Where does the student data go?
This is the first question every institution asks — and it should be. Here is a transparent answer for every deployment model.
Personal
Everything stays on your machine
- Exam PDFs never leave your computer
- AI inference runs via your own provider (local or API key you control)
- Only a license heartbeat reaches AEMS servers — no exam content, no student identifiers
- Works fully offline after initial activation
Department
EU-hosted cloud, strict retention
- Exam PDFs encrypted in transit and at rest in EU data centres
- PDFs automatically purged after 30 days
- Grading results retained for 1 academic year (configurable)
- AI inference via documented sub-processors (e.g., OpenAI EU endpoint)
- Backups stored in EU object storage, encrypted, 90-day retention
Institutional
Your infrastructure, your rules
- AEMS deployed entirely within your network perimeter
- No data leaves your firewall
- AI providers contracted directly by your institution
- Data retention and backup policies set by your IT team
- Telemetry disabled or fully audited
Data storage matrix
| Data type | Personal | Department | Institutional |
|---|---|---|---|
| Exam PDFs / PII | Your computer only | EU cloud, 30-day auto-purge | Your network |
| Grading results | Your computer only | EU cloud, 1-year retention | Your network |
| Account metadata | AEMS license service | AEMS cloud database | AEMS license service |
| System backups | N/A | EU storage, encrypted, 90 days | Your backup policy |
| AI inference | Your provider | AEMS sub-processors | Your contracted provider |
| Telemetry | Opt-in only | Standard monitoring | Disabled / audited |
GDPR and compliance
EU data residency
All Department-plan data is processed and stored in EU data centres (Germany and Finland). No student data is transferred outside the European Economic Area.
No training on student data
Student submissions are never used to train or fine-tune AI models — by us or by our sub-processors. Each submission is processed in isolation and discarded after marking.
Data Processing Agreements
A downloadable DPA template is available for Department-plan institutions, listing all sub-processors (hosting, AI inference, email delivery). Changes to the sub-processor list are communicated with 30-day advance notice.
Data subject access requests
Department-plan users can export or delete all workspace data via a self-service interface. Exports are delivered as a signed download. Deletion includes a 7-day cooling-off period, after which data is permanently removed from all systems including backups.
Audit trail
Every marking decision — original AI proposal, human adjustments, and final approved grade — is logged with timestamps and user identifiers. This trail supports internal quality audits and external examination board reviews.
Security measures
Encryption
TLS 1.3 in transit. AES-256 at rest for all stored data and backups.
Access control
Role-based access, CSRF protection on all forms, and optional MFA for administrator accounts.
Prompt injection protection
Invisible text detection identifies hidden content in PDFs that could manipulate AI marking. Suspicious submissions are flagged for manual review.
Input validation
Path traversal protection, SSRF prevention, and strict input sanitisation on all API endpoints.
Sub-processors (Department plan)
The following third parties process data on behalf of AEMS for the Department plan. Institutional deployments use only providers contracted by the customer.
| Provider | Purpose | Location |
|---|---|---|
| Hetzner | Application hosting and database | Germany / Finland |
| OpenAI / Anthropic / Google | AI inference (configurable) | EU endpoints where available |
| Stripe | Payment processing | EU |
| Postmark / Resend | Transactional email | EU / US |
Need the full security pack for your procurement process?
Request Security & Compliance PackIncludes DPA template, SOC 2 overview, and architecture diagrams. We respond within one business day.