EU Data Protection and GDPR Compliance
We work with educators and educational institutions all over the world, and processing your personal data lawfully in order to earn your trust is our top priority. We understand that data protection is essential for good customer service. At GradeLab, our objective is to operate transparently, with accountability, and consistently with the EU, US, and international regulatory environments so that our valued customers feel secure and in control.
GradeLab's Commitment to Data Protection
GradeLab is fully committed to the following practices to protect your data:
- We will NEVER sell your data
- We will NEVER use your data for targeted advertising or behavioral profiling
- We will NEVER use student work to train AI models
- We secure your data with strong encryption and security best practices on US-based infrastructure (Vercel & Cloudflare)
- We respect local privacy laws and work with legal experts to stay abreast of changes
- When we collect data, we use it for a specific, stated purpose: to provide grading and assessment services
- If we need to send any of your data to a third-party service provider, we require a strict contractual agreement that they handle and secure your data with the same high level of protection and care that we deliver
- We respect your right to retain ownership and control of your data, so that you can modify, update, or delete it as needed
Compliance Today
We currently meet stringent data protection laws across jurisdictions and are proactively reviewing every aspect of how we handle data and investing in operational measures to ensure that we continue to meet our customers' requirements. For detailed compliance information, please visit our Trust & Compliance Center.
GradeLab uses Standard Contractual Clauses (SCCs) approved by the European Commission to meet the requirements for data transfers from the European Union (EU) and European Economic Area (EEA) to the United States. These are standardized contracts that certify that any data transferred outside the EU is adequately protected. This provides legal certainty for our EU-based customers.
Similarly, for data transfers from India to the United States, we implement appropriate safeguards including contractual protections and technical security measures.
The steps we take to maintain the integrity and confidentiality of personal data include:
- We strongly recommend that educational institutions provide notice to students and parents that The GradeLab Platform involves data processing on US-based servers (Vercel & Cloudflare), and we recommend that appropriate consent or legal basis is obtained from students/parents as required by local law
- Educational institutions are free to inspect or audit our data processing practices at any time
- All student work and any associated personal data is encrypted and kept secure at all times using industry-leading security measures
- Student privacy can be preserved when educators use student ID numbers instead of full names, or when work is submitted in formats that contain minimal identifying metadata
- Educators control access to student data and can delete it at any time through their dashboard or by contacting us
General Data Protection Regulation (GDPR)
The GDPR has had legal effect in all EU Member States since 25 May 2018. The Data Protection Directive (Directive 95/46/EC) has been replaced by the GDPR. Although it is a regulation and immediately effective in all EU Member States, there are certain aspects within the GDPR that Member States may legislate upon at a national level for specific reasons; this policy may therefore be updated accordingly from time to time.
The Legal Basis for Processing Personal Data
GradeLab primarily relies upon the following legal bases under the GDPR for processing personal data:
- Article 6(1)(b) - Contract: Processing is necessary for the performance of a contract to which the data subject (educator or institution) is party. When an educator signs up for GradeLab, we need to process their data to fulfill our contractual obligations to provide grading services.
- Article 6(1)(e) - Public Task: GradeLab relies upon the official authority of the Data Controller (the educational institution that is GradeLab's customer) to process student data for educational assessment purposes.
- Article 6(1)(f) - Legitimate Interests: It is in the legitimate interests of educators and educational institutions to process student assessment data to evaluate learning outcomes and provide feedback.
Consent is not the primary basis for processing upon which GradeLab relies for educational data processing. However, we encourage educational institutions to obtain appropriate consent or ensure another valid legal basis exists under their local laws.
Data Processing Roles
GradeLab acts as a Data Processor: Educational institutions and educators act as Data Controllers. GradeLab processes personal data on behalf of and under the instructions of the Data Controller.
Data Controller Responsibilities: The educational institution or educator is responsible for ensuring they have a lawful basis for processing student data and for complying with data subject rights requests.
Data Processor Responsibilities: GradeLab is responsible for processing data only as instructed, implementing appropriate security measures, and assisting the Data Controller in fulfilling their obligations.
Key Aspects of the GDPR
The following are some notable aspects of the GDPR that guide our operations:
- Scope: The GDPR applies to all personal data processed about EU residents, regardless of where the processing occurs
- Accountability: We must demonstrate compliance with GDPR principles through documentation, policies, and procedures
- Privacy by Design: Privacy must be embedded into everything (services, software, systems, and processes) by design and by default
- Data Subject Rights: Individuals' rights have been strengthened, including rights to access, rectification, erasure, and data portability
- International Transfers: To export data outside the EEA, Standard Contractual Clauses (SCCs) or other appropriate safeguards must be used, which GradeLab implements
- Breach Notification: We must notify Data Controllers of any personal data breaches within 72 hours
GDPR Data Processing Details
The following information applies to our data processing activities under the GDPR:
| Subject matter of processing | Processing of student academic work (handwritten/digital submissions) and associated personal data to provide AI-assisted grading and assessment services |
| Duration of processing | Storage of submissions continues until educator account closure or deletion request from the Data Controller |
| Nature of processing | Collection, storage, retrieval, OCR transcription, AI-assisted grading analysis (not used for AI training) |
| Purpose of processing | To enable educators to efficiently grade student work, provide feedback, and analyze learning outcomes |
| Type of personal data | Educator: name, email, institution, job title, phone; Student: name, student ID (optional), academic work, grades |
| Categories of data subjects | Educators (teachers, professors, instructors) and students |
| Sub-processors | Vercel (hosting and infrastructure), Cloudflare (CDN, security, and Web Application Firewall), Clerk (authentication and role-based access control), AI service providers (OCR and document processing), Intercom (customer support and communication), database and storage providers - all with strict data processing agreements and GDPR-compliant contracts |
Data Subject Rights Under GDPR
Individuals (both educators and students) have the following rights under the GDPR:
- Right to Access: The right to obtain confirmation that personal data is being processed and to access that data
- Right to Rectification: The right to correct inaccurate personal data
- Right to Erasure ("Right to be Forgotten"): The right to request deletion of personal data under certain circumstances
- Right to Restriction of Processing: The right to request that processing be restricted under certain circumstances
- Right to Data Portability: The right to receive personal data in a structured, commonly used format
- Right to Object: The right to object to processing based on legitimate interests
- Rights Related to Automated Decision-Making: The right not to be subject to decisions based solely on automated processing
Exercising Rights: Because GradeLab acts as a Data Processor, students must exercise their GDPR rights by contacting their educational institution or educator (the Data Controller). The institution will then work with GradeLab to fulfill the request.
Educators can exercise their own rights directly by logging into their account or contacting info@gradelab.io.
