GDPR Compliance
This page outlines how VivaEdu complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It is intended for data protection officers, legal teams, and compliance reviewers evaluating VivaEdu's data protection posture.
Overview
VivaEdu operates primarily as a data processor on behalf of educational institutions, which act as the data controllers. The platform provides oral assessment services integrated with institutional Learning Management Systems (LMS) via LTI 1.3.
Key Points: VivaEdu processes student and instructor data only as instructed by the institution. All data storage and processing occurs within the United Kingdom. There are no third-country data transfers.
Legal Bases for Processing
The institution, as data controller, determines the appropriate legal basis for processing student data. VivaEdu supports processing under the following legal bases:
| Legal Basis | GDPR Article | Usage in VivaEdu |
|---|---|---|
| Contract Performance | 6(1)(b) | Service agreements with institutions |
| Legitimate Interests | 6(1)(f) | Educational assessment services |
| Consent | 6(1)(a) | Camera activation, video recording |
| Legal Obligations | 6(1)(c) | Compliance requirements, audit logging |
Controller and Processor Relationships
Institutional Controller
The educational institution acts as the data controller and is responsible for:
- Determining the purposes and means of processing student data
- Providing privacy notices to students and staff
- Handling any required consents or accommodations per institutional policy
- Ensuring processing instructions to VivaEdu are lawful
VivaEdu as Processor
VivaEdu processes personal data only on documented instructions from the institution:
- Processes data only as instructed by the controller
- Implements appropriate technical and organisational security measures
- Engages subprocessors only under written contract with equivalent protections
- Assists with data subject rights requests
- Notifies the controller of personal data breaches without undue delay
- Deletes or returns data at the end of the service agreement
VivaEdu as Controller (Limited Scope)
VivaEdu acts as an independent data controller only for:
- Instructor and administrator account setup
- Platform usage analytics (aggregated and anonymised)
- Customer support and service troubleshooting
Data Processing Agreements
VivaEdu enters into Data Processing Agreements (DPAs) with institutional customers as part of the service agreement. Each DPA includes:
- Processing details: Subject matter, nature, purpose, and duration of processing
- Data categories: Types of personal data and categories of data subjects
- Security measures: Technical and organisational measures (TOMs)
- Subprocessor list: Approved third-party processors with locations
- Breach notification: Commitment to notify the controller within 4 hours of confirming a breach
- Deletion or return: Data handling at contract termination
Institutions can request a DPA template by contacting jex@vivaedu.co.uk.
Data Subject Rights
VivaEdu supports all data subject rights under GDPR. Students can exercise these rights through the platform or by contacting their institution.
Right to Access (Data Export)
- What is included: Account information, viva submissions, transcripts, grades, accommodation records, consent history
- Format: ZIP file containing JSON and PDF documents
- How to request: Settings → Data Export → Submit request
- Processing: Requests are sent to jex@vivaedu.co.uk and processed within 30 days
- Audit logging: All export requests are logged
Right to Erasure (Account Deletion)
- What is deleted: User account, viva submissions, audio/video recordings, transcripts, accommodation records, enrollments
- What is retained: Grade records (per institutional policy), anonymised audit logs (compliance requirement)
- How to request: Settings → Delete Account → Submit request
- Processing: Manual review required; processed within 30 days
Warning: Account deletion is permanent and cannot be undone. All submissions, recordings, and transcripts will be irretrievably deleted. Export your data first if you need to retain records.
Right to Rectification
- Update personal information in account settings
- Correct inaccurate data
- Add clarification comments to transcripts (for mispronunciations or technical issues)
- Contact instructor or admin for profile corrections
Right to Restrict Processing
- Revoke consent for camera/video recording in settings
- Request accommodations to avoid certain features
- Opt out of non-essential processing
Right to Data Portability
- Data provided in machine-readable format (JSON)
- Included in data export request
- Can be transferred to another service if applicable
Right to Object
- Object to processing based on legitimate interests
- Contact support at jex@vivaedu.co.uk
- Contact your institution's administrator
Data Categories Processed
Identity and Account Data
- Names and institutional identifiers (as provided via LMS/LTI)
- Role (student, instructor, administrator)
- LMS identifiers (opaque identifiers for linking and grade passback)
Assessment Content
- Audio recordings (if recording consent given)
- Video recordings (if enabled and consent given)
- Transcripts generated from audio responses
- Grades, rubrics, and instructor feedback
- Due dates, timestamps, and session status
Accessibility and Accommodation Data
- Accommodation settings (extra time, pause/resume, typing mode, camera exemptions)
- Accessibility preferences (high contrast, large buttons, reduced motion)
- Note: This data may reveal special category information (disability status)
Technical and Security Data
- IP address and user-agent (for security and audit logging)
- Audit log events (exports, deletions, consent changes, configuration updates)
Special Category Data
VivaEdu does not intentionally collect special category data (Article 9 data) beyond what may be implied by accommodation settings or what users include in assessment content.
- Accommodation settings may imply disability status
- No biometric identification is performed
- No emotion detection or sentiment analysis
- No profiling of students for unrelated purposes
Where special category data is present, it is processed only as instructed by the controller and protected with appropriate security measures.
Third-Party Processors (Subprocessors)
VivaEdu engages the following subprocessors, all with data processing agreements in place:
| Processor | Service | Data Categories | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Hosting, S3 storage | All assessment data | UK (eu-west-2) |
| Microsoft Azure Speech | Speech-to-text transcription | Student audio | UK South |
| Microsoft Azure OpenAI | Branch routing (optional, feature-flagged) | Student transcript excerpts, teacher routing hints | UK South |
| OpenAI | Text-to-speech | Teacher question text only | Vendor-managed |
OpenAI Guardrails: The OpenAI TTS endpoint fetches question text from the database by question ID and does not accept arbitrary text input. Student submissions, transcripts, audio, and video are never sent to OpenAI.
Data Residency
All personal data is stored and processed within the United Kingdom:
- Application hosting: AWS UK (eu-west-2, London)
- Object storage: AWS S3 UK (eu-west-2)
- Transcription: Microsoft Azure UK South
- Optional AI routing: Microsoft Azure OpenAI UK South
No third-country data transfers occur. Each institution is deployed with dedicated infrastructure (database, cache, storage) that is isolated from other institutions.
Breach Notification
In the event of a personal data breach affecting data processed on behalf of the controller, VivaEdu commits to:
- Notification timeline: Notify the controller without undue delay, and within 4 hours of confirming a breach
- Information provided: Nature of the breach, approximate number of data subjects affected, likely consequences, and mitigation measures taken or proposed
- Cooperation: Assist the controller in investigating and remediating the breach
- Regulatory notification: The controller handles notification to the ICO as required
Student Rights Summary
| Right | How to Exercise |
|---|---|
| Access | Request data export in student settings |
| Rectification | Update information in account settings, or add clarification comments |
| Erasure | Request account deletion in student settings |
| Restrict Processing | Revoke consents in settings |
| Data Portability | Included in data export (JSON format) |
| Object | Contact jex@vivaedu.co.uk or your institution admin |
Best Practices for Institutions
- Process data export and deletion requests within 30 days
- Document all manual data operations in audit logs
- Review automatic deletion schedules periodically
- Maintain Data Processing Agreements with all sub-processors
- Conduct annual GDPR compliance reviews
- Train staff on GDPR obligations and data handling procedures
- Respond to Subject Access Requests (SARs) promptly
- Keep records of processing activities (Article 30)
Related Topics
Questions or Concerns
For questions about GDPR compliance or to exercise your data protection rights, contact:
- Email: jex@vivaedu.co.uk
- Post: Jex Pearce CTO, VivaEdu Ltd, 20 Victoria Place, Budleigh Salterton, Devon EX9 6JP
- Response time: Within 30 days
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
Comments
Leave a comment, question, or feedback. Comments are public — please don’t include personal data.