Security for school data.
How Rubrical protects pupil work, LMS credentials, marks, feedback and analytics.
Controls.
School-controlled data, server-side processing, role-bounded access, explicit LMS provenance and teacher approval before return.
Core storage in London
Core school app data is stored in Rubrical's Supabase project in West Europe (London), covering the main database, Auth, Storage, Realtime and vector data layer.
LMS token custody
Google and Microsoft connection tokens are encrypted server-side. Token ciphertext columns are not exposed to authenticated client grants, and local token copies are destroyed on disconnect/offboarding.
Training-data firewall
LMS-origin records are tagged by data origin and excluded from training, fine-tuning, benchmarking and evaluation datasets for any model, including Rubrical's own.
Teacher-reviewed AI
AI marks and feedback are drafts. A teacher reviews and finalises before anything is returned to students or written back to Google Classroom or Microsoft.
Least-privilege integrations
Learning-platform integrations use school-authorised access for visible Rubrical features such as roster sync, assignment import, submission import and teacher-approved return.
Operational audit
Rubrical records sync, analytics, cost and trace metadata so the service can be debugged, secured and supported without treating pupil work as training material.
OpenKit, which builds and operates Rubrical, holds ISO/IEC 27001, ISO 9001 and Cyber Essentials, and operates to UK GDPR. Rubrical is also mapped against the Google Workspace Limited Use requirements, Microsoft API least-privilege principles and the DfE generative AI product-safety standards. Our sub-processors, such as Supabase (ISO 27001, SOC 2 Type 2) and Google Cloud (ISO 27001, SOC 2), hold their own certifications, which cover each provider's own services.
Core school data is in the London Supabase project. AI marking runs on Rubrical's own model on Modal in a UK or EEA region, with Google Vertex AI as a backup. Data may also be processed by document conversion, LMS API, observability, hosting, security and contact or email providers where a feature needs them.
Security documents.
DPA, sub-processor list, DPIA support, retention notes, LMS limited-use commitments and DfE mapping.