Data protection for schools.
How Rubrical processes pupil work, LMS data, AI outputs, analytics and operational data.
What data we process.
Rubrical stores the school data needed to run the platform. Data leaves the core app only where a feature needs another processor or integration.
| Category | Examples | Stored or sent | Purpose |
|---|---|---|---|
| Account and staff data | Teacher/admin names, work emails, roles, school memberships, auth identifiers. | Supabase Auth/Postgres in London; email/support providers where used. | Access, school admin, support, service notices and security. |
| School, class and roster data | Schools, departments, classes, courses, rosters and class membership. | Supabase in London; Google Workspace or Microsoft APIs where the school connects them. | Class setup, roster sync, assignment matching and analytics. |
| Student identity data | Student names, emails or IDs, local student records and LMS identifiers. | Supabase in London; LMS APIs during sync/write-back. | Match work to the right pupil/class and avoid duplicate records. |
| Assessments and rubrics | Papers, questions, mark schemes, rubrics, files, extracted text and metadata. | Supabase Postgres/Storage in London; document conversion/extraction workers; AI inference providers when needed. | Create rubrics, structure papers and prepare marking. |
| Student submissions and feedback | Scans/files, extracted answers, evidence spans, AI draft marks, teacher-finalised marks and feedback. | Supabase in London; conversion/extraction workers; AI inference providers; LMS APIs for teacher-approved return. | Draft marking, teacher review, feedback and returned work. |
| Knowledge base and teaching resources | Uploaded teaching materials, LMS materials, OCR/extracted text, chunks, embeddings and metadata. | Supabase Storage/Postgres/vector data in London; OCR/embedding/AI processors where needed. | Retrieval-augmented marking, feedback, lesson planning and resources. |
| Assessment analytics | Class/student marks, AO breakdowns, at-risk flags, teacher analytics questions, audit/cache/rate-limit data. | Supabase in London; AI provider for natural-language query classification when that feature is used. | Dashboards, intervention flags, class insight and reliability. |
| LMS credentials and sync state | Encrypted OAuth tokens, scopes, provider IDs, push/watch state, sync runs and provider errors. | Supabase in London; Google/Microsoft OAuth endpoints; Cloudflare/RISC proxy for RISC/PubSub traffic. | Connect/disconnect LMS, refresh tokens and sync school-approved data. |
| Operational logs and traces | Request metadata, errors, provider/model usage, costs, object hashes, trace IDs and security events. | Supabase and configured observability/hosting/security providers. | Debugging, reliability, audit, abuse prevention and cost control. |
| Website/contact data | Contact form content, name, email, school and normal request metadata. | Website/contact provider, hosting and edge/security providers. | Respond to enquiries and run the public website. |
Where data is stored and sent.
| Provider/system | What it does | Data involved | Location/notes |
|---|---|---|---|
| Supabase | Core database, Auth, Storage, Realtime, Edge Functions and vector search. | Account, school, class, student, assessment, submission, rubric, analytics, LMS sync and knowledge-base data. | West Europe (London). |
| Document conversion workers | Convert files, extract text/questions/answers, render resources and retry failed jobs. | Uploaded papers, submissions, extracted text, source materials and job metadata. | Production region and retention are listed in school data-processing documents. |
| Google Workspace APIs | Google Classroom/Drive/Admin/PubSub/RISC features. | Authorised classes, rosters, assignments, submissions, selected files and provider IDs. | Used only when a school connects Google. Handled under Google API Services User Data Policy and Limited Use requirements. |
| Microsoft Graph / Teams / Education APIs | Microsoft school integration. | Classes, rosters, assignments, submissions, tenant IDs and sync metadata. | Used only when a school connects Microsoft and grants the required tenant/admin consent. |
| Modal | Hosts Rubrical's own fine-tuned marking and rubric models. Primary AI path. | Assessment, submission and rubric content needed for the request, and generated outputs. | EU or UK region. Modal Inc is US-incorporated, covered by the UK IDTA in Modal's DPA. |
| Google Vertex AI (Gemini) | Backup AI provider for OCR, marking, rubric generation and embeddings. | Task content needed for the request and generated outputs. | UK or EU region. Google LLC is US-incorporated, covered by the UK Addendum in Google Cloud's DPA. School data is not sent to unpaid consumer AI services. |
| Other approved AI providers | Model or reranking services for specific features. | Task content needed for that feature. | Not used for LMS data unless processor terms, no-training commitments and retention requirements are approved. |
| Langfuse | LLM observability and tracing. | Trace IDs, provider/model usage and limited prompt/output data when observability is enabled. | Used for debugging and reliability. |
| Cloudflare | DNS, edge, WAF, RISC proxy or CDN. | Request metadata, IP/device metadata and RISC/PubSub traffic when used. | Global edge processing. |
| Hosting, email and contact providers | Frontend delivery, form handling, service email and support messages. | Request metadata, contact forms and service emails. | Provider list is supplied in school data-processing documents. |
AI processing and model training
- Student work, LMS data and data derived from them are not used to train, fine-tune or improve any AI or machine-learning model, including Rubrical's own models.
- Rubrical does not sell personal data, use it for advertising, or use it for credit or eligibility decisions.
- By default, marking runs on Rubrical's own model on Modal in the UK or EEA, with Google's Gemini via Vertex AI as a backup, both under no-training terms.
- AI marks and feedback remain drafts until a teacher reviews them.
Google Classroom and Microsoft
- Google Workspace API data is handled under Google's API Services User Data Policy, including Limited Use requirements.
- Rubrical does not retain Google Workspace API data to develop, improve or train non-personalized AI and/or ML models.
- Microsoft integrations use school-authorised access and least-privilege permissions where possible.
- LMS tokens are encrypted server-side and destroyed locally on disconnect/offboarding.
Retention and deletion.
School education records are retained while the school uses Rubrical, or as instructed in the school's agreement and data processing terms. Learning-platform credentials are destroyed locally when a connection is disconnected or offboarded.
Operational logs, observability records and backups are retained only for a limited period for security, reliability, support, legal or contractual reasons. Backups may remain until overwritten or deleted according to infrastructure backup cycles.
Documents
Available for school review: DPA, sub-processor list, DPIA support notes, data-flow summary, retention/erasure notes, Google Limited Use addendum and DfE product-safety mapping.
Request the pack