Where does the student data go?
This is the first question every institution asks, and it should be. Here is a transparent answer for every deployment model.
Personal
Hosted account plus paired local storage
- Source exam PDFs are stored on your machine via the paired AEMS Agent
- AI inference runs via your own provider (local or API key you control)
- The hosted AEMS app stores account, subscription, and pairing metadata
- When you start grading, the hosted app fetches the required PDF from your paired agent
Department
EU-hosted cloud, strict retention
- Exam PDFs encrypted in transit and at rest in EU data centres
- PDFs automatically purged after 30 days
- Grading results retained for 1 academic year (configurable)
- AI inference via documented sub-processors (e.g., OpenAI EU endpoint)
- Backups stored in EU object storage, encrypted, 90-day retention
Institutional
Your infrastructure, your rules
- AEMS deployed entirely within your network perimeter
- No data leaves your firewall
- AI providers contracted directly by your institution
- Data retention and backup policies set by your IT team
- Telemetry disabled or fully audited
Data storage matrix
| Data type | Personal | Department | Institutional |
|---|---|---|---|
| Exam PDFs / PII | Stored on your machine via agent; accessed by the hosted app during grading | EU cloud, 30-day auto-purge | Your network |
| Grading results | Hosted AEMS workspace and downloaded exports | EU cloud, 1-year retention | Your network |
| Account metadata | AEMS account, billing, and agent-pairing metadata | AEMS cloud database | AEMS license service |
| System backups | Hosted account and workspace backups; local agent files remain under your control | EU storage, encrypted, 90 days | Your backup policy |
| AI inference | Your provider | AEMS sub-processors | Your contracted provider |
| Operational logs | Account, billing, and security logs | Standard monitoring | Disabled / audited |
GDPR and compliance
EU data residency
All Department-plan data is processed and stored in EU data centres (Germany and Finland). No student data is transferred outside the European Economic Area.
No training on student data
Student submissions are never used to train or fine-tune AI models, by us or by our sub-processors. Each submission is processed in isolation and discarded after marking.
Data Processing Agreements
A downloadable DPA template is available for Department-plan institutions, listing all sub-processors (hosting, AI inference, email delivery). Changes to the sub-processor list are communicated with 30-day advance notice.
Data subject access requests
Department-plan users can export or delete all workspace data via a self-service interface. Exports are delivered as a signed download. Deletion includes a 7-day cooling-off period, after which data is permanently removed from all systems including backups.
Audit trail
Every marking decision, including the original AI proposal, human adjustments, and final approved grade, is logged with timestamps and user identifiers. This trail supports internal quality audits and external examination board reviews.
Security measures
Encryption
TLS 1.3 in transit. AES-256 at rest for all stored data and backups.
Access control
Role-based access, CSRF protection on all forms, and optional MFA for administrator accounts.
Prompt injection protection
Invisible text detection identifies hidden content in PDFs that could manipulate AI marking. Suspicious submissions are flagged for manual review.
Input validation
Path traversal protection, SSRF prevention, and strict input sanitisation on all API endpoints.
Sub-processors (Department plan)
The following third parties process data on behalf of AEMS for the Department plan. Institutional deployments use only providers contracted by the customer. A signed Data Processing Agreement (Art. 28 GDPR) is in place with each sub-processor.
| Provider | Purpose | Location |
|---|---|---|
| Hetzner ISO 27001, BSI C5 Type 2 | Application hosting and database | Germany / Finland |
| OpenAI / Anthropic / Google | AI inference (configurable) | EU endpoints where available |
| Stripe | Payment processing | EU |
| Postmark / Resend | Transactional email | EU / US |
Need the full security pack for your procurement process?
Request Security & Compliance PackIncludes DPA template, SOC 2 overview, and architecture diagrams. We respond within one business day.