(Drafted March 2026. Pending Governing Board Approval)
Service Provider / Vendor Security Policy
1. Purpose
This policy establishes expectations for managing security and privacy risks associated with third‑party service providers and vendors that process, store, or access Colearn Academy data.
2. Scope
This policy applies to significant service providers and vendors that support instructional or administrative functions and handle Colearn Academy data or have access to school systems.
Operating context: Colearn Academy has no physical building and no school-owned hardware; the School operates entirely through cloud and vendor‑provided services.
3. Vendor Inventory
3.1 Colearn Academy will maintain a list or register of key service providers and vendors, including the general purpose of each service and the types of data involved.
4. Security and Privacy Considerations
4.1 When selecting or renewing service providers, the School will consider the provider’s security and privacy practices, including how they protect data and handle incidents.
4.2 Where feasible, contracts or agreements should include language addressing data protection, permitted uses of data, access controls, and incident notification expectations.
5. Ongoing Oversight
5.1 The School will periodically review its list of key vendors to confirm that services and associated risks remain acceptable.
6. Review
This policy will be reviewed at least annually and updated as needed to reflect changes in vendor relationships, legal requirements, or risk.