Edtech Security Compliance Support (Quebec School Network)

To sell your digital solution to Quebec school service centers, cyber requirements have become serious. We get you ready.

For Edtech vendors meeting the security requirements of CSSs, MEQ, and FCSSQ — without building a generic setup that won't answer anything specific.

Edtech compliance support is a structured engagement preparing your technology product or service for the Quebec school sector to meet the information security requirements imposed by school service centers (CSSs), the Quebec Ministry of Education (MEQ), and their reference frameworks. Factero leads the vendor-side process: reading applicable regulatory frameworks (LGGRI, Government Directive on Information Security, Law 25, CSS-specific requirements), gap analysis, evidence drafting, support during evaluations by your CSS clients. Our role is not to replace a certification — there is no official Edtech certification equivalent to health's TGV. Our role is to structure your security setup and documentation to respond honestly and effectively to contractual requirements that have hardened since 2023. Engagement led by a CISA-certified principal associate, with NIST-CSF, ISO 27002, and applicable provincial frameworks as supporting references.

Who is it for?

Educational software publishers, learning management platforms, virtual classroom solutions, assessment and tracking tools selling or planning to sell to Quebec school service centers.

Cloud service providers (SaaS) hosting student data (grades, attendance, communications, support files) discovering that CSS client security requirements have become significantly more demanding than basic Law 25 compliance.

Companies offering AI scribes, transcription, AI-based pedagogical analysis facing a dual challenge: security requirements plus privacy impact assessments (PIA) on AI use in school contexts.

Vendors already active in the health network (TGV-certified) or elsewhere in government wanting to expand into education by reusing existing setup.

Edtech publishers who received a security questionnaire from a CSS, a school federation, or a bid, and don't know how to respond credibly.

Companies whose deployment was blocked or slowed by a CSS IT team on security or privacy grounds.

International or out-of-Quebec vendors wanting to understand Quebec-specific school market requirements before investing in commercial efforts.

When does it help?

If you recognize yourself in any of these situations, this service is designed for you.
  • A CSS client sent its information security management framework and requires you to demonstrate compliance before deployment.
  • You received a 50- to 200-question security questionnaire from a CSS IT team and no one in your organization can answer most with certainty.
  • You're an AI scribe, transcription tool, or AI pedagogical solution vendor discovering that beyond security, a PIA is required — often by each CSS separately, without provincial coordination.
  • You've lost — or risk losing — a school bid for inability to convincingly demonstrate compliance.
  • You're already TGV-certified for health and want to know what transfers to education (answer: a lot, but not everything).
  • You're already Law 25 compliant but discover CSSs ask more — elements specific to information asset governance in public networks.
  • You want to understand the difference between requirements set by MEQ provincially, those relayed by FCSSQ (Federation of Quebec School Service Centers), and those each CSS adds on top.
  • You process minors' data and want to ensure your setup respects not only Law 25 but the school environment's ethical and operational expectations.

What will you receive?

A mapping of the regulatory and contractual landscape applicable to Quebec's school sector: provincial frameworks (LGGRI, Government Directive on Information Security, Law 25), MEQ orientations, FCSSQ practices, and specific requirements of the CSSs you're targeting.

A complete gap analysis between your current setup and all applicable requirements, prioritized by target CSSs and criticality.

A structured documentary setup: security policy, access management, incident management, backup management, vendor management, continuity plan — at the level expected by CSS IT teams, not a generic template.

A documented PIA (Privacy Impact Assessment) for your product — particularly critical for solutions handling minor student data, and systematically required for AI tools, scribes, and transcription solutions.

A completed template questionnaire you can reuse when each CSS sends theirs — with consistent, verifiable answers and the expected evidence.

A security overview for your commercial team — a 4- to 8-page document CSS IT teams will recognize as credible and that often unlocks detailed evaluation.

Active support during CSS client evaluations: question translation, technical interview preparation, contract modification management.

A maintenance plan: tracking provincial regulatory changes, adjusting the setup when new requirements emerge (e.g., AI use in school contexts, which evolves rapidly).

Not a good fit?

  • Edtech compliance support works when your goal is to sell sustainably to the school network — not check boxes for a one-off deployment that won't survive the next renewal.
  • If you're looking for a recognized certification like health's TGV, be transparent with your prospects: today, there is no official Edtech certification equivalent issued by the MEQ or a third-party accredited body. Presenting a Factero engagement as an "Edtech certification" would be misleading — that's not our approach, and likely not yours either.
  • If your commercial target is the private education sector (private schools, private professional training, corporate training), requirements differ significantly: private schools don't operate under the same frameworks as CSSs, and requirements are generally less formal. A Factero independent audit or ISO 27001 / SOC 2 preparation will often be more relevant.
  • If you target several regulated markets (health, education, provincial government, defence) with the same product, the angle should differ — we look at the common foundation (ISO 27001 or CAN/DGSI 104) before sector overlays. We discuss this at the discovery call.
  • If you're at a very early stage (product in beta, no school revenue yet, no concrete contract in view), full Edtech support may be premature. A security overview and minimal PIA may be enough to start initial commercial conversations — without investing in a full setup.

How does the process work?

A rigorous and transparent approach, step by step.
Scoping and requirements identification
We start with precise scoping: which products or services, which features, what types of data handled (grades, attendance, communications, support files, biometric data where applicable), which CSSs targeted, what current or in-negotiation contracts. We then identify applicable regulatory frameworks (LGGRI, Government Directive on Information Security, Law 25) and specific contractual requirements from your CSS clients or prospects. Requirements vary from one CSS to another — there's no single provincial reference framework for education like health's TGV.
Gap analysis and strategy
We map your current setup against all applicable requirements. We identify what's already in place and documentable, what needs adjustment, and what must be built. We structure strategy around your commercial reality: if you target three specific CSSs, we optimize for their exact requirements; if you target the school network broadly, we build a solid generic foundation answering 80% of questionnaires.
Building the documentary setup
We draft expected policies, procedures, and evidence: information security policy, access management and authentication, logging and monitoring, incident management, backups and recovery, vendor and subcontractor management (sensitive in education), student data management, data residency. The ISO 27002 framework and NIST Cybersecurity Framework structure the drafting — also the language CSS IT teams recognize.
PIA and AI documentation
For products handling personal student data — most Edtech products — a PIA is required by Law 25 and systematically requested by CSSs. For products integrating AI (scribe, transcription, pedagogical analysis, adaptive tools), additional documentation is required: nature of models used, training data, continuous learning mechanisms, algorithmic transparency, bias governance. Factero structures these documents at the level expected by Quebec public bodies.
Commercial tools preparation
We prepare a completed template security questionnaire your commercial team can adapt for each CSS that sends theirs, and a 4- to 8-page security overview CSS IT teams will recognize as credible. This document often unlocks detailed evaluation and accelerates sales cycles.
Supporting CSS evaluations
During evaluations conducted by CSS IT teams, we translate. The CSS asks a precise technical question — we answer with evidence, in their language. You have a particular operational reality (multi-tenant architecture, out-of-Quebec cloud provider, integration with other school systems) — we explain it in technical notes that anticipate questions rather than wait. We handle contractual modifications requested by CSSs (Law 25 clauses, notification requirements, client audits) — a sensitive point where many Edtech vendors lose time.
Maintenance and regulatory monitoring
The Quebec school sector is evolving: new MEQ orientations on AI, provincial frameworks under update, evolution of CSS contractual requirements. We track these developments and adjust your setup when relevant — without an imposed recurring contract.

Frequently Asked Questions

Answers to the questions our clients ask before reaching out.
Is there an official "Edtech certification" in Quebec?
No — not at present, and it's important to be transparent about this. Unlike health's TGV, a formal certification issued by the MSSS / Santé Québec Bureau de certification, Quebec's school sector has, to our knowledge, no equivalent product certification program administered by the Ministry of Education or a third-party accredited body. What exists: (1) provincial regulatory frameworks (LGGRI, Government Directive on Information Security, Law 25) applicable to all public bodies including CSSs; (2) security management frameworks each CSS adopts (often inspired by provincial models and FCSSQ practices); (3) contractual requirements each CSS imposes on its vendors. Factero supports you to honestly meet these requirements — not to obtain a label that doesn't exist. If a competitor speaks of "MEQ Edtech certification," ask them to show the certifying body and accreditation: it's typically marketing.
Why do requirements vary from one CSS to another?
Because each CSS is an autonomous public body adopting its own management framework. All CSSs are subject to the same provincial laws and directives (LGGRI, Law 25, Government Directive on Information Security), but each translates these obligations into its own information security management framework, policies, and vendor questionnaires. The FCSSQ publishes orientations partially harmonizing practices, but local autonomy remains real. For a vendor, this means a robust setup will answer 70-80% of any CSS's requirements — but the remaining 20-30% requires client-by-client adaptation. Factero structures your setup to maximize the common foundation and minimize client-specific adaptation work.
We're already TGV-certified for health. Is that enough for education?
No, but it accelerates significantly. Both sectors share a foundation: provincial requirements (LGGRI, Law 25), security practices (ISO 27002, NIST-CSF), data governance. Much of your TGV setup is reusable — policies, procedures, PIA, continuity plan, access management. What differs: (1) data handled (student data, often minors, rather than health data); (2) interlocutors and their questionnaires (CSS IT teams rather than Bureau de certification); (3) some school-specific requirements (parental consent management where applicable, CSS-specific contractual requirements). We estimate 50-70% useful overlap between TGV and school requirements — gap analysis refines the figure for your case.
We sell an AI scribe / transcription / pedagogical AI. What's required?
Requirements hardened considerably in 2024-2025. For AI tools targeting the school sector, CSSs and MEQ generally require: (1) a documented security setup equivalent to what's asked of any vendor; (2) an AI-specific PIA covering AI-specific issues — training data, continuous learning mechanisms, algorithmic transparency, bias governance, possibility of data withdrawal; (3) often clarification on data residency and processing location (with particular implications when general AI models are used as subcontractors); (4) sometimes a demonstration that school data is not used to train models reused elsewhere — particularly sensitive point. Factero structures this documentation at the expected level. The AI-in-education situation is evolving rapidly — this is a service we regularly update.
How long does it take?
For a complete setup, expect 3 to 6 months depending on your starting point. If you're already Law 25 compliant, TGV-certified, ISO 27001, or SOC 2, much is reusable and timelines shorten significantly (sometimes 6 to 10 weeks to prepare a robust Edtech setup). If you start from a minimal setup, the timeline includes implementing missing technical controls beyond documentation. To answer a specific CSS questionnaire with an already-solid setup, 2 to 4 weeks may suffice. Factero gives a realistic estimate from the gap analysis.
What does it cost?
Factero's engagement covers the full preparation — scoping, gap analysis, documentary setup construction, PIA, commercial tools preparation, CSS evaluation support. Costs not included and paid directly by you: any technical investments identified (MFA strengthening, logging, data protection tools, etc.) and your internal team's time — always the main investment. Note: unlike TGV (health) or CPCSC (defence), there are generally no third-party certification fees to budget for education, since there's no certifying body. Evaluations are conducted directly by CSS IT teams, at no direct cost to you.
Our cloud provider is outside Quebec / outside Canada. Is that a problem?
Not necessarily, but it requires particular attention. Law 25 (article 17) requires a privacy impact assessment before any communication of personal information outside Quebec, with the assessment concluding that protection is equivalent. CSSs, as public bodies, are particularly sensitive on this point for student data. Edtech vendors using US or European infrastructures can respond — but must document convincingly: nature of data transferred, jurisdictions involved, contractual and technical protection mechanisms (contractual clauses, encryption, access control), response to foreign government access risk (notably US CLOUD Act). Factero structures this documentation rigorously — often the critical point of CSS evaluations.
Our MSP or hosting provider handles security. Do we still need an external review?
Yes, because CSSs want to see what you, as the vendor, do — not just what your cloud infrastructure does. A SOC 2 or ISO 27001 certified host covers the infrastructure layer: data centers, physical management, underlying network security. But the application layer (your software, your user access controls, your client data management) remains your responsibility — and that's what the CSS evaluates. Factero documents your application and organizational setup, leveraging your host's certifications where relevant (shared responsibility model), without confusing the two layers. We have no commercial ties to your host or MSP: we structure the process, document reality, and let each play their role.
What methodology do you use?
Factero uses applicable provincial frameworks — LGGRI, Government Directive on Information Security, Law 25 — as regulatory requirements, complemented by ISO 27002 and NIST Cybersecurity Framework (NIST-CSF) for the technical structure of the setup. FCSSQ practices and management frameworks published by CSSs serve as references to calibrate the expected level of detail. The principal associate holds the CISA certification (Certified Information Systems Auditor) — the international reference in information systems auditing. The approach is adapted to each vendor's size and profile.
Is it confidential?
Yes, every support engagement conducted by Factero is governed by a formal confidentiality agreement in favor of the client, signed before any work begins. No information — product architecture, code, client data, commercial strategy — is shared with any third party, provider, or partner without your explicit written authorization, in accordance with our privacy protection policy and Law 25 requirements. Materials provided to CSS clients are shared under your control and with your approval.
Does this commit us to ongoing work?
No. The engagement ends with the setup delivered and support during first deployments. For maintenance — tracking provincial framework evolution, adjusting the setup against new AI requirements, preparing contractual renewals — some organizations prefer to keep us on a light cadence. Others internalize. Our Charter of Independence prohibits creating artificial dependency.
Why Factero for this engagement — what sets you apart?
Before signing with a support firm, verify a few fundamental elements. A serious firm demonstrates them without hesitation and in writing.
The firm itself is certified
Factero holds the CyberSecure Canada (CAN/DGSI 104:2021 / Rev 1:2024) certification, publicly verifiable through the IAF CertSearch registry and through our Trust Center. We apply to our own organization the same standards we support for our clients. A firm guiding you toward a recognized certification should, by consistency, hold one itself.
Incorporated and established since 2022
Factero Service Conseil is duly incorporated with the Quebec Enterprise Registrar (REQ) since 2022, with no insolvency or bankruptcy proceedings on record. The legal status of any candidate firm can be verified free of charge through the REQ; insolvency and bankruptcy proceedings appear in the registry of the Office of the Superintendent of Bankruptcy Canada (osb-bsf.ic.gc.ca).
Complete team and operational continuity
Factero relies on an interdisciplinary team covering information technology, human resources, and accounting — the three dimensions that intersect in most governance engagements. A certification engagement extends over 6 to 18 months; the firm supporting you must have the team depth to go the distance, not just the availability of a single person.
Professional liability and cyber insurance
Factero maintains active professional liability (E&O) and cyber insurance coverage, adapted to its IT governance and cybersecurity consulting activities. A firm that recommends cyber insurance to you should, by consistency, hold one itself. Ask for the certificate before signing.
Written and public independence
Our engagements are governed by a public Charter of Independence that prohibits commissions, rebates, and commercial arrangements with vendors, brokers, or markets.
Public procurement registration
Factero is registered with the SEAO (Quebec) and the Ontario Tenders Portal — a process that involves regulatory verifications and up-to-date tax attestations.
These criteria are not commercial arguments. They are the minimum conditions to require of any candidate firm. The absence of a clear answer to any of these questions is, in itself, an answer.
Our advice remains independent. See our Charter of Independence.

Need to move forward on this?

Let's discuss your specific situation. No commitment, just expert advice.