[ CONSULTING ] // EDUCATION

Education software that survives the SIS rollover and the procurement committee.

We build and modernize systems for K-12 districts, universities, and EdTech vendors — with FERPA, COPPA, OneRoster, LTI 1.3, and PowerSchool/Banner integrations handled by engineers who've shipped them before.

Veteran-Owned SDVOSB
[001 / 005] Field Conditions

Most education software fails the same way: it ignores how schools actually buy and run software.

// SITUATION

Vendors arrive with a SaaS playbook built for enterprise IT — quarterly releases, on-demand procurement, generic SSO. Then they meet a district that buys on a 9-month RFP cycle, runs PowerSchool nightly batch jobs, requires a signed Student DPA before a single byte moves, and freezes change windows from August through October. The tool ships, integration breaks the first week of school, the help desk gets buried, and the renewal conversation in March is short. The technology was fine. The fit to the operational reality was not.

  • Roster sync built against OneRoster 1.1 silently drops students mid-year when the district upgrades to 1.2 or switches SIS vendors.
  • FERPA classification done at the end of the project, forcing a rewrite of audit logging and a renegotiated Data Privacy Agreement.
  • LTI 1.1 integrations that stop working after a Canvas or Blackboard security update, with no migration path to 1.3.
  • Go-live scheduled for August — the worst possible week — with no staging environment that mirrors the SIS year-end rollover.

OneRoster 1.2: standards-first SIS integrations
< 6 wks: typical pilot-to-classroom timeline
SDVOSB: eligible for federal education set-asides

[002 / 005] Operational Approach

Build for the school year calendar, not the demo cycle.

  1. STEP-01

    Map the data contracts first

    Before writing code, we document the OneRoster 1.2 and Ed-Fi fields your district or vendor actually uses. PowerSchool's plugin model, Infinite Campus OneRoster API, and Banner's INB views each have quirks. We pin field-level ownership so nightly rosters don't silently break in October.

  2. STEP-02

    FERPA/COPPA scoped from day one

    We classify PII, directory info, and education records up front, then design data flows around the lowest-privilege path. Vendor agreements get a DPA aligned to the SDPC standard, parental consent workflows for under-13 users, and audit logging that survives a district records request.

  3. STEP-03

    LMS integration via LTI 1.3, not screen scraping

    Canvas, Blackboard Ultra, Schoology, and D2L all support LTI 1.3 with NRPS and AGS. We build deep links, grade passback, and roster sync the way the LMS vendor expects, so your tool survives the next platform update without a 2 AM page.

  4. STEP-04

    Pilot one school, then scale

    We deploy to a single school or department for a full grading period, instrument usage, and fix the real failures (SSO edge cases, IEP data handling, sub-teacher accounts) before district-wide rollout. Procurement gets clean evidence; IT gets a runbook.

  5. STEP-05

    Hand off with the summer in mind

    Districts roll students in July. We deliver migration scripts, year-end archival jobs, and a staging environment that mirrors the SIS rollover. Your team gets documentation an actual K-12 sysadmin can follow, not a 200-slide deck.

// TYPESCRIPT PATTERN
// Nightly OneRoster pull from PowerSchool / Infinite Campus
// Scoped to the fields we actually need. Never pull what you can't justify.

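import { OneRosterClient } from './oneroster';
import { auditLog } from './ferpa-audit';
// Assumed local persistence helpers; the module path is illustrative.
import { getLastSync, setLastSync, softDeleteUser, upsertUser } from './roster-store';

const ALLOWED_FIELDS = [
  'sourcedId', 'status', 'givenName', 'familyName',
  'email', 'grades', 'enabledUser', 'orgSourcedIds'
] as const;

export async function syncRoster(districtId: string): Promise<void> {
  const client = new OneRosterClient(districtId);
  const since = await getLastSync(districtId);
  // Take the watermark before the pull, so records modified while the sync
  // runs are picked up by the next delta instead of being skipped.
  const startedAt = new Date();

  // Delta pull: full pulls melt SIS servers at 2 AM
  const users = await client.getUsers({ modifiedSince: since });

  for (const u of users) {
    // Drop every field outside the allowlist before it reaches storage
    const scoped = pick(u, ALLOWED_FIELDS);

    if (u.status === 'tobedeleted') {
      await softDeleteUser(scoped.sourcedId);
      // Await the audit write so a failed log entry fails the sync
      await auditLog('roster.delete', { sourcedId: scoped.sourcedId, districtId });
      continue;
    }

    await upsertUser(scoped);
    await auditLog('roster.upsert', { sourcedId: scoped.sourcedId, districtId });
  }

  // Advance the watermark only after every record has been applied
  await setLastSync(districtId, startedAt);
}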

function pick<T, K extends keyof T>(obj: T, keys: readonly K[]): Pick<T, K> {
  return keys.reduce((acc, k) => ({ ...acc, [k]: obj[k] }), {} as Pick<T, K>);
}

A minimal OneRoster 1.2 roster sync handler that respects FERPA scoping and handles the realistic case of mid-year enrollment changes.
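
A guard for the failure mode named earlier on this page, a roster feed that silently drops students after an SIS change. This is an added example, not VooStack's code: it checks each record against a pinned field contract and refuses to apply a delta whose rejection or deletion rate is implausible. The type names, both thresholds and the `checkDelta` function are assumptions.

```typescript
// Added example: contract guard for a nightly roster delta (not from the page).
// Required fields mirror the page's ALLOWED_FIELDS; both thresholds are assumptions.
type RawUser = Record<string, unknown>;
type Rejected = { sourcedId: string; problems: string[] };

export interface DeltaVerdict {
  apply: boolean;
  reason: 'ok' | 'contract-drift' | 'mass-delete';
  valid: RawUser[];
  rejected: Rejected[];
}

const REQUIRED_FIELDS = ['sourcedId', 'status', 'givenName', 'familyName'] as const;
const KNOWN_STATUS = new Set<string>(['active', 'tobedeleted']);

export function checkDelta(
  delta: RawUser[],
  activeCount: number,    // users currently active in the local store
  maxDeleteRatio = 0.1,   // assumed: >10% deletions in one night is suspicious
  maxRejectRatio = 0.02,  // assumed: >2% malformed records means the contract moved
): DeltaVerdict {
  const valid: RawUser[] = [];
  const rejected: Rejected[] = [];

  for (const u of delta) {
    const problems: string[] = REQUIRED_FIELDS.filter((f) => {
      const v = u[f];
      return typeof v !== 'string' || v.trim() === '';
    }).map((f) => `missing ${f}`);
    const status = u['status'];
    if (typeof status === 'string' && !KNOWN_STATUS.has(status)) {
      problems.push(`unknown status ${status}`);
    }
    if (problems.length > 0) rejected.push({ sourcedId: String(u['sourcedId'] ?? '?'), problems });
    else valid.push(u);
  }

  // Refuse the whole delta rather than apply a partial, misleading roster.
  if (delta.length > 0 && rejected.length / delta.length > maxRejectRatio) {
    return { apply: false, reason: 'contract-drift', valid, rejected };
  }
  const deletes = valid.filter((u) => u['status'] === 'tobedeleted').length;
  if (activeCount > 0 && deletes / activeCount > maxDeleteRatio) {
    return { apply: false, reason: 'mass-delete', valid, rejected };
  }
  return { apply: true, reason: 'ok', valid, rejected };
}
```

A refused delta should leave the last-sync watermark untouched, so the same window is pulled again once the contract is fixed.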

[003 / 005] Common Questions

Field FAQ.

How is education software consulting different from enterprise SaaS work?

Budget cycles are annual and tied to state funding, not quarterly. Procurement runs through RFPs, cooperative purchasing agreements (TIPS, Sourcewell, OMNIA), and board approval — often 6 to 12 months. End users are minors, so COPPA and state student-privacy laws (SOPIPA, NY Ed Law 2-d, Student DPA) apply. Uptime windows revolve around the school calendar, not 24/7 commerce. We design around those constraints instead of fighting them.

Do you handle PowerSchool, Infinite Campus, and Skyward integrations directly?

Yes. We've built against PowerSchool's plugin framework and PowerQueries, Infinite Campus OneRoster and Campus Learning APIs, and Skyward's SMS 2.0 endpoints. For higher ed we work with Banner (Ethos and INB), Workday Student, and Colleague. Where vendors offer OneRoster 1.2 or Ed-Fi 5.x, we prefer those standards over proprietary endpoints because they survive version upgrades and reduce the cost of replacing the SIS later.

What's your approach to FERPA and COPPA compliance?

FERPA isn't a checkbox — it's a data architecture decision. We classify every field as PII, directory info, or education record, then enforce access at the application layer with audit logging that meets a records-request bar. For COPPA, we build verifiable parental consent flows for under-13 users and avoid behavioral advertising entirely. We sign the SDPC National Data Privacy Agreement when districts require it and align DPAs to state addenda (California AB 1584, NY 2-d, Colorado HB 16-1423).
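
One way to enforce the classification described above at the application layer, as an added example that is not VooStack's code. The three classes come from the answer; the roles, the field names, the policy table and the in-memory `auditTrail` are assumptions.

```typescript
// Added example: field classification enforced at read time (not from the page).
// The three classes come from the page; roles, fields and policy are assumptions.
type DataClass = 'pii' | 'directory' | 'education_record';
type Role = 'teacher' | 'registrar' | 'vendor_support';

const FIELD_CLASS = new Map<string, DataClass>([
  ['givenName', 'directory'], ['familyName', 'directory'],   // assumed district designation
  ['email', 'pii'], ['dateOfBirth', 'pii'],
  ['courseGrade', 'education_record'], ['iepStatus', 'education_record'],
]);

const ROLE_MAY_READ: Record<Role, Set<DataClass>> = {
  teacher: new Set<DataClass>(['directory', 'education_record']),
  registrar: new Set<DataClass>(['directory', 'pii', 'education_record']),
  vendor_support: new Set<DataClass>(['directory']),
};

export interface AuditEntry {
  at: string; actor: string; role: Role; subject: string;
  released: string[]; withheld: string[];
}
export const auditTrail: AuditEntry[] = [];   // stand-in for an append-only store

export function readStudent(
  actor: string, role: Role, record: Record<string, unknown>,
): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  const released: string[] = [];
  const withheld: string[] = [];

  for (const field of Object.keys(record)) {
    if (field === 'sourcedId') continue;   // opaque key, used as the audit subject
    const cls = FIELD_CLASS.get(field);
    // Default deny: a field nobody classified is withheld, not released.
    if (cls !== undefined && ROLE_MAY_READ[role].has(cls)) {
      out[field] = record[field];
      released.push(field);
    } else {
      withheld.push(field);
    }
  }
  // Log field names only, so the audit trail is not a second copy of the record.
  auditTrail.push({
    at: new Date().toISOString(), actor, role,
    subject: String(record['sourcedId'] ?? 'unknown'), released, withheld,
  });
  return out;
}
```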

Can you help us respond to a district RFP or state contract vehicle?

We support EdTech vendors on the technical sections of RFPs — security questionnaires (HECVAT Lite and Full), accessibility (WCAG 2.1 AA, VPAT/ACR), data privacy addenda, and integration capability statements. As an SDVOSB, we can also partner on federal education contracts (Department of Education, Impact Aid, DoDEA schools) where set-aside eligibility matters. We don't write the boilerplate marketing sections; we write the parts engineers and CIOs actually read.

How do you integrate with Canvas, Blackboard, and other LMS platforms?

LTI 1.3 with OAuth 2.0 client credentials, Names and Roles Provisioning Service for rosters, and Assignment and Grade Services for grade passback. We build the tool once and certify against Canvas, Blackboard Ultra, D2L Brightspace, Schoology, and Moodle. For deeper integrations we use Canvas Live Events, Blackboard REST APIs, or Caliper Analytics. We avoid LTI 1.1 for new work — it's deprecated and the security model is weak.

What does a typical engagement look like and how long does it take?

Discovery and architecture run 2 to 4 weeks and produce a data flow diagram, FERPA classification, and integration plan. Build phases are 8 to 16 weeks depending on scope. We aim to have a single-school pilot live before a grading-period boundary so you collect real usage data. District-wide rollout typically follows the next semester or school-year start. Higher ed engagements often align to term breaks instead.

Do you work with small EdTech startups or only large districts?

Both. For early-stage EdTech vendors we focus on getting your first three district deployments to look identical — same SSO (Clever, ClassLink, Google Workspace, Azure AD), same roster sync, same DPA template — so sales doesn't drown in custom integrations. For districts and universities we focus on getting off legacy systems without breaking the registrar. The work is technically similar; the stakeholders differ.

Can AI features like Claude or GPT be used safely with student data?

Sometimes, with care. Student PII should not be sent to a model provider that trains on inputs. We use enterprise tiers (Anthropic, Azure OpenAI, AWS Bedrock) with zero-retention agreements, redact identifiers before inference where possible, and keep audit logs of every prompt that touches an education record. For under-13 users we recommend constraining AI features to teacher-facing workflows or requiring explicit parental consent. The compliance lift is real but tractable.
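
A sketch of the redaction step mentioned above: identifiers are swapped for tokens before the prompt leaves the boundary and put back in the model's answer afterwards. This is an added example, not VooStack's code; the token format, the `redact`, `restore` and `auditRecord` names, and the audit record shape are assumptions.

```typescript
// Added example: pseudonymize identifiers before inference (not from the page).
// Token format and audit record shape are assumptions.
export interface Redacted { text: string; tokens: Map<string, string> }

const EMAIL = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const escapeRe = (s: string): string => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// `known` holds identifiers taken from the roster record (names, sourcedId, email).
export function redact(prompt: string, known: string[]): Redacted {
  const tokens = new Map<string, string>();   // token -> original value
  let text = prompt;
  // Longest first, so "Ana Diaz" is replaced before "Ana" can split it.
  const ordered = Array.from(new Set(known.filter((k) => k.trim() !== '')))
    .sort((a, b) => b.length - a.length);
  ordered.forEach((value, i) => {
    const token = `[STUDENT_${i + 1}]`;
    // Whole-token match only: "Ana" must not fire inside "banana" or inside a token.
    const re = new RegExp(`(?<!\\w)${escapeRe(value)}(?!\\w)`, 'gi');
    const replaced = text.replace(re, token);
    if (replaced !== text) {
      tokens.set(token, value);
      text = replaced;
    }
  });
  // Catch-all for addresses that were not in the roster record (parents, siblings).
  text = text.replace(EMAIL, '[EMAIL]');
  return { text, tokens };
}

// Put the original values back into the model's answer, inside the boundary.
export function restore(answer: string, tokens: Map<string, string>): string {
  let out = answer;
  tokens.forEach((value, token) => { out = out.split(token).join(value); });
  return out;
}

// Audit entry for a prompt that touched an education record: it stores the
// redacted text and a substitution count, never the identifiers themselves.
export function auditRecord(actor: string, r: Redacted) {
  return {
    at: new Date().toISOString(),
    actor,
    redactedPrompt: r.text,
    substitutions: r.tokens.size,
  };
}
```

List-based redaction only removes identifiers it was given; free-text fields can still carry names the roster does not know, which is why the audit entry keeps the redacted prompt for review.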

Are you eligible for federal education set-aside contracts?

Yes. VooStack is a Service-Disabled Veteran-Owned Small Business (SDVOSB), verified through SBA's VetCert. That makes us eligible for sole-source and set-aside awards under FAR 19.14 with the Department of Education, DoDEA (Department of Defense Education Activity), Bureau of Indian Education, and federally-funded research at universities. We can also subcontract to primes seeking SDVOSB participation credit on larger education IDIQs and BPAs.

[ NEXT ACTION ]

Ship education software that survives the August rollover.

Talk to a VooStack operator. We respond within one business day.