Last updated: 10 July 2026
eViva is an oral defence recording tool used by schools, operated by Copeland Digital Ltd, a company registered in England and Wales (Company No. 17207220). Teachers assign questions to students, who then record short video responses. Recordings are reviewed by the assigned teacher only.
For the purposes of the UK GDPR and the Data Protection Act 2018, the school is the data controller for student personal data processed through eViva. Copeland Digital Ltd acts as a data processor on the school’s instructions in respect of the metadata that eViva holds. Recordings stored in the teacher’s school cloud storage (Google Drive for Google Workspace schools, OneDrive for Microsoft 365 schools) remain under the school’s control, with Google or Microsoft respectively as the relevant processor for that storage layer.
eViva relies on the school’s lawful basis for processing student personal data, which is typically the school’s public task (for state-maintained schools) or its contract or legitimate interests (for independent schools and trusts). For teachers as users of the service, the lawful basis is the contract between Copeland Digital Ltd and the user. The school is responsible for issuing its own privacy notice to parents and students explaining how it uses eViva. Students are informed before recording begins that their responses will be shared with their teacher.
Because most students are minors, eViva limits the data it holds about students to the minimum required to operate the service. The school remains responsible for age-appropriate transparency to students and parents, including obligations arising under the Information Commissioner’s Office Age Appropriate Design Code.
A separate UK GDPR Article 28 data processing agreement is available to schools on request from admin@eviva.tech.
When a teacher creates an assignment, the following data is stored:
For teachers, we store:
We do not collect passwords, location data, persistent device identifiers, or browsing history. eViva does not capture screenshots or other images of the student’s screen, audio from the student’s microphone outside the recording itself, or content from other applications running on the student’s device.
eViva uses only strictly-necessary cookies required to maintain a teacher’s signed-in session. We do not use cookies for analytics, advertising, or tracking.
Student video recordings are uploaded directly from the student’s browser to the teacher’s own school cloud storage: Google Drive for Google Workspace schools, OneDrive for Microsoft 365 schools. The bytes do not pass through eViva’s servers. Recordings remain in the teacher’s storage under the school’s own storage policies and ownership.
eViva itself stores only the metadata required to operate the service: assignment titles, question text, student names and emails, timestamps, session events, a storage file ID (Google Drive or OneDrive) for each recording, and any written feedback a teacher records about a student’s responses. This metadata is stored in Supabase (hosted on AWS) in the EU (Frankfurt) region. All connections use HTTPS encryption in transit; data is encrypted at rest by the underlying provider.
Some sub-processors used to deliver eViva (in particular, Resend for email delivery and Vercel for web hosting) involve processing in the United States. Personal data transferred to these providers is governed by the UK International Data Transfer Agreement, or by the European Commission Standard Contractual Clauses with the UK addendum, as set out in each provider’s published data processing terms. Our use of Google services is governed by Google’s own data processing terms for Workspace customers, and our use of Microsoft services by Microsoft’s data protection terms for Microsoft 365 customers.
Teachers sign in with their school’s Google or Microsoft account; which applies depends on the school’s own platform, and eViva only ever holds credentials for the one the teacher signed in with. For Google schools: when a teacher signs in, eViva reads the teacher’s name and email address from the Google account so it can identify the signed-in user and display their name in the dashboard.
eViva also requests access to two Google services:
For Microsoft 365 schools, eViva uses Microsoft Entra ID sign-in and reads the teacher’s name and email address from the Microsoft account, exactly as above. eViva also requests delegated access to the teacher’s OneDrive (Microsoft Graph Files.ReadWrite) to create per-assignment and per-student folders and upload student video recordings into them.
We describe this permission as it actually is: Microsoft does not offer a per-app-file permission equivalent to Google’s drive.file, so the OneDrive grant technically covers the teacher’s whole OneDrive. eViva’s conduct is narrower than the grant: it only creates and addresses folders and files inside the eViva folder it makes, it validates every uploaded recording against the specific folder it created for that student, and it never lists, reads, or modifies the teacher’s other files. eViva does not import rosters from Microsoft services; Microsoft schools roster by CSV, by typing students in, or through their LMS via LTI.
eViva’s use and transfer to any other application of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. eViva affirms that Google Workspace APIs are not used to develop, improve, or train generalised or non-personalised AI or machine learning models. eViva does not retain or use Google Workspace data to train generalised AI or machine learning models. In particular:
Student recordings and personal information are accessible to the teacher who created the assignment, and, where the teacher leaves the setting enabled, to the student who made the recording, for their own responses only. Recording files live in the teacher’s Google Drive or OneDrive and are governed by the school’s own storage sharing policies. Metadata access is enforced at the database level through row-level security policies.
Student rewatch.So that students can revisit what they said, eViva can grant a student view-only access to their own recordings by adding a viewer permission for the student’s own school account to those files in the teacher’s Google Drive. This is on by default and can be switched off per assignment by the teacher. To prevent a student from revealing the questions to classmates who have not yet recorded, rewatch becomes available only once the assignment deadline has passed (or immediately where no deadline is set). Students can view but cannot edit or delete their recordings, and can see only their own. Because this access is a Drive permission on files the school owns, it persists until the teacher disables rewatch or the school removes the files or permissions through its own Drive administration; deleting an eViva assignment removes eViva’s metadata but does not by itself revoke a viewer permission already granted in the school’s Drive. Rewatch is currently offered only where recordings are stored in Google Drive; for schools whose recordings are stored in Microsoft OneDrive, students do not receive access to their recordings. Where a student or parent wishes to exercise rights of access, rectification, erasure, or objection under UK GDPR, the school routes that request to eViva (see Your Rights below).
Recordings may incidentally contain personal data of categories specified by UK GDPR Article 9 (for example, references to health, religion, or other protected matters within a spoken answer). eViva does not transcribe recordings, extract biometric templates from them, or otherwise process their audio or visual content. Once recordings are in the school’s Drive, the school’s own safeguarding and data protection arrangements apply.
eViva administrators (the development team) can access the metadata database for maintenance and support purposes only. eViva staff have no programmatic access to recording files in teachers’ Drives: the Drive integration is technically restricted to files that eViva creates itself, and those files are read by the teacher within the teacher’s own Google session.
Students do not create accounts. They receive a unique per-student link via email from their teacher. The link grants access to that student’s specific questions and recording interface only. No login is required.
Recording files in the teacher’s Drive are retained at the school’s discretion under the school’s own Drive policies; eViva does not delete files from teachers’ Drives. Metadata held by eViva is retained for the duration of the academic year in which the assignment was created, unless the teacher deletes the assignment sooner. Teachers can delete assignments at any time from their dashboard, which removes the metadata from eViva’s database; the underlying Drive files remain under the school’s control. Teacher feedback and follow-up questions are held as part of the assignment metadata and are deleted with it, whether by the teacher deleting the assignment or by the end-of-year purge.
eViva applies technical and organisational measures appropriate to the data it holds, including HTTPS encryption in transit, encryption at rest by the underlying provider, role-based access controls within the eViva team, and access enforcement at the database level through row-level security. In the event of a personal data breach affecting a school’s data, Copeland Digital Ltd will notify the affected school without undue delay and in any event within 72 hours of becoming aware, in line with UK GDPR Article 33.
Under the UK GDPR, individuals have the right to access, rectify, erase, restrict processing of, port, and object to the processing of their personal data, and the right to complain to the Information Commissioner’s Office at ico.org.uk.
For students and parents, these rights are exercised through the school in its capacity as data controller. A student or parent may ask the teacher or the school’s data protection lead to make a request on their behalf; the school will then route any necessary action to eViva, and we will comply within the timeframes required by law.
For teachers as users of the service, requests can be sent directly to admin@eviva.tech.
eViva does not make automated decisions about students based on their personal data within the meaning of UK GDPR Article 22. Recordings are not marked, scored, or otherwise processed by AI on behalf of eViva. Feedback and follow-up questions are written by the teacher; eViva does not generate, summarise, or score them.
No data is sold to or shared with advertisers or analytics providers.
For questions about this policy or to request data deletion, contact the eViva team at admin@eviva.tech.
Copeland Digital Ltd is registered in England and Wales (Company No. 17207220). Registered office: 6 Brynbala Way, Rumney, Cardiff, CF3 1SX.