GDPR Compliance Report
How AEMS processes, stores, and protects personal data under the General Data Protection Regulation.
Last updated: March 2026
Data we process and why
AEMS processes the minimum data required to grade exams and deliver results. What we process depends entirely on your deployment model.
| Data category | Personal plan | Department plan | Institutional plan |
|---|---|---|---|
| Exam PDFs & submissions | Stored on your device via agent; accessed by hosted AEMS during grading | EU-hosted, 30-day auto-purge | Your infrastructure |
| Grading results & annotations | Hosted AEMS workspace and local exports | EU-hosted, 1 academic year | Your infrastructure |
| Student identifiers | Processed in the hosted grading workflow when you grade | Encrypted at rest (AES-256) | Your infrastructure |
| Account & licence data | Account, billing, and agent-pairing metadata | Name, email, role, institution | Name, email, role |
| Usage analytics | Security and billing logs | Cookieless (Plausible) | None unless opted in |
Legal bases for processing
- Contract performance (Art. 6(1)(b)): processing necessary to deliver the grading service you have subscribed to
- Legitimate interest (Art. 6(1)(f)): security monitoring, fraud prevention, service improvement
- Consent (Art. 6(1)(a)): optional analytics, marketing communications
- Legal obligation (Art. 6(1)(c)): tax records, regulatory compliance
Data subject rights
AEMS implements all data subject rights required under GDPR. You can exercise these by contacting privacy@aems.app.
| Right | Article | Implementation |
|---|---|---|
| Access | Art. 15 | Full data export in machine-readable format within 30 days |
| Rectification | Art. 16 | Correct inaccurate personal data via account settings or support request |
| Erasure | Art. 17 | Irreversible anonymisation of all personal data, with a 7-day cooling-off period. Grade audit records are retained in anonymised form for academic integrity |
| Restriction | Art. 18 | Freeze processing while disputes are resolved |
| Portability | Art. 20 | Download all your data in structured JSON format |
| Objection | Art. 21 | Opt out of processing based on legitimate interest |
Automated decision-making
AEMS uses AI to draft marks and feedback, but it does not make final grading decisions. All AI-generated marks are presented as proposals requiring mandatory human review before publication. This means AEMS does not engage in solely automated decision-making with legal or similarly significant effects (Art. 22).
Instructors retain full authority to accept, modify, or override every mark. All review decisions are logged in the audit trail.
Technical and organisational measures
- Encryption in transit: TLS 1.3 for all connections
- Encryption at rest: AES-256 for stored data
- EU data residency: Department plan hosted on Hetzner (Germany/Finland), ISO 27001 and BSI C5 Type 2 certified
- Access control: Role-based permissions (Admin, Instructor, TA, Grader, Reviewer)
- Audit logging: Tamper-evident SHA-256 hash chain for all grade modifications
- Retention limits: Exam PDFs auto-purged after 30 days; grading results after 1 academic year; backups after 90 days
- No model training: Student data is never used to train or fine-tune AI models
- Prompt injection protection: Invisible text detection prevents manipulation of AI marking
Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner (ISO 27001, BSI C5 Type 2) | Hosting, database, storage | Germany / Finland (EU) |
| OpenAI / Anthropic / Google | AI inference (configurable; EU endpoints used where available) | EU / US (provider-dependent) |
| Stripe | Payment processing | EU |
| Postmark / Resend | Transactional email | EU / US |
The Personal plan and Institutional plan do not involve any sub-processors for exam data. AI inference sub-processors are only used when the institution chooses cloud-based AI providers. Local models (Ollama) process everything on-device.
Data Processing Agreements
AEMS maintains signed Data Processing Agreements (Art. 28 GDPR) with all sub-processors. The hosting DPA with Hetzner Online GmbH (v1.2, February 2026) governs infrastructure processing and guarantees EU-only data residency for EU-located servers.
A DPA template for Department and Institutional plan customers is available on request. Contact contact@aems.app or use the enterprise booking form to download the full compliance pack including DPA, architecture diagrams, and security questionnaire responses.
Contact
For data protection enquiries: privacy@aems.app