Compliance & procurement
GDPR & Swiss nDSG parent communication: what to check before you sign
If your school is choosing a GDPR parent communication tool, the product demo is the easy part. The hard part is the paperwork your data-protection officer will ask for — and most tools in this category were built for a US market where that paperwork is an afterthought. This guide walks through what EU data residency school software actually has to prove, why Swiss nDSG school software has its own bar, and the exact questions to put to any vendor before a single parent record changes hands.
Why parent communication is high-stakes under GDPR
A parent-communication platform handles names, contact details, and information about children — and children's data is treated as a special category that deserves extra care. Under the GDPR (EU Regulation 2016/679), the school is the data controller and any vendor processing that data on the school's behalf is a data processor. That relationship is not optional or informal: GDPR requires it to be governed by a written contract — the data processing agreement (DPA).
So the first procurement question is not "what can the tool do?" It is "will the vendor sign a DPA, and what does it say?" A vendor that treats the DPA as a formality, or only offers one on its enterprise tier, is telling you something.
What "EU data residency" really means
"Hosted in Europe" is a phrase that gets used loosely. For a school that needs EU data residency, the questions that matter are concrete:
- Where is the data stored? The database holding parent and student records should sit on EU infrastructure.
- Where does the AI run? If the tool summarises or translates email with AI, the inference itself — not just the storage — should run in Europe. A US-based model endpoint sends the content abroad even if the database stays put.
- Is anything transferred to the United States? Many tools route operational metadata (billing, monitoring) through non-EU vendors. That can be acceptable under Standard Contractual Clauses, but it should be stated plainly, not hidden.
- Is school data used to train AI models? This should be a contractual no, in writing — not a privacy-policy sentence that can change next quarter.
C’noté's position on each of these is documented in the trust pack: hosting in France, AI inference in Paris, no school data ever used to train a model, and an honest note about the limited operational metadata that may transit non-EU vendors under Standard Contractual Clauses.
Switzerland's nDSG: the second bar
Schools operating in Switzerland — including international schools serving expatriate families — also fall under the revised Swiss Federal Act on Data Protection (the nDSG / FADP, in force since September 2023). It is closely aligned with the GDPR but is its own law with its own expectations. A tool marketed as "GDPR-compliant" has not automatically cleared the Swiss bar. Swiss nDSG school software should name the nDSG explicitly and align its DPA with it.
This is a corner of the market that is genuinely underserved: most established broadcast platforms are US-centric and say little about Swiss law. A tool built in Switzerland, for international schools, starts here rather than retrofitting it.
The data processing agreement: a checklist
When you ask a data processing agreement school vendor for their DPA, here is what a DPO will check it contains:
- Roles — the school named as controller, the vendor as processor.
- Scope & purpose — what data is processed, and only for the agreed purpose.
- Sub-processors — a published, current list of any third parties (hosting, AI inference) and a route to object to changes.
- Data location — EU hosting and EU inference stated, with any cross-border transfers covered by Standard Contractual Clauses.
- Breach notification — a committed timeframe (GDPR's standard is within 72 hours).
- AI training — an explicit guarantee that your data is never used to train models.
- Deletion & return — what happens to the data when the contract ends.
C’noté provides the DPA, the data-flow diagram, and the current sub-processor list before a pilot begins — not after a purchase order. The detail is on the trust page, written for the person who has to sign off.
A note on accuracy, which is also a compliance question
AI that summarises a school's email can also invent things — and an assistant that makes up information about a child is a data-quality and trust problem, not just a feature flaw. The right design constraint is that the tool only repeats what the school actually wrote, links each statement to its source, and says so plainly when it is unsure rather than guessing. That groundedness is part of what makes the tool defensible to a DPO, not only useful to a parent.
Bring it to procurement
If you are evaluating C’noté for your school, the compliance answers are designed to be handed straight to your data-protection officer. The buyer-side overview lives on the for schools page, and the full security pack — DPA, data-flow diagram, sub-processor list — is available before your demo ends via the trust pack.