification, the international standard for Privacy Information Management Systems.
Achieving certification is not a self-assessment. An independent auditor from TÜV NORD Nederland reviewed our data governance structures, privacy controls and accountability mechanisms against the full requirements of the standard. That includes how we handle data across its full lifecycle, how privacy roles and responsibilities are defined, how we assess and manage risk, and how we respond when something goes wrong.
Nico Nijenhuis, Global “TIC” Manager for Privacy at TÜV NORD, highlights what independent certification means for the education sector:
“ISO 27701 is increasingly important for organizations operating internationally, especially in education where responsible handling of students’ personal data is essential. We see that supervisory authorities and other stakeholders are placing growing emphasis on audits, certification and other forms of independent assurance for privacy practices in education.
Achieving this certification shows that itslearning has put strong and reliable processes in place to protect students’ personal data in daily practice. As an independent certification body, we are proud to contribute to building trust in data protection in the education sector, and we warmly congratulate itslearning on achieving this certification.”
Daniel Manne, Privacy Officer at itslearning, reflects on the responsibility that underpins the certification:
"Schools trust itslearning with data that belongs to children and young adults. That is not a responsibility we take lightly, and it is not one that should rest on our word alone. This certification means our privacy practices have been independently reviewed and verified. That is what accountability looks like in practice."
Privacy governance is not new to itslearning. We have always had processes in place to handle student data responsibly. What certification gives us is external validation of those processes, and a structured framework for continuously improving them.
Together with our existing ISO 27001 certification, we now hold independently verified coverage across both information security and privacy management. Where ISO 27001 addresses the security of systems and information, ISO 27701 specifically covers how personal data is governed, who is accountable for it, and how risks are identified and managed across the full data lifecycle, from collection through to deletion.
Under GDPR, schools act as data controllers, accountable for how student data is handled, including by the tools and platforms they use. As a data processor, itslearning handles that data on their behalf and under their instruction. It is our responsibility as a supplier to ensure our processes and governance are robust enough that schools can meet that accountability with confidence.
ISO 27701 certification means that responsibility is no longer just a commitment on our part. It is an independently audited fact. For data protection officers evaluating platforms, procurement teams navigating public sector requirements, and municipalities conducting due diligence, that distinction matters.
Our infrastructure is hosted within the European Economic Area, and the standard requires ongoing monitoring and measurable performance. This is a continuous process, not a one-time exercise.
If you have questions about our certifications, data residency or how this applies in your specific context, please get in touch with our Privacy Officer, Daniel Manne.