Legal
Viva Proof, Inc. · Last updated: June 2026
At Viva, security, privacy, and responsible AI are built into the platform, not added on top. We serve educational institutions across the world, and our approach to compliance is designed to meet the highest standards in every jurisdiction we operate in.
This page explains how we protect student data, how we meet education privacy law obligations globally, and how we approach AI fairly and transparently.
Questions? Contact privacy@vivaproof.com or request our full Vendor Security Overview.
Section 1 — Security & Data Protection
All data is encrypted in transit using TLS 1.2+ and at rest using AES-256. This includes voice recordings, transcripts, grades, and all other student information.
Each school's data is kept strictly separate from every other school's through row-level security in the database. A teacher or student at one school cannot access data from another.
Access to student data is limited to personnel who need it to operate the service. All access is logged and auditable. Admin access requires multi-factor authentication.
We run automated dependency scanning on every code change (GitHub Dependabot). Critical vulnerabilities are patched within 7 days; high-severity issues within 30 days. We conduct security reviews at every major release and commission third-party penetration tests annually.
If a data breach affects student data, we notify affected schools within 72 hours of becoming aware, consistent with applicable data protection laws in each jurisdiction we serve, including GDPR Article 33 (EEA/UK), Korea PIPA Article 34, and equivalent national requirements elsewhere.
Voice recordings are automatically deleted within 30 days of each session. Voiceprints (if enabled) are deleted within 90 days of account closure. All student data is deleted or anonymised after the contract period. We provide written deletion confirmation on request.
We work with a small number of trusted technology providers to operate the platform. Subprocessors are primarily based in the United States; Supabase and PostHog each offer EU/UK data residency options. Each is bound by a written data processing agreement with terms no less protective than our own.
| Provider | Role | Location | SOC 2 |
|---|---|---|---|
| Supabase | Database, auth, file storage | US / EU-UK available | Type II ✓ |
| Vercel | Application hosting | US | Type II ✓ |
| Anthropic (Claude) | AI grading, question generation | US | Type II ✓ |
| ElevenLabs | Voice interview agent (audio not retained after session) | US | Type II ✓ |
| Render | Voice-identity / speaker-verification microservice | US | Type II ✓ |
| Resend | Transactional email | US | Type II ✓ |
| Sentry | Error monitoring (PII scrubbed before logging) | US | Type II ✓ |
| Microsoft | Office document viewer (.docx / .pptx preview) | US | Type II ✓ |
| PostHog | Product analytics | US / EU | Type II ✓ |
| Stripe | Billing (Viva does not store card data) | US | Type II ✓ |
Google Gemini. Viva uses Google Gemini to generate non-personalised platform assets (anti-cheat diagram images). No student or user personal data is transmitted to Google in connection with this use. Google is therefore not acting as a subprocessor in respect of personal data.
Slack. Viva uses Slack for internal operational alerting (system health, usage metrics, and de-identified product-feedback summaries). No Student Data or other personal data is transmitted to Slack, so Slack is not acting as a subprocessor of personal data.
Viva is currently in the SOC 2 Type II readiness phase. Our controls are operating today. The formal audit period and Type II report are targeted for 2027.
Near-term milestones:
Want the full Vendor Security Overview? Contact privacy@vivaproof.com.
Section 2 — Education Privacy Compliance
Viva is designed to comply with education privacy laws across every jurisdiction we serve. Below we explain our obligations under the two primary US frameworks. If your institution is located outside the US, we work with you to put the appropriate compliance documentation in place. Contact privacy@vivaproof.com for details relevant to your country.
The Family Educational Rights and Privacy Act (FERPA) is a US federal law that protects the privacy of student education records. It gives parents and eligible students the right to inspect, correct, and control access to education records.
Viva acts as a "school official" with a "legitimate educational interest" in student data, as defined under 34 CFR § 99.31(a)(1)(i)(B). This means:
Students who are 18 or older (or who attend a post-secondary institution) hold their own FERPA rights. Parents hold FERPA rights for students under 18. Through their school, parents and eligible students may inspect, request correction of, and control disclosure of education records.
For questions about FERPA rights, contact your school's registrar or data protection contact, who will liaise with Viva.
For students under age 13, Viva operates as a service provider to schools under the Children's Online Privacy Protection Act (COPPA). Schools are responsible for obtaining verifiable parental consent before enrolling students under 13. Viva does not knowingly collect data from under-13 students without school authorisation.
Viva maintains equivalent compliance documentation and contractual addenda for other jurisdictions, including (but not limited to):
Contact privacy@vivaproof.com for compliance documentation specific to your institution's jurisdiction.
Section 3 — Data & AI Ethics
AI should support teachers, not replace them. Viva is built on one core principle: the AI never makes the final grading decision. Here is what that means in practice.
Every AI-generated grade and piece of feedback in Viva is advisory. A teacher is responsible for every grade and can override any AI suggestion at any time, for any reason, without explanation. The teacher either reviews each result before it is released or, per assignment, chooses to release results automatically once grading is complete; the AI never decides a final grade on its own. The AI is a tool; the educator is the decision-maker.
When Viva generates a suggested grade, the AI also produces a structured rationale explaining why. Teachers can see exactly what the AI assessed, what questions it asked, and how the student responded. Students can request access to their interview recording and transcript through their school.
Viva does not issue grades from an unexplained algorithm. Every assessment result is tied to a specific interview, a specific set of teacher-designed criteria, and a visible AI explanation that a teacher can read, question, and override.
Oral assessment is not neutral, and we take that seriously. We design Viva's interview system to:
We conduct reviews of assessment outputs for patterns that may indicate demographic bias. Our Bias & Validity Audit Methodology is available on request.
Students are informed about how Viva works before their first interview through the Student Privacy Notice. They consent explicitly to voice recording. They can request access to their recording. They can raise concerns about their assessment with their teacher. Viva does not make educational decisions about students; schools do.
For questions about our security practices, compliance, or AI ethics:
privacy@vivaproof.com
Viva Proof, Inc., 120 Kingston Street, Unit 909, Boston, MA 02111, USA
vivaproof.com/legal/trust-center