Security & Data Protection
One-page summary for schools, DPOs, and IT departments. Last updated 2026-05-06.
Teacher Marking Assistant (“the Service”) is a single-teacher marking tool: it lets a teacher upload scanned exam papers, annotate them, calculate scores, and optionally email marked copies back to students. This document explains how the Service handles personal data, what protections are in place, and what a school’s DPO needs to know before rollout.
Who we are
Controller / Processor: Teacher Marking Assistant, United Kingdom.
Contact: Teacher Marking Assistant
Role: For the teacher’s own account data (email, OAuth identity) we act as controller. For student data entered by the teacher (names, emails, exam pages, annotations, scores), we act as data processor on behalf of the teacher’s school.
Data Processing Agreement: template available on request — signed before any paid or school-managed deployment.
What data is processed
| Category | Examples | Source | Location |
|---|---|---|---|
| Teacher identity | Display name, email, profile photo | OAuth (Google / Microsoft / Apple) or self-provided | Firebase Auth (EU region) |
| Class roster | Student first/last name, email, optional parent email | Entered by teacher (manual or CSV) | Firestore (EU) + teacher’s browser IndexedDB |
| Exam pages | Scanned images of student work | Uploaded by teacher | Teacher’s browser IndexedDB + optional Google Drive / OneDrive (teacher’s own cloud) |
| Annotations & scores | Ticks, comments, marks per question, final grade | Teacher-entered during marking | Firestore + IndexedDB |
| OCR text | Student names extracted from paper headers (to auto-assign papers) | Google Cloud Vision API, or on-device Tesseract | Not persisted — discarded after match |
No behavioural profiles, tracking, advertising identifiers, or third-party analytics are collected. No cookies beyond session authentication.
How data is protected
In transit
- All traffic over TLS 1.2+.
- OAuth tokens never passed in URLs — sent in request bodies only.
- Content Security Policy restricts outbound connections to Firebase, Google OAuth, Microsoft Graph, and Stripe endpoints.
At rest
- Firebase Auth and Firestore data are encrypted at rest by Google (AES-256). We do not use Firebase Cloud Storage: paper images and annotations live in browser IndexedDB on the teacher's device, optionally synced to the teacher's own Google Drive or OneDrive.
- Browser IndexedDB is not encrypted by the browser itself: the paper images and annotations sit in the browser profile on the device's disk and are protected by the device's user-session login and full-disk encryption (BitLocker on Windows, FileVault on macOS, encrypted user data on Chrome OS), not by application-level encryption. Schools should require full-disk encryption and a locked, non-shared user account on any device used for marking.
- Stripe-handled payment data never touches our servers (tokenised by Stripe directly).
Access control
- Firestore security rules enforce strict per-teacher isolation: every document lives under /teachers/{teacherId}/… and is readable or writable only by the authenticated teacher it belongs to.
- Class-sharing between teachers requires explicit invitation by email; recipients get view-only or mark-only permission, never admin rights.
- OAuth access tokens expire after ~55 minutes and are held only in sessionStorage (scoped to the tab and cleared on tab close); they are never written to localStorage, IndexedDB, or our servers.
- Configurable auto-logout on inactivity (default 30 minutes).
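The per-teacher isolation and the two sharing roles described above can be expressed directly in Firestore security rules. The ruleset below is an added illustration written for this page, not the Service's published rules. It assumes that classes, papers and share grants live in subcollections named classes, papers and shares under /teachers/{teacherId}, that a share document's id is the invited teacher's Firebase uid (written when the email invitation is accepted) and carries a role field of view or mark, and that a paper's marking state lives in fields named annotations and scores. All of those collection, document and field names are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Caller has a verified Firebase Auth identity.
    function signedIn() {
      return request.auth != null;
    }

    // Owner check: the {teacherId} segment of the path must equal the caller's uid.
    function isOwner(teacherId) {
      return signedIn() && request.auth.uid == teacherId;
    }

    // Sharing lookup (assumed layout): a share grant for the caller exists at
    // /teachers/{teacherId}/classes/{classId}/shares/{callerUid}.
    // exists()/get() are document reads and count against the per-request access limit.
    function isSharee(teacherId, classId) {
      return signedIn()
        && exists(/databases/$(database)/documents/teachers/$(teacherId)/classes/$(classId)/shares/$(request.auth.uid));
    }

    // The share grant's role field (assumed values: 'view' or 'mark').
    function shareRole(teacherId, classId) {
      return get(/databases/$(database)/documents/teachers/$(teacherId)/classes/$(classId)/shares/$(request.auth.uid)).data.role;
    }

    function canMark(teacherId, classId) {
      return isSharee(teacherId, classId) && shareRole(teacherId, classId) == 'mark';
    }

    match /teachers/{teacherId} {
      // Protects the teacher document only; match blocks do not cascade to subcollections.
      allow read, write: if isOwner(teacherId);

      match /classes/{classId} {
        // Owner has full control; an invited teacher may only read the class (roster).
        allow read: if isOwner(teacherId) || isSharee(teacherId, classId);
        allow write: if isOwner(teacherId);

        match /shares/{uid} {
          // Only the owner manages grants; an invitee may read their own grant.
          // Role is validated on create/update; request.resource is absent on delete.
          allow read: if isOwner(teacherId) || (signedIn() && request.auth.uid == uid);
          allow create, update: if isOwner(teacherId)
            && uid != teacherId
            && request.resource.data.role in ['view', 'mark'];
          allow delete: if isOwner(teacherId);
        }

        match /papers/{paperId} {
          // view-only and mark-only sharees may read; only the owner adds or removes papers.
          allow read: if isOwner(teacherId) || isSharee(teacherId, classId);
          allow create, delete: if isOwner(teacherId);
          // A mark-only sharee may change nothing but the marking fields (assumed names).
          allow update: if isOwner(teacherId)
            || (canMark(teacherId, classId)
                && request.resource.data.diff(resource.data).affectedKeys()
                     .hasOnly(['annotations', 'scores']));
        }
      }
    }
    // No {document=**} wildcard: any path without a matching rule is denied.
  }
}
```

Two points to check when adapting this: a match block does not cascade, so the owner-only rule on /teachers/{teacherId} covers the teacher document alone and every subcollection needs its own rule (anything without a matching rule is denied by default); and each exists() or get() call is a document read that counts against the rules engine's per-request access limit, so keep the sharing lookup to a single document. Run the ruleset against the Firebase Local Emulator Suite with a positive and a negative case for each of owner, view-only sharee, mark-only sharee and unrelated teacher before deploying.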
API keys
- Google Cloud Vision API: the primary key is held server-side in Secret Manager and used only by the Cloud Function proxy. A restricted fallback key in the client build is limited in Google Cloud Console to the Vision API and to the app's authorised domains (HTTP referrer restriction). Any key shipped in a client bundle must be treated as public: the referrer restriction limits which sites can use it from a browser but does not stop a scripted caller that sets its own Referer header, so the quota below is the control that actually bounds misuse.
- Vision API quota capped in Google Cloud Console at 30 requests per minute, bounding the volume and cost of any misuse of either key.
Google API Services User Data Policy
Teacher Marking Assistant's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Scopes requested and what they are used for
| Scope | User-facing feature | What we do with the data |
|---|---|---|
| email, profile, openid | Sign-in with Google | Used solely to authenticate the teacher and display their name and profile photo inside the Service. |
| gmail.send | "Email marked paper to student" | Used solely to send the marked exam paper composed by the teacher, from the teacher's own Gmail account, to the student email address the teacher entered. We never read, list, search, label, or store any other Gmail content. |
| drive.file | Cloud sync of classes, papers and annotations | Used solely to create and update files inside a single folder named marking-assistant-sync in the teacher's own Google Drive. The drive.file scope by design only grants access to files the Service itself created or that the teacher explicitly opened with the Service. We never list, read, or modify any other file in the teacher's Drive. |
Limited Use commitments
- Use only for prominent user-facing features. Information received from Google APIs is used only to provide and maintain the marking, sync, and email features visible in the Service's user interface. We do not use Google user data for analytics on user content, profiling, model development, research, or marketing.
- No transfer to others. We do not transfer information received from Google APIs to any third party, except (a) as strictly necessary to provide or improve those same user-facing features, (b) to comply with applicable law, or (c) as part of a merger, acquisition, or sale of assets, with prior notice to users.
- No advertising. Google user data is never used to serve advertisements of any kind. The Service contains no advertising.
- No human reading. Humans (including our developers, operators, or any contractor) do not read information received from Google APIs, except (i) with the teacher's specific affirmative agreement, (ii) where strictly necessary for security investigations, (iii) to comply with applicable law, or (iv) where the data has been aggregated and anonymised.
- No AI/ML training. We do not use information received from Google APIs — including Gmail content, Drive file content, or anything derived from them — to develop, train, fine-tune, or improve any artificial intelligence or machine-learning model, generalised or otherwise. Google user data is never passed to any AI provider.
Sub-processors
| Sub-processor | Purpose | Region | Safeguard |
|---|---|---|---|
| Google Firebase (Auth, Firestore, Hosting, Cloud Functions) | Auth, data storage, hosting | EU (europe-west2) | Standard Contractual Clauses via Google’s DPA |
| Google Cloud Vision | Handwriting OCR for name auto-detection | Global (request not logged by us) | Processed in-memory; text result not stored |
| Stripe | Subscription billing (optional) | EU / US | Stripe DPA; no card data crosses our servers |
| Google Drive / Microsoft OneDrive | Optional sync into the teacher’s own cloud | Teacher’s choice | Teacher’s existing account; we never see the files |
Data retention & deletion
- Teacher-initiated deletion: Settings → Danger Zone → Reset All Data clears local browser storage, Firestore records, and (optionally) the cloud sync folder.
- Conflict archive: when two devices disagree during sync, the older version is kept locally for 90 days before auto-purge — the teacher can view and delete entries at any time via Settings → Conflict Archive.
- Account deletion: on request to Teacher Marking Assistant, Firebase Auth identity is removed within 30 days.
- Inactive accounts: teacher-configurable via Settings → Security → Data Retention (default: never).
Student-facing protections
- Students have no accounts and never log in. All student data is entered and controlled by the teacher or school.
- The Service is designed for school staff and is not marketed to under-18s.
- Where students are under the age of digital consent (13 in the UK; 13 to 16 in the EU depending on member state; as set by local law elsewhere), processing relies on the school's public-task or parental-consent legal basis; the Service does not obtain parental consent directly.
Compliance posture
- UK GDPR & EU GDPR: processes personal data under the lawful bases of public task (state schools) or contract / consent (independent). Supports data-subject rights: access, rectification, erasure, portability, objection. Response target: 30 days.
- DfE / KCSIE (UK): the Service is a tool controlled by the teacher; all safeguarding obligations remain with the school. No direct student communication occurs through the Service unless the teacher composes and sends it.
- FERPA (US): the Service acts as a school official under the FERPA school-official exception when retained by a US school; direct disclosure to third parties does not occur.
- ICO registration: registration number available on request.
Incident response
In the event of a personal-data breach affecting a school's records, we will notify the affected school's nominated contact within 72 hours of becoming aware, with: (1) nature of the breach, (2) categories and approximate numbers of records affected, (3) containment and remediation steps taken, (4) a contact for further questions. The school, as controller, then has its own 72-hour window under UK/EU GDPR (Article 33) to notify the ICO or its supervisory authority where the breach is likely to result in a risk to individuals, which is why we ask for a current nominated contact in the rollout checklist below.
What schools should check before rollout
- Sign the DPA — template provided on request; return countersigned to info@ed-planner.com.
- Confirm the legal basis under which the school processes student data using the Service.
- Review sub-processor list above against your acceptable-providers list.
- Decide on cloud sync: if your school disallows teachers syncing into personal Google Drive / OneDrive accounts, disable cloud sync in Settings.
- Decide on the OCR engine: Google Cloud Vision processes the scanned paper headers (student names in the student's handwriting) outside the EU (region listed as Global above). If that is not acceptable under your data-residency policy, use the on-device Tesseract alternative listed in the data table.
- Require full-disk encryption and a locked, non-shared user account on any device used for marking, since paper images and annotations are stored in the browser's IndexedDB on that device.
- Add info@ed-planner.com to your allowed-sender list so security notifications reach you.
Questions
Email Teacher Marking Assistant — we respond within 2 working days for general enquiries and within 24 hours for security- or compliance-related questions.