Legal
Security & Compliance
Last updated · 12 May 2026
Schools and ministries entrust us with sensitive student work. This page summarises the technical and organisational measures (TOMs) we maintain, our compliance roadmap, and how to reach our security team.
Standards and frameworks
- GDPR (Regulation 2016/679) and the Dutch UAVG — operational today.
- ISO/IEC 27001:2022 — controls implemented; certification audit scheduled for Q4 2026.
- ISO/IEC 27701:2019 (Privacy Information Management) — gap analysis complete.
- SOC 2 Type II — observation period under way for Security and Confidentiality criteria.
- EU AI Act — risk classification and conformity workflows tracked; AI Essay Grader Europe is a limited-risk system used under human oversight.
- OWASP ASVS Level 2 — applied to product engineering.
Hosting and data residency
- Primary infrastructure in the European Union (Frankfurt).
- All databases encrypted at rest with AES-256; backups encrypted and retained for 30 days.
- All traffic encrypted in transit with TLS 1.3.
Access control
- Single sign-on with mandatory two-factor authentication for all staff.
- Role-based access control with least-privilege defaults; production access requires a ticket and is logged.
- Customer data is segregated logically per tenant and per row via database policies.
Application security
- Secure SDLC with mandatory code review, static analysis and dependency scanning on every change.
- Annual third-party penetration test; an executive summary is available to school customers under NDA.
- Public bug-bounty channel at security@classx.eu.
AI safety and content handling
- Teacher-uploaded content is never used to train AI models.
- Prompt and response logs are retained for at most 30 days for abuse investigation, then purged.
- Model providers are bound by zero-retention agreements where the provider supports them.
- Outputs are clearly marked as AI-generated and require teacher review.
Resilience and continuity
- Multi-AZ deployment with automated failover; RPO ≤ 15 minutes, RTO ≤ 4 hours.
- Incident response runbooks tested quarterly.
- Status page at status.classx.eu.
Incident response
Suspected incidents trigger our 24/7 on-call. Confirmed personal-data breaches are notified to affected controllers within 72 hours, with all information required by Art. 33 GDPR.
Vendor management
Every subprocessor is reviewed annually against our security and privacy standards. The current list lives at classx.eu/legal/subprocessors.
Trust resources
School and ministry customers can request our security questionnaire responses (CAIQ-Lite, SIG-Lite), DPIA summary and SOC 2 readiness letter from trust@classx.eu.
This document is provided as a starting template adapted for European education providers. It does not constitute legal advice. Have qualified counsel review and tailor it to your jurisdiction and processing activities before relying on it.