DidactLabs Trust Centre

We follow the GDPR principle of data minimization. We only process the data essential for providing our service. Here’s a breakdown:

• Teacher Data: We collect your name and email to create and manage your account, provide support, and communicate service updates. The legal basis is the fulfillment of our service contract with you.

• Assignment & Student Work Data: We process the assignment instructions you create and the content students write, including the text itself, edit history, and AI assistant interactions. This is the core data required to provide our primary feature: process visibility.

• Student Data (Anonymous by Default): For our Free and Teacher plans, no student Personally Identifiable Information (PII) is required. Students access assignments via a link and do not create accounts, ensuring their privacy by default. For School plans with LMS integration, student identifiers may be passed from the LMS to associate work with a student in your gradebook, processed under the school's legal basis as the data controller.

Yes. All core service data for our European customers is stored and processed exclusively within the European Union.

• Primary Infrastructure: Our backend services and databases run on Google Cloud Platform (GCP) in the europe-west1 region (Belgium). All student writing, process data, and educator content are stored here.
• AI Processing: We use Google Vertex AI, and all AI processing for our European customers occurs within the europe-west1 region (Belgium). No data is sent outside the EU for AI analysis.
• Educator Authentication: We use Auth0 as a secure, third-party identity provider. Our Auth0 instance is hosted in their EU tenant (Germany).
• Sub-processors: We maintain a transparent list of our essential sub-processors. All providers handling core service data are located and process data within the EU. The only exception is for our public marketing website (not the app itself), where we use US-based services like HubSpot for contact forms, which are covered by the EU-U.S. Data Privacy Framework.

Absolutely not. This is a core pillar of our commitment to trust and privacy.

We are explicit in our policy: we will never use student work, writing process data, or AI prompts to train or fine-tune any third-party or proprietary AI models.

The AI assistant within DidactLabs uses the data 'in-context' only to provide an immediate response for that specific assignment. Our agreement with our AI provider (Google) contractually ensures that this data is not retained or used for their model training. Your data is your data, period.

We implement multiple layers of enterprise-grade security to protect your data against unauthorized access, alteration, or destruction.

• Encryption: All data is encrypted in transit using TLS 1.2+ and at rest using the AES-256 standard.
• Access Control: Internal access to user data is strictly limited to authorized personnel on a need-to-know basis for support and maintenance. This access is governed by the principle of least privilege, requires multi-factor authentication (MFA), and is logged and audited.
• Secure Infrastructure: We leverage the robust security architecture of Google Cloud Platform, which includes advanced network protection, intrusion detection, and physical security at its data centers.
• Incident Response Plan: We have a dedicated incident response team and a formal plan to swiftly contain any potential breach, mitigate damage, and notify affected users and authorities promptly, in line with GDPR requirements.
• Secure Development: We use separate environments for development, testing, and production to ensure that testing activities never impact live user data.

Access is tightly controlled and based on defined roles.

• Within Your Institution: Educators can only access the writing and analytics data for assignments they have personally created. They cannot see the work submitted to other teachers. On a 'School' plan, designated administrators can view school-wide analytics but not the content of individual student submissions unless granted specific permissions.
• At DidactLabs: Access is restricted to a small number of authorized engineering staff for the sole purposes of system maintenance, troubleshooting, and direct support at an educator's request. This access is temporary, logged, and subject to strict internal confidentiality and security policies.

Our policies are designed to give you control over your data's lifecycle.

• Retention: Data is retained as long as an educator's account is active. If a subscription ends, the data will be retained for a grace period to facilitate re-subscription. After this period, it is permanently deleted.
• Deletion: As the Data Controller, an educator or institutional administrator can request the deletion of their data at any time by contacting our Data Protection Officer at dpo@didactlabs.com. Upon request, the account enters a 60-day grace period for final data export. After this period, data is permanently removed from our production systems and fully erased from backups within an additional 30 days.
• Export: We support the right to data portability. Educators can request an export of their assignment data from the platform itself or by contacting our support team at support@didactlabs.com.

We support modern, secure authentication and integration standards to fit seamlessly into your school's IT ecosystem.

• Authentication & SSO: Educator accounts are managed by Auth0, a leading identity management platform. This allows for secure login via email/password or Single Sign-On (SSO) with existing Google or Microsoft accounts, which most institutions already use and trust.
• LMS Integration: Our School plan is LTI (Learning Tools Interoperability) compliant, the industry standard for integration. This allows DidactLabs to connect directly with all major Learning Management Systems (LMS) like Moodle, Google Classroom, Canvas, and Microsoft Teams, enabling a seamless workflow for creating assignments and viewing results.

We are committed to making the approval process as smooth as possible. We have prepared all necessary documentation to support your internal assessment.

Upon request we can provide a 'DPIA & Security Review Pack' which contains:

• A summary of data flows and processing activities.
• The location of all data processing and a list of our sub-processors.
• Details of our security and encryption measures.
• A copy of our Data Processing Agreement (DPA).
• A comprehensive Trust & Security FAQ.

Your IT team can review this pack, and our Data Protection Officer (dpo@didactlabs.com) is available to answer any further questions to help you complete your assessment efficiently.

We understand that AI usage permissions can vary between students. Here's how DidactLabs handles this:

• No AI Interaction = No AI Data: If a student chooses not to use the AI assistant during their assignment, no AI conversation data is collected or processed for that student. They can complete the entire assignment without ever opening the chat panel.

• Teacher Control: You can disable the AI assistant entirely for specific assignments if needed, ensuring no students have access to it for that task.

• School Plan Flexibility: Our School plan includes the ability to disable AI access for specific students while keeping it enabled for others in the same assignment. This allows you to respect individual permissions while maintaining a unified classroom experience.

If you need to manage AI permissions at the individual student level, please contact us about our School plan options.