GDPR Compliance
VivaEdu is fully compliant with the General Data Protection Regulation (GDPR), providing comprehensive data protection and user rights.
GDPR Rights Supported
Right to Access (Data Export)
Users can request a complete export of their data:
- What's included:
- Account information (name, email, ID)
- All viva submissions
- Transcripts of responses
- Grades and feedback received
- Accommodation records
- Consent history
- Format: ZIP file with JSON/PDF documents
- How to request: Student settings → Data Export → Submit request
- Processing time: Typically 5-7 business days
- Delivery: Email with secure download link
Note: Data export requests are sent to jex@vivaedu.co.uk and processed manually to ensure security and compliance. All requests are logged in audit logs.
Right to Erasure (Account Deletion)
Users can request complete account deletion:
- What's deleted:
- User account and profile
- All viva submissions
- All audio/video recordings
- All transcripts
- Accommodation records
- Enrollments
- What's retained:
- Grade records (per institutional policy)
- Anonymized audit logs (compliance requirement)
- How to request: Student settings → Delete Account → Submit request
- Processing: Manual review and confirmation required
- Cannot be undone
Warning: Account deletion is permanent. All submissions, grades, and data are lost. Export your data first if you want to keep records.
Right to Rectification
- Update personal information in account settings
- Correct inaccurate data
- Contact instructor or admin for profile corrections
Right to Restrict Processing
- Revoke consent for camera
- Request accommodation to avoid certain features
- Opt out of non-essential processing
Right to Data Portability
- Receive data in machine-readable format (JSON)
- Transfer data to another service (if applicable)
- Included in data export
Automatic Data Deletion
VivaEdu implements data minimization through automatic deletion:
90-Day Audio/Video Deletion
- 90 days after assignment due date
- All audio recordings automatically deleted
- All video recordings automatically deleted
- Instructor video prompts deleted
- Instructor video feedback deleted
- Transcripts retained
- Scheduled automatically when assignment is created
180-Day Full Purge
- 180 days after assignment due date
- All transcripts deleted
- All response data deleted
- Assignment metadata deleted
- Only grade records retained (per institutional policy)
- Scheduled automatically when assignment is created
Automatic Class Archiving
- 180 days of no activity in a class
- Class is automatically archived
- All assignments and viva data deleted
- Only if enabled by administrator (configurable)
- Prevents data accumulation
Manual Deletion Options
Teacher-Initiated Deletion
- Delete specific viva: Removes all data for that assignment
- Archive class: Deletes all assignments in the class
- Both require confirmation
- Both are logged in audit logs
- Recommended after final grades are submitted and appeal period ends
Student-Requested Deletion
- Full account deletion (as described above)
- Processed manually after verification
- Email confirmation required
Data Processing Purposes
VivaEdu processes personal data only for:
- Assessment delivery: Creating and administering vivas
- Grading and feedback: Instructor review and evaluation
- LMS integration: Single sign-on and grade passback
- Accommodations: Supporting accessibility needs
- Platform operation: Authentication, analytics, troubleshooting
- Compliance: Audit logging and data retention
Third-Party Data Processors
VivaEdu uses GDPR-compliant sub-processors:
- Microsoft Azure Speech (UK South): Audio transcription services (and optional translation when enabled) (all processing in UK region only)
- Microsoft Azure OpenAI (UK South): Optional branch follow-up routing using student transcripts (all processing in UK region only), when enabled by the institution
- AWS (UK): Infrastructure hosting for the institutional deployment, object storage (S3). Each institution is deployed as a dedicated environment (database, cache, storage) with dedicated object storage for media/files.
- OpenAI: Text-to-speech for reading teacher-authored question text only (no student submissions, transcripts, audio, or video are sent to OpenAI)
- All have data processing agreements
- All operations are GDPR-compliant
- AWS infrastructure holds ISO 27001, ISO 27017, and ISO 27018 certifications
Data Storage Location
- Institution deployments are hosted in the UK.
- Database: PostgreSQL hosted in the institutional deployment (Durham: on-instance)
- Object storage: AWS S3 (UK region)
- Cache/queue: Redis hosted in the institutional deployment (Durham: on-instance)
- Transcription: Microsoft Azure Speech (UK South region)
- No third-country data transfers
- AWS infrastructure holds ISO 27001, ISO 27017, and ISO 27018 certifications
Student Rights Summary
| Right | How to Exercise |
|---|---|
| Access | Request data export in settings |
| Rectification | Update in account settings |
| Erasure | Request account deletion in settings |
| Restrict Processing | Revoke consents in settings |
| Data Portability | Included in data export |
| Object | Contact support or admin |
Best Practices for Institutions
- Process data export and deletion requests within 30 days
- Document all manual data operations in audit logs
- Review automatic deletion schedules periodically
- Maintain data processing agreements with sub-processors
- Conduct annual GDPR compliance reviews
- Train staff on GDPR obligations
- Respond to subject access requests promptly
Comments
Leave a comment, question, or feedback. Comments are public — please don’t include personal data.