Legal

Trust Center

Viva Proof, Inc. · Last updated: June 2026

At Viva, security, privacy, and responsible AI are built into the platform, not added on top. We serve educational institutions across the world, and our approach to compliance is designed to meet the highest standards in every jurisdiction we operate in.

This page explains how we protect student data, how we meet education privacy law obligations globally, and how we approach AI fairly and transparently.

Questions? Contact privacy@vivaproof.com or request our full Vendor Security Overview.

Section 1 — Security & Data Protection

How We Protect Student Data

Encryption

All data is encrypted in transit using TLS 1.2+ and at rest using AES-256. This includes voice recordings, transcripts, grades, and all other student information.

Tenant Isolation

Each school's data is kept strictly separate from every other school's through row-level security in the database. A teacher or student at one school cannot access data from another.

Access Controls

Access to student data is limited to personnel who need it to operate the service. All access is logged and auditable. Admin access requires multi-factor authentication.

Vulnerability Management

We run automated dependency scanning on every code change (GitHub Dependabot). Critical vulnerabilities are patched within 7 days; high-severity issues within 30 days. We conduct security reviews at every major release and commission third-party penetration tests annually.

Breach Notification

If a data breach affects student data, we notify affected schools within 72 hours of becoming aware, consistent with applicable data protection laws in each jurisdiction we serve, including GDPR Article 33 (EEA/UK), Korea PIPA Article 34, and equivalent national requirements elsewhere.

Data Deletion

Voice recordings are automatically deleted within 30 days of each session. Voiceprints (if enabled) are deleted within 90 days of account closure. All student data is deleted or anonymised after the contract period. We provide written deletion confirmation on request.

Our Subprocessors

We work with a small number of trusted technology providers to operate the platform. Subprocessors are primarily based in the United States; Supabase and PostHog each offer EU/UK data residency options. Each is bound by a written data processing agreement with terms no less protective than our own.

ProviderRoleLocationSOC 2
SupabaseDatabase, auth, file storageUS / EU-UK availableType II ✓
VercelApplication hostingUSType II ✓
Anthropic (Claude)AI grading, question generationUSType II ✓
ElevenLabsVoice interview agent (audio not retained after session)USType II ✓
RenderVoice-identity / speaker-verification microserviceUSType II ✓
ResendTransactional emailUSType II ✓
SentryError monitoring (PII scrubbed before logging)USType II ✓
MicrosoftOffice document viewer (.docx / .pptx preview)USType II ✓
PostHogProduct analyticsUS / EUType II ✓
StripeBilling (Viva does not store card data)USType II ✓

Google Gemini. Viva uses Google Gemini to generate non-personalised platform assets (anti-cheat diagram images). No student or user personal data is transmitted to Google in connection with this use. Google is therefore not acting as a subprocessor in respect of personal data.

Slack. Viva uses Slack for internal operational alerting (system health, usage metrics, and de-identified product-feedback summaries). No Student Data or other personal data is transmitted to Slack, so Slack is not acting as a subprocessor of personal data.

SOC 2 Readiness

Viva is currently in the SOC 2 Type II readiness phase. Our controls are operating today. The formal audit period and Type II report are targeted for 2027.

Near-term milestones:

  • SAML SSO via Microsoft Entra ID and Google Workspace
  • Admin MFA enforcement by policy
  • Third-party penetration test commissioned

Want the full Vendor Security Overview? Contact privacy@vivaproof.com.

Section 2 — Education Privacy Compliance

Viva is designed to comply with education privacy laws across every jurisdiction we serve. Below we explain our obligations under the two primary US frameworks. If your institution is located outside the US, we work with you to put the appropriate compliance documentation in place. Contact privacy@vivaproof.com for details relevant to your country.

FERPA (United States)

What Is FERPA?

The Family Educational Rights and Privacy Act (FERPA) is a US federal law that protects the privacy of student education records. It gives parents and eligible students the right to inspect, correct, and control access to education records.

Viva's Role Under FERPA

Viva acts as a "school official" with a "legitimate educational interest" in student data, as defined under 34 CFR § 99.31(a)(1)(i)(B). This means:

  • We perform a service for which the school would otherwise use its own employees, specifically, conducting oral assessments and generating AI-suggested grades
  • We are under the direct control of the school with respect to the use and maintenance of student data
  • We are bound by the same use-and-redisclosure restrictions that apply under 34 CFR § 99.33(a)

What We Do Not Do

  • We do not share student education records with third parties except as necessary to provide the service
  • We do not use student data for advertising or commercial purposes unrelated to the school's educational purpose
  • We do not disclose personally identifiable information except as permitted by the school or required by law

Parental and Student Rights

Students who are 18 or older (or who attend a post-secondary institution) hold their own FERPA rights. Parents hold FERPA rights for students under 18. Through their school, parents and eligible students may inspect, request correction of, and control disclosure of education records.

For questions about FERPA rights, contact your school's registrar or data protection contact, who will liaise with Viva.

COPPA (United States — Under-13 Students)

For students under age 13, Viva operates as a service provider to schools under the Children's Online Privacy Protection Act (COPPA). Schools are responsible for obtaining verifiable parental consent before enrolling students under 13. Viva does not knowingly collect data from under-13 students without school authorisation.

Other Jurisdictions

Viva maintains equivalent compliance documentation and contractual addenda for other jurisdictions, including (but not limited to):

  • Republic of Korea: Korea PIPA (Personal Information Protection Act) — cross-border transfer disclosure, voiceprint consent, under-14 guardian consent
  • EEA / UK: EU GDPR / UK GDPR — Standard Contractual Clauses (SCCs), UK IDTA, data subject rights
  • Other national laws: available on request

Contact privacy@vivaproof.com for compliance documentation specific to your institution's jurisdiction.

Section 3 — Data & AI Ethics

Our Approach to AI in Education

AI should support teachers, not replace them. Viva is built on one core principle: the AI never makes the final grading decision. Here is what that means in practice.

The Teacher Always Decides

Every AI-generated grade and piece of feedback in Viva is advisory. A teacher is responsible for every grade and can override any AI suggestion at any time, for any reason, without explanation. The teacher either reviews each result before it is released or, per assignment, chooses to release results automatically once grading is complete; the AI never decides a final grade on its own. The AI is a tool; the educator is the decision-maker.

Transparency

When Viva generates a suggested grade, the AI also produces a structured rationale explaining why. Teachers can see exactly what the AI assessed, what questions it asked, and how the student responded. Students can request access to their interview recording and transcript through their school.

No "Black Box" Grading

Viva does not issue grades from an unexplained algorithm. Every assessment result is tied to a specific interview, a specific set of teacher-designed criteria, and a visible AI explanation that a teacher can read, question, and override.

Responsible Data Use

  • We do not sell student data, ever
  • We do not use student data for advertising
  • We do not use student data to train our AI models without explicit written permission from the school
  • Where a school grants us permission to use de-identified, aggregated data for research, such use is documented in the Data Processing Agreement and applies only prospectively

Bias and Fairness

Oral assessment is not neutral, and we take that seriously. We design Viva's interview system to:

  • Allow for a range of communication styles and linguistic backgrounds
  • Assess understanding of content, not fluency of expression (unless fluency is the explicit learning objective)
  • Support accommodations for students with disabilities, including extra time, captioning, and first-language options

We conduct reviews of assessment outputs for patterns that may indicate demographic bias. Our Bias & Validity Audit Methodology is available on request.

Student Voice and Agency

Students are informed about how Viva works before their first interview through the Student Privacy Notice. They consent explicitly to voice recording. They can request access to their recording. They can raise concerns about their assessment with their teacher. Viva does not make educational decisions about students; schools do.

Contact Us

For questions about our security practices, compliance, or AI ethics:

privacy@vivaproof.com
Viva Proof, Inc., 120 Kingston Street, Unit 909, Boston, MA 02111, USA
vivaproof.com/legal/trust-center