← BackSecurity and responsible disclosure
Version 1.0 · Effective from 11 June 2026
How eViva approaches security
eViva is built so that the most sensitive data it handles, video recordings of students, never sits on eViva’s own servers. Recordings upload directly from the student’s browser to the school’s own Google Drive or OneDrive. eViva holds the surrounding assessment metadata only, in the EU (Frankfurt, Germany), encrypted in transit and at rest, with row-level security isolating each teacher’s data. The full picture, including our sub-processors and the documents available for a school’s DPIA, is on the compliance page.
Reporting a vulnerability
If you believe you have found a security vulnerability in eViva, we want to hear from you, and we will treat your report with priority and respect. Email admin@eviva.tech with:
- A description of the issue and where you found it.
- Steps to reproduce it (a proof of concept helps; a full exploit chain is not required).
- What you believe the impact is.
- How you would like to be credited, if at all.
A machine-readable version of this policy is published at /.well-known/security.txt.
What we commit to
- We will acknowledge your report within two working days.
- We will investigate promptly, keep you informed of progress, and tell you when the issue is resolved.
- We will not take legal action against you for good-faith security research that follows the rules below.
- If your report leads to a fix, we will credit you here if you wish.
Rules for good-faith research
This page is the coordinated arrangement referred to in our Terms of Service. Research is in good faith when you:
- Do not access, modify, or delete data belonging to anyone else. If you encounter personal data, stop, do not copy it, and report immediately.
- Do not degrade or disrupt the service (no denial-of-service, spam, or volumetric testing).
- Do not use social engineering, phishing, or physical attacks against eViva, schools, teachers, or students.
- Test only against eviva.tech and your own accounts or test data, never against a school’s live assignments.
- Give us a reasonable opportunity to fix the issue before any public disclosure.
Out of scope
- The school’s own Google Workspace or Microsoft 365 tenancy and its Drive/OneDrive (governed by the school’s agreement with Google or Microsoft).
- Vulnerabilities in our sub-processors’ platforms (Supabase, Vercel, Google, Microsoft, Resend, Stripe), which should be reported to those providers directly.
- Findings that require physical access to a user’s device.
- Reports from automated scanners without a demonstrated impact.
Security incidents
If you are a school and need to report a suspected personal-data breach, email admin@eviva.tech. Our incident-response procedure commits us to notifying affected schools within 24 hours of becoming aware of a breach affecting their data.
eViva is operated by Copeland Digital Ltd, registered in England and Wales (Company No. 17207220).