VivaEdu
Instructor Sign In

VivaEdu Privacy Policy

Last Updated: 09/12/2025 • Version: 1.2

Definitions

  • “Platform” means the VivaEdu oral assessment service, accessible via LMS integrations and web application.
  • “Institution” means the educational institution that licenses and uses VivaEdu.
  • “Student” means an individual enrolled at an Institution who uses VivaEdu for oral assessments.
  • "Instructor" means an individual employed or engaged by an Institution to deliver and assess coursework through VivaEdu.
  • “LMS” means Learning Management Systems such as Moodle, Canvas, or other integrated providers.
  • "Sandbox Environment" means any non-production instance of the Platform, including demo, pilot, or Blackboard test sites, used for evaluation, training, or testing.

Introduction

VivaEdu Ltd ("VivaEdu", "we", "us", or "our") is committed to protecting the privacy and security of personal data. This Privacy Policy explains how we collect, use, store, and protect information when you use the VivaEdu oral assessment platform (the "Platform"). This policy applies to all users of our Platform, including students and instructors at educational institutions. VivaEdu operates primarily as a data processor on behalf of educational institutions (the data controllers). The institution remains responsible for the lawfulness of processing student data. We also act as a data controller for certain platform operations such as account management and service improvement.

Contact Information:
Jex Pearce, Chief Technology Officer
VivaEdu Ltd, 15 Ranulf Road
Email: jex@vivaedu.co.uk

Legal Basis for Processing

We process personal data under the following legal bases:

  • Legitimate Interests (Article 6(1)(f) GDPR): For providing and improving educational assessment services. We have conducted balancing tests for our legitimate interests processing.
  • Contract Performance (Article 6(1)(b) GDPR): To fulfill our service agreements with educational institutions.
  • Consent (Article 6(1)(a) GDPR): For features such as camera activation and video recording.
  • Legal Obligations (Article 6(1)(c) GDPR): To comply with applicable laws and regulations.
  • LMS Accounts: Where students access VivaEdu exclusively through their institution’s LMS, the institution remains the primary data controller for account data. VivaEdu processes only the minimum assessment data necessary for service delivery. For LMS-based users, VivaEdu creates internal user profiles that contain only the information provided by your LMS. We use high-privacy identifiers (opaque IDs) and system-generated emails solely for linking assessments and enabling grade passback.
Processor Activities
  • Oral assessments (recording, transcription, grading workflows).
  • Storage of assessment responses and related materials.
  • LMS data exchange (assignment metadata, grades).
  • Adaptive follow-up routing based on prior responses when configured by instructors.
Controller Activities
  • Instructor and administrator account setup.
  • Platform usage analytics (aggregated).
  • Customer support and service troubleshooting.

Data We Collect

Account Information:

  • Full name; institutional email address; role (student or instructor).
  • Instructor ID (stored for authentication).
  • Student identification via LMS (passwordless, not stored).
  • Course enrollment information.

For LMS-only users, enrollment data is passed as opaque identifiers. We do not independently store student names or emails beyond what the LMS provides for linking and grade passback. Pseudonymised identifiers and assessment content are retained per the retention schedule.

Assessment Data

  • Audio recordings (AWS S3, UK region).
  • Transcripts generated from audio via Microsoft Azure Speech UK (stored in PostgreSQL, UK region).
  • Assessment responses and submissions (text in PostgreSQL, UK region).
  • Question images and context cards (AWS S3, UK region).
  • Timestamps and duration data (PostgreSQL).
  • Question responses and interactions (PostgreSQL).
  • Student video is recorded or stored by the platform upon enabling (stored in AWS S3, UK region).
  • Optional Instructor video prompts for questions and feedback (stored in AWS S3, UK region) and related playback and delivery metadata.
  • Adaptive-branch routing metadata related to question flow.

Optional Monitoring Data (with explicit consent)

  • Tab-switching activity; browser focus events; excessive reload tracking.

Accessibility and Accommodation Data

  • Accommodation settings (extra time, pause/resume, rerecords, typing mode, extensions, late submissions).
  • Accessibility preferences (high contrast, larger buttons, screen reader compatibility) configured by instructors and students.
  • Other disability-related accommodations and multilingual capabilities as configured by instructors.

Academic Performance Data

  • Grades and rubric evaluations; instructor feedback and comments.
  • Assignment metadata from LMS integration; due dates and submission times.

Technical Data

  • Browser and device information; session logs; platform usage analytics.

Sandbox and Demo Environments in Blackboard, Moodle, and future LMSs

We operate non-production sandbox and demo environments, including a usable Blackboard demo sandbox site, for evaluation, testing, training, and demonstrations. These environments are separate from institutional production deployments.

  • Sandbox and demo environments are intended primarily for those interested in the platform.
  • Data from LMS sandbox courses is isolated to your own environment. No other sandbox data is shared, visible, or accessible to other sandboxes or users who have not been provided your credentials.

How We Use Your Data

Core Platform Functions

  • Deliver oral assessments; record and transcribe responses with synchronized highlighting.
  • Provide accessibility accommodations; integrate with LMS via LTI 1.3.
  • Create assignments in LMS and push grades and feedback back to LMS.
  • Batch processing for reviews and exports.

For LMS users: assessment data links to your LMS profile and is returned to the LMS after processing. Educators and students initiate access via the LMS. Only educators can sign into the web app directly.

Educational Support

  • Generate performance analytics (in development); support academic integrity measures; enable progress tracking.

Platform Improvement

  • Analyze usage patterns; troubleshoot technical issues; ensure platform security; develop new tools.

Compliance and Safety

  • Meet legal and regulatory requirements; investigate policy violations; protect against fraud.
  • Maintain audit trails for educational institutions.

Data Sharing and Disclosure

Educational Institution

  • Share assessment data with your institution as required for academic purposes.
  • Instructors have access to their students' assessment data.
  • Institutional administrators may access data for legitimate oversight.

Service Providers

  • AWS S3 (object storage, UK region), AWS RDS PostgreSQL (database, UK region), AWS ElastiCache Redis (queue, UK region), LMS providers (LTI 1.3).
AI Processing Disclosure
  • Microsoft Azure Speech (UK South): converts audio recordings to text transcripts. All transcription is processed exclusively in the UK region.
  • OpenAI TTS (Text to Speech): provides accessibility support and demo content for question reading.

Legal Requirements

  • Court orders or legal proceedings; government or regulatory requests; protection of rights, safety, or property; investigation of suspected violations.

Consent-Based Sharing

  • Research (anonymized), institution-approved third-party integrations, and optional services.

VivaEdu processes the minimum necessary assessment data for assignment delivery and review. We use pseudonymised identifiers to link assessment data to the correct LMS user.

Data Retention

Automatic Deletion

  • Audio recordings: deleted 90 days after assignment due date.
  • Transcripts: deleted 180 days after assignment due date.
  • Instructor video prompts and feedback, student video recordings: deleted 90 days after assignment due date.
  • Inactive classes: archived and deleted after 180 days of inactivity.
  • Demo data: All deleted after 2 hours.

Extended Retention

  • Grade records per institutional policy; account information while the account is active; legal holds as required.

Manual Deletion

  • Students can request deletion via jex@vivaedu.co.uk.
  • Instructors can delete vivas and classes (with confirmation) and force re-takes.
  • Requests are processed within 30 days.
  • Archived classes are permanently deleted.

Student identifiers are pseudonymised personal data under GDPR and protected accordingly.

Your Rights Under GDPR

Right to Access
Students can view their transcripted responses and listen to their audio responses after they submit a viva. Holistically, you can request a copy of your data; receive it in a machine-readable format; export via settings.
Right to Rectification
Students can identify and state inaccurate transcriptons in their work in the aforementioned feature. Correct inaccurate data; complete incomplete data; update profile information.
Right to Erasure
Request deletion via jex@vivaedu.co.uk (official vivaedu email in the works to come). Some data may be retained for legal obligations.
Right to Restrict Processing
Limit how we use your data; suspend processing while concerns are investigated.
Right to Data Portability
Receive a ZIP export and transfer to another provider upon request.
Right to Object
Object to processing based on legitimate interests; opt out of optional features; withdraw consent for camera.
Right to Withdraw Consent
Manage consent in settings. Withdrawal does not affect prior lawful processing; some features may become unavailable.
Right to Complain
Contact the ICO at ico.org.uk or 0303 123 1113.

Consent Management

  • Explicit opt-in required for camera.
  • Consent can be granted or revoked in account settings; changes apply immediately.
  • Historical data collected with consent is retained per our retention policy.
  • VivaEdu is focused on higher education, but if a user is under 13, they may require institutional or parental consent as determined by their institution.
  • Instructors consent to storage and delivery of their recorded optional video viva questions and feedback to assigned students. Students consent to storage and delivery of their recorded video responses to their instructors upon consent granted. Student videos are never used for marketing. Instructor videos are not used for marketing without explicit opt-in.

Data Security

  • TLS encryption in transit; SSE-S3 encryption at rest for object storage; encrypted RDS for database; secure APIs with rate limiting.
  • Organizational measures include least-privilege access, confidentiality agreements, training, incident response, and DPIAs.
  • All infrastructure is hosted on AWS UK (eu-west-2, London region), which holds ISO 27001, ISO 27017, and ISO 27018 certifications.

Limitation of Liability

VivaEdu provides its services "as is" without warranties of any kind. We shall not be liable for any direct, indirect, incidental, special, or consequential damages arising from the use of our platform, including but not limited to technical failures, data loss, service interruptions, or AI processing inaccuracies. Our total liability shall not exceed £100 per incident. Educational institutions remain solely responsible for academic decisions and assessment outcomes.

International Transfers

All data storage and processing occurs within the United Kingdom. Infrastructure is hosted on AWS UK (eu-west-2, London) and transcription is processed via Microsoft Azure UK South. AWS UK holds ISO 27001, ISO 27017, and ISO 27018 certifications. No third country transfers occur.

Cookies and Tracking

We use essential cookies for session management, security tokens, user preferences, and platform functionality.

Children's Privacy

The platform is intended for users 13 and older. Users under 18 may require institutional or parental consent as determined by their institution.

Changes to This Policy

Upon institutional usage of VivaEdu, from there on out, we will notify users of material changes via email. Continued use after changes constitutes acceptance. Previous versions are available upon request.

Governing Law

This Privacy Policy is governed by the laws of England and Wales. Any disputes are subject to the exclusive jurisdiction of the courts of England and Wales. If any provision is held invalid, the remaining provisions remain in full force and effect.

Questions and Complaints

Email: jex@vivaedu.co.uk
Post: Jex Pearce CTO, VivaEdu Ltd, 15 Ranulf Road London NW2 2bT
Response Time: Within 30 days of receipt
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF — ico.org.uk — 0303 123 1113

Accessibility and Adjustments

Learn how VivaEdu supports accessibility and reasonable adjustments.

Accessibility StatementReasonable Adjustments Policy