← Back

Security and responsible disclosure

Version 1.0 · Effective from 11 June 2026

How eViva approaches security

eViva is built so that the most sensitive data it handles, video recordings of students, never sits on eViva’s own servers. Recordings upload directly from the student’s browser to the school’s own Google Drive or OneDrive. eViva holds the surrounding assessment metadata only, in the EU (Frankfurt, Germany), encrypted in transit and at rest, with row-level security isolating each teacher’s data. The full picture, including our sub-processors and the documents available for a school’s DPIA, is on the compliance page.

Reporting a vulnerability

If you believe you have found a security vulnerability in eViva, we want to hear from you, and we will treat your report with priority and respect. Email admin@eviva.tech with:

A machine-readable version of this policy is published at /.well-known/security.txt.

What we commit to

Rules for good-faith research

This page is the coordinated arrangement referred to in our Terms of Service. Research is in good faith when you:

Out of scope

Security incidents

If you are a school and need to report a suspected personal-data breach, email admin@eviva.tech. Our incident-response procedure commits us to notifying affected schools within 24 hours of becoming aware of a breach affecting their data.

eViva is operated by Copeland Digital Ltd, registered in England and Wales (Company No. 17207220).