GDPR Compliance

VivaEdu is fully compliant with the General Data Protection Regulation (GDPR), providing comprehensive data protection and user rights.

GDPR Rights Supported

Right to Access (Data Export)

Users can request a complete export of their data:

• What's included:
  • Account information (name, email, ID)
  • All viva submissions
  • Transcripts of responses
  • Grades and feedback received
  • Accommodation records
  • Consent history
• Format: ZIP file with JSON/PDF documents
• How to request: Student settings → Data Export → Submit request
• Processing time: Typically 5-7 business days
• Delivery: Email with secure download link

Right to Erasure (Account Deletion)

Users can request complete account deletion:

• What's deleted:
  • User account and profile
  • All viva submissions
  • All audio/video recordings
  • All transcripts
  • Accommodation records
  • Enrollments
• What's retained:
  • Grade records (per institutional policy)
  • Anonymized audit logs (compliance requirement)
• How to request: Student settings → Delete Account → Submit request
• Processing: Manual review and confirmation required
• Cannot be undone

Right to Rectification

• Update personal information in account settings
• Correct inaccurate data
• Contact instructor or admin for profile corrections

Right to Restrict Processing

• Revoke consent for camera
• Request accommodation to avoid certain features
• Opt out of non-essential processing

Right to Data Portability

• Receive data in machine-readable format (JSON)
• Transfer data to another service (if applicable)
• Included in data export

Automatic Data Deletion

VivaEdu implements data minimization through automatic deletion:

90-Day Audio/Video Deletion

• 90 days after assignment due date
• All audio recordings automatically deleted
• All video recordings automatically deleted
• Instructor video prompts deleted
• Instructor video feedback deleted
• Transcripts retained
• Scheduled automatically when assignment is created

180-Day Full Purge

• 180 days after assignment due date
• All transcripts deleted
• All response data deleted
• Assignment metadata deleted
• Only grade records retained (per institutional policy)
• Scheduled automatically when assignment is created

Automatic Class Archiving

• 180 days of no activity in a class
• Class is automatically archived
• All assignments and viva data deleted
• Only if enabled by administrator (configurable)
• Prevents data accumulation

Manual Deletion Options

Teacher-Initiated Deletion

• Delete specific viva: Removes all data for that assignment
• Archive class: Deletes all assignments in the class
• Both require confirmation
• Both are logged in audit logs
• Recommended after final grades are submitted and appeal period ends

Student-Requested Deletion

• Full account deletion (as described above)
• Processed manually after verification
• Email confirmation required

Data Processing Purposes

VivaEdu processes personal data only for:

• Assessment delivery: Creating and administering vivas
• Grading and feedback: Instructor review and evaluation
• LMS integration: Single sign-on and grade passback
• Accommodations: Supporting accessibility needs
• Platform operation: Authentication, analytics, troubleshooting
• Compliance: Audit logging and data retention

Third-Party Data Processors

VivaEdu uses GDPR-compliant sub-processors:

• Azure: Transcription (Azure Speech Services), TTS, intelligent analysis
• Azure (Microsoft): Translation services, speech services
• AWS or similar: Infrastructure and storage
• All have data processing agreements
• All are GDPR-compliant

Data Storage Location

• Primary storage in EU/UK data centers (for EU/UK institutions)
• Or US data centers (for US institutions)
• Configurable based on institutional requirements
• Complies with data residency requirements

Student Rights Summary

Best Practices for Institutions