DATA SECURITY

How we protect
student data.

Evalent handles sensitive information on behalf of schools. This page describes, plainly and accurately, the technical and organisational measures we use to protect it.

Last updated: March 2026

Evalent handles sensitive personal data on behalf of schools, including student names, dates of birth, nationalities, and academic assessment responses. We take this responsibility seriously. This page describes the technical and organisational measures we use to protect that data. We are honest about what we have and what we are working towards. We do not claim certifications we have not achieved.

Infrastructure

Hosting

The Evalent application is hosted on Vercel, running on AWS infrastructure. All compute and storage operates within managed, enterprise-grade cloud environments with physical security controls, redundancy, and 24/7 monitoring maintained by AWS.

Database

Student data, assessment responses, and school records are stored in Supabase (PostgreSQL on AWS). Data at rest is encrypted using AES-256. Supabase maintains SOC 2 Type II certification.

Data region

The primary database region is eu-west-1 (Ireland). All data remains within AWS EU infrastructure. Schools requiring specific regional data residency should contact us.

Backups

Database backups are taken automatically on a daily schedule with point-in-time recovery. Backups are encrypted and stored within the same regional infrastructure.

Encryption

In transit

All data transmitted between users and Evalent is encrypted using TLS 1.2 or higher. HTTPS is enforced on all endpoints, HTTP connections are automatically redirected. SSL certificates are managed and auto-renewed via Vercel.

At rest

Data stored in the database is encrypted at rest using AES-256 encryption, managed by the underlying AWS/Supabase infrastructure.

Passwords

User passwords are hashed using bcrypt with a cost factor of 12 before storage. Plaintext passwords are never stored or logged. Passwords must be a minimum of 12 characters.

Session tokens

Authentication sessions use signed JWT tokens with an 8-hour expiry. Partner portal sessions also expire after 8 hours. Tokens are stored in httpOnly cookies, inaccessible to JavaScript.

Access Controls

School data isolation

Each school account can only access its own data. API endpoints validate school identity on every request. It is not possible for one school to access another school’s students, assessments, or reports.

Role-based access

The platform enforces role-based access control. School administrators have access only to their school’s data. Super-admin functions require a separate authenticated role that cannot be assumed by school users.

Database-level security

Row-level security (RLS) is enabled on all tables containing student data, assessment responses, decisions, and user accounts. Direct database access is blocked for all application-level credentials.

Rate limiting

Login and signup endpoints are rate-limited to prevent brute-force attacks. Repeated failed login attempts result in temporary lockout. Rate limiting is enforced at the infrastructure level via Upstash Redis.

Internal APIs

Internal scoring and processing APIs require a shared secret header in addition to any authentication. These endpoints are not accessible from the public internet without the correct credentials.

Data Handling

What we store

Evalent stores student registration data (name, grade, date of birth, nationality, first language), assessment responses, Evalent-generated evaluation scores and narratives, and school decision records. We do not store payment card data, payments are processed by Paddle as Merchant of Record.

Who can access student data

Student data is accessible only to authenticated users at the school that registered the student, and to Evalent staff for the purposes of support and platform operation. Data is never sold, shared with third parties for marketing purposes, or used to train language models without explicit consent.

Evalent processing

Assessment responses are processed by Anthropic’s Claude API to generate evaluation narratives and scores. Data sent to Anthropic is subject to their enterprise data processing terms. Anthropic does not use API data to train models by default. Evalent maintains a Data Processing Agreement with Anthropic.

Assessment delivery

Student assessments are delivered via Jotform, an enterprise form platform. Student responses are transmitted to Jotform’s servers during assessment completion and then processed by Evalent’s scoring pipeline. Jotform is SOC 2 Type II certified.

Audit logging

Sensitive actions, including student registration, assessment dispatch, and decision recording, are written to an immutable audit log with timestamp, actor identity, and action details. This supports accountability and investigation in the event of a dispute.

Retention

School accounts and associated student data are retained for the duration of the subscription and for 12 months following cancellation, after which data is deleted. Schools may request earlier deletion by contacting us.

Application Security

Security headers

All responses include security headers: X-Frame-Options (clickjacking protection), X-Content-Type-Options (MIME sniffing protection), Referrer-Policy, and Permissions-Policy. Content Security Policy is managed by Vercel’s edge infrastructure.

Input validation

All API inputs are validated using Zod schema validation before processing. Unexpected or malformed inputs are rejected with appropriate error responses.

Dependency management

Application dependencies are managed via npm with automated vulnerability scanning. Critical security updates are applied promptly.

Secret management

API keys, database credentials, and other secrets are stored as environment variables in Vercel’s encrypted secrets store. Secrets are never committed to source control.

Compliance & Certifications

We are transparent about our current compliance posture.

GDPR

Evalent operates as a Data Processor on behalf of schools, who act as Data Controllers. We are working towards a formal Data Processing Agreement (DPA) for all school customers. Schools with GDPR obligations should contact us to discuss their requirements.

Infrastructure certifications

Our infrastructure providers hold relevant certifications: AWS (ISO 27001, SOC 2 Type II, ISO 27017, ISO 27018), Supabase (SOC 2 Type II), Vercel (SOC 2 Type II). These certifications cover the physical and infrastructure layer on which Evalent operates.

Penetration testing

Formal penetration testing has not yet been conducted on the Evalent application layer. This is on our roadmap. Schools with specific requirements should contact us.

ISO 27001 / SOC 2

Evalent does not currently hold ISO 27001 or SOC 2 certification at the application level. These are on our roadmap as the platform scales.

Incident Response

In the event of a data breach or security incident affecting school or student data, Evalent will notify affected schools within 72 hours of becoming aware of the incident, in line with GDPR Article 33 requirements. Notification will include the nature of the incident, the categories of data affected, likely consequences, and measures taken or proposed. To report a security vulnerability, please contact us at security@evalent.io. We aim to acknowledge reports within 24 hours and respond substantively within 5 business days.

How we protectstudent data.