Security

Protecting personal data.
Security is not a choice.

Students take exams. Teachers manage grades.
It's our responsibility to keep this information accessible only to those who should access it.

GDPR: full compliance
Encrypted connections everywhere
24h backup archives
100% audit log

Architecture

Layered protection from the device to the database

01. What you see: Application or browser. Encrypted connection from the moment you open it.
02. The link between you and us: Protected by modern protocols. No one along the way can read the communication.
03. Before it reaches the server: Request limits, security headers, filters. First line against automated attacks.
04. Who sees what: One active session at a time, role-based access, school-level isolation.
05. What happens: Business rule enforcement, checks for every action, audit of sensitive operations.
06. Where the data lives: Protected database in an isolated environment. Services have only the rights they need. Daily backups.

GDPR

Transparency and control

GDPR compliance is built into the design. Export and deletion are tools inside the app — directly accessible, without forms and without waiting.

Data Processing Agreement

Standard DPA template for every client school. Defines roles (controller, processor), processing purposes, retention periods, deletion policy.

Right of access

Users see what data we hold about them: names, email, grades, exams, files. It is provided transparently as a JSON export. (GDPR Art. 15)

Personal data export

One-button export in the app. JSON format — readable by humans and programs. No forms, no email to support. (GDPR Art. 15 + 20)

Minimized information

We don't collect unnecessary data. No tracking, no device fingerprinting, no advertising behavior. Only what's needed for the exam to work.

Deletion request

Users initiate account deletion from settings. The request goes through a brief approval step for audit purposes. On approval, all personal data is removed in a full cascading deletion. (GDPR Art. 17)

Breach notification

In the event of a security breach, we notify affected schools within 72 hours with details: what happened, what data was affected, what measures we took. (GDPR Art. 33)

Active defense

Real-time security

Encrypted connections everywhere

All traffic is encrypted with modern protocols. Older versions are disabled. Certificates renew automatically 30 days before expiration.

Limits against excessive traffic

Each type of request — main API, files, management — has separate limits. Protection against automated attacks and excessive load.

One active session

On a new login for the same user, all previous sessions are terminated automatically. Protection against shared credentials.

School isolation

One school's data is not visible to another, even to an administrator. Requests are restricted at the database level — seeing other schools' students, grades, exams is impossible, accidentally or otherwise.

Transparency for everything important

Every sensitive action is recorded — who did it, when, on what. The school principal sees the history of everything within the school. Records cannot be deleted.

Isolated processes

Database, cache and application run as separate users without unnecessary rights. Each service has access only to what it needs.

Exam security

Protecting the exam environment

IP locking

Optional: the school can lock its exams to IP addresses from its own network only. Students cannot take exams from home, even if logged in.

Real-time monitoring

The teacher monitors student activity during the exam — who is active, who has stopped working, who has finished.

Safe resubmission

Exam submission is protected from duplication. Even when the network forces the client to retry many times, answers reach the server exactly once.

Auto-submission on expiration

When time expires, answers are submitted automatically. No possibility to continue beyond the specified deadline.

Protected exam files

Images and PDFs in exams open only from the app with session identification. A shared link in chat or browser does not work outside the session. Links have a limited lifespan.

Recording of every violation

Window switching, copying, opening a new tab are all recorded. The teacher sees violations immediately in the exam log.

Backups

A tested recovery procedure

We periodically restore data in a separate environment and verify its integrity, so that we know the procedure works when needed and our backups are not an illusion of security.

  • Daily backup of the database
  • 30-day history
  • Recovery of critical data
  • Backup before every production deployment
  • Optional: off-site backup at a separate location

Specific requirements?

Get in touch for a detailed security review or for a DPA template.
