July 8, 2026

Choosing childcare software: the GDPR questions to ask your vendor

Children's data deserves more scrutiny than any other. Six questions every daycare should ask a software vendor before signing — and the answers to expect.

When you choose software for your daycare, you’re not just buying features — you’re choosing who processes the most sensitive data you hold: children’s names, birth dates, health notes and photos. Under GDPR, your daycare stays responsible for that data even when a vendor stores it. So before you sign, ask these six questions.

1. Where is the data hosted?

Data on servers inside the EU keeps you within the GDPR framework without extra safeguards. If a vendor hosts outside the EU — or can’t answer plainly — that’s a red flag. KidLogg hosts all data in the European Union, full stop.

2. Will you sign a Data Processing Agreement?

A DPA (art. 28 GDPR) is mandatory, not optional: it pins down what the vendor may do with your data, which security measures apply, and what happens when the contract ends. A serious vendor offers one proactively. KidLogg provides every daycare with a DPA covering security measures, EU hosting, sub-processors and breach notification.

3. Who are your sub-processors?

Almost every vendor relies on other companies — hosting, e-mail, payments. You’re entitled to know who they are and where they operate. Ask for the list; a vendor who hesitates probably hasn’t mapped it themselves.

4. What happens after a data breach?

GDPR gives your daycare 72 hours to notify the supervisory authority — but you can only do that if your vendor tells you first, fast. Ask what their notification commitment is. KidLogg commits to notifying affected daycares without undue delay so you can meet your own 72-hour clock.

5. Can you delete and export data — really?

“Deleted” sometimes means “hidden”. Ask whether erasure removes the actual files, and whether you can export a child’s complete file in a structured format when a parent asks (art. 20). In KidLogg both are built in: one-click export of the full child file and permanent erasure of photos, including the stored files.

6. Who can see what, and is it logged?

Not every staff member needs every record. Ask how access is restricted — and whether changes to sensitive data are logged, so there’s an answer to “who changed this?”. KidLogg restricts staff to the children in their own groups and keeps an audit trail of changes to sensitive data.

A vendor who answers all six without hesitation is doing GDPR as a practice, not a paragraph. Those are the ones to trust with children’s data.

Want our answers in writing, including the DPA? Request a demo.