The Vendor Language Brief  ·  Issue 003

What PowerSchool Publicly Committed To That Your District’s Contract Doesn’t Require

Filed by J. Sharp  ·  The Language Firm  ·  Tuesday, May 12, 2026

Source: PowerSchool Holdings, Inc., Letter of Commitment to the Office of the Privacy Commissioner of Canada, signed July 15, 2025, Section III, with the supporting PowerSchool U.S. Notice of Data Breach and the November 2025 Ontario IPC investigation report.

Pulled: May 12, 2026 from priv.gc.ca and powerschool.com/security.

Document type: Vendor commitment to a regulator, made publicly available. Not a customer contract; not a Data Processing Addendum; not incorporated by reference into district agreements.

By March 31, 2026, PowerSchool will provide the Commissioner with information demonstrating that it has obtained recertification of ISO/IEC 27001 compliance. ... By December 31, 2025, PowerSchool will provide the Commissioner evidence that will clearly demonstrate that it has conducted a review and readjustment of its system access privileges to align with security best practices and operational needs, including customer support agents.

— PowerSchool Letter of Commitment, Section III, July 15, 2025

On December 28, 2024, PowerSchool became aware of a cybersecurity incident involving unauthorized exfiltration of certain personal information from PowerSchool Student Information System (SIS) environments through one of our community-focused customer support portals, PowerSource.

— PowerSchool U.S. Notice of Data Breach

This Brief uses a Canadian regulatory document to expose a gap in U.S. district contracts. After the December 2024 breach, PowerSchool signed a Letter of Commitment with the Privacy Commissioner of Canada naming specific deliverables on specific dates. That letter is public. The standard U.S. district contract does not require PowerSchool to provide the same evidence to the district. The same vendor. The same breach. Two different accountability frameworks — and U.S. districts are operating under the weaker one. PowerSchool is the dominant K-12 student information system in the U.S., used by more than 18,000 school organizations across North America and serving over 60 million students globally according to the company's own published figures. The December 2024 incident affected an estimated 62 million students globally.

Three findings, ranked by what a district should care about. The unit of analysis is the gap between what the vendor told a regulator and what the vendor’s customer contracts require.

Finding 01  ·  The Letter of Commitment is more specific than most customer contracts.

The Letter of Commitment names deliverables on named dates. Three of them, in plain language. By December 31, 2025, PowerSchool would complete a review of system access privileges. By March 31, 2026, PowerSchool would obtain ISO/IEC 27001 recertification. The Letter also commits PowerSchool to an independent external security assessment on the same March 31, 2026 deadline. Each commitment is a verb, a noun, and a date. There are no hedges. There are no boosters. There are no agentless passives. The Letter reads like a contract because it is one, in operative effect, between PowerSchool and the OPC.

Now compare what a standard PowerSchool customer contract requires. The standard MSA does not name the same deliverables. The standard MSA does not commit PowerSchool to deliver evidence of ISO/IEC 27001 recertification to the customer. The standard MSA does not name a deadline for an independent external security assessment, much less commit to providing one to the customer. The vendor has committed in writing to a regulator to do specific work by specific dates. The customer has not been given the right to see the work.

Finding 02  ·  Awareness is doing the same work here as in other major vendor agreements, with one new element.

PowerSchool’s public notice states the company became aware of the incident on December 28, 2024. CrowdStrike’s forensic findings, referenced in subsequent reporting and in the Ontario IPC investigation, place the earliest unauthorized access at approximately December 19, 2024. The gap is nine days. The gap is structurally identical to the awareness gap documented in other major vendor contracts, except that here it can be measured because the breach happened and the dates are documented in public sources.

One element distinguishes this awareness gap from the prior two. PowerSchool’s awareness, by available public reporting, did not arise from PowerSchool’s internal monitoring. It arose from the attacker contacting the company with a ransom demand. The “became aware” framing in PowerSchool’s notice reads, on its surface, as a routine detection event. The underlying facts describe a notification to PowerSchool by the threat actor. A district that read the notice without the underlying forensic record would not know that.

Finding 03  ·  The Ontario IPC ruling closes the question of whether the district can outsource accountability.

In November 2025 the Information and Privacy Commissioner of Ontario completed an investigation into the same incident on the Canadian side. The IPC’s published finding was that twenty Ontario school boards, and the Ontario Ministry of Education, had each failed their own statutory safeguard obligations independent of PowerSchool’s failure. The Commissioner’s language is direct: “while institutions may outsource services, they cannot outsource accountability.”

The same logic operates in U.S. law. FERPA’s “school official” exception at 34 CFR § 99.31(a)(1) permits a district to disclose education records to a vendor only when the district maintains direct control over the vendor’s use of the records. A district that signs a standard vendor template, does not supplement it, and does not enforce the terms it has, has not maintained direct control in any auditable sense. The vendor’s failure under the contract does not relieve the district of its own statutory obligation under the regulation. The Ontario ruling is not binding in the U.S., but the legal architecture is parallel, and the IPC’s finding articulates a principle U.S. counsel would be hard-pressed to dispute on the merits.

If you are a superintendent or technology director at a district that uses PowerSchool, the analysis you signed onto when you renewed your contract is incomplete in two specific ways that the December 2024 incident exposed.

First, your contract gives you less than PowerSchool has given a Canadian regulator. PowerSchool committed in writing on July 15, 2025 to obtain ISO/IEC 27001 recertification by March 31, 2026, to complete an independent external security assessment by the same date, and to complete a system access privileges review by December 31, 2025. These commitments are real, dated, and enforceable by the OPC. They are not, by default, enforceable by you. The vendor has done the work for the regulator. The vendor has not, contractually, agreed to show the work to you.

Second, the operational record of the breach establishes an actual notification floor that the standard contract does not bind. Ten days from stated awareness to district notification. Approximately twenty days from forensically established unauthorized access to district notification. There is no contractual maximum number of hours between awareness and notification in most standard PowerSchool customer agreements. The ten-day practice is the demonstrated baseline in the absence of a contract number.

These two gaps matter under FERPA, COPPA, and state student data privacy laws because the Ontario IPC ruling has clarified, on parallel legal architecture, that the district’s accountability for its own statutory obligations is independent of the vendor’s contractual failure. A district that points to a vendor breach as the source of a FERPA exposure is, in the IPC’s framing, pointing at the wrong actor. The district is the accountable party. The contract is one piece of the evidence of how the district managed that accountability. A standard, unmodified PowerSchool template is, in this framing, weak evidence.

This brief is not legal advice. The Action Line is a starting point for a conversation with your district’s counsel, not a substitute for it.

The Action Line

This week, send one email to your PowerSchool account representative with two questions.

First: “Per Section III of PowerSchool’s July 15, 2025 Letter of Commitment to the Privacy Commissioner of Canada, PowerSchool committed to ISO/IEC 27001 recertification, an independent external security assessment, and a system access privileges review on named deadlines. Will PowerSchool confirm completion of each commitment to our district, and provide our district the same evidence provided to the OPC?”

Second: “What is the maximum elapsed time, in hours, PowerSchool now contractually commits between awareness of a Security Incident affecting our district’s data and notification to our district? Is this commitment in our MSA, in an amendment, or only in public statements?”

While you are waiting for the response, run two parallel internal actions. Have counsel pull and read the actual PowerSchool MSA the district signed and identify any provisions the district has enforced in the past twelve months, with dates. And calendar a quarterly contract review beginning this quarter. File all four records in your governance binder. The vendor’s response is one piece of evidence. The internal enforcement record is another. The Ontario ruling has changed which one matters more.

This brief uses the Forensic Read, a four-stage method (Read, Trace, Surface, Build) for analyzing the operative language of vendor agreements, privacy policies, and federal compliance documents. Stage 1 inventories modal verbs, agentless passives, and indefinite phrases. Stage 2 traces how those features distribute across the clause. Stage 3 surfaces what the distribution conceals or commits. Stage 4 builds the finding into action a named accountable human can take. The full method is at languagefirm.org/the-forensic-read.

The Vendor Language Brief is a free weekly publication of The Language Firm. It is not legal advice. Each issue performs a forensic read on one piece of vendor language used widely in K-12 or higher education. Issues are filed Tuesdays.

To cite this issue: Sharp, J. (May 12, 2026). “What PowerSchool Publicly Committed To That Your District’s Contract Doesn’t Require.” The Vendor Language Brief, Issue 003. The Language Firm. languagefirm.org/toolvault.