UAE data protection compliant. GDPR-aligned for EU and UK data subjects. School is the data controller. Student assessment data is never used to train language models. Ever.
Watch this 90-second video
Independent schools assess applicants who are minors. That data, names, writing samples, scores, contact details, carries serious legal and ethical weight. Every school using Evalent needs to be confident that the platform meets its obligations under applicable data protection law and EU GDPR, and that student data is never misused. This page explains exactly how Evalent handles that responsibility.
Under GDPR, the organisation that determines the purpose and means of processing personal data is the data controller. For student applicant data, that is your school, not Evalent. Evalent acts only as a data processor, processing data strictly on your school's instructions. This means your school retains full ownership and control of all assessment data from day one.
Assessment responses, including extended writing, are processed by Evalent only to generate the report for that specific student. This processing is governed by a data processing agreement with Anthropic, our language model sub-processor, which contractually prohibits the use of your students' data for AI training purposes. Student data is used for one purpose: producing the admissions report your school requested.
Evalent is operated by Evalent LLC TZE, a company registered in the Ras Al Khaimah Economic Zone (RAKEZ), UAE. We comply with both UK GDPR (as administered by the Information Commissioner's Office) and EU GDPR. Where sub-processors operate outside the UK and EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the UK ICO and European Commission.
Schools can configure their own data retention period in Evalent's settings. Assessment data is automatically deleted after the period you specify, or immediately on request by emailing hello@evalent.io. You are never locked into holding data longer than your school's own policy requires.
Evalent shares data only with the sub-processors required to deliver the service: database hosting (Supabase), Evalent evaluation (Anthropic), transactional email (Resend), and platform infrastructure (Vercel). Each is bound by a formal data processing agreement. We do not sell personal data to any third party, and we do not use student data for advertising, profiling, or any purpose beyond delivering your school's reports.
All data is encrypted in transit (TLS 1.2+) and at rest. Access to assessment data is restricted to authenticated school users only, assessors receive a secure, time-limited link to view the specific report they need, with no access to any other student data. Multi-factor authentication is available for all school accounts.
Compliant with both UK ICO and EU GDPR frameworks
You are the data controller. We are the processor.
Contractually prohibited. No exceptions.
Read the full legal detail in our documentation:
No credit card. No contract. Set up in 5 minutes.