Foundational. Every other stewardship question presumes you know which vendors hold what data.
Type of data each vendor holds — PII, behavioral, academic, directory. Required for breach scope and parent disclosure.
Reduces the auth-related attack surface for vendor access. Cross-references Cyber IAM (F4 staff MFA, F9 vendor admin access) for the broader pattern.
Contractual data-use terms — what the vendor may do with student data, how long they keep it, what they do on termination. Texas Compliance card carries the legal-attestation rollup; this captures operational coverage.
Hard finding · DPAs missing for 3 vendors
Three active vendors hold student data without a DPA on file. Closing this gap before the next insurance renewal is table stakes; the missing agreements also block clean breach-scope and parent-disclosure work downstream.
Confirmation that student data is destroyed when a vendor relationship ends. Closes the tail risk — terminated vendors holding stale data are a recurring K-12 breach vector.
Who calls the district, on what timeline, and what information they provide when the vendor gets breached. Feeds the cyber IR playbook's “third-party trigger” branch.