For school IT teams

Security overview

Plain-English answers to the questions your IT director will ask before approving student use. If you need a Data Processing Agreement or have additional questions, contact us.

§ 01 — Data collection

What data does Veramio capture?

Veramio captures document text snapshots at regular intervals while the add-in is active. Specifically:

  • Plain text content of the document (no formatting metadata)
  • Timestamps for each snapshot
  • Word count deltas between snapshots
  • Session start and end times

Veramio never captures:

  • Screen recordings or screenshots
  • Webcam or microphone data
  • Individual keystrokes or typing patterns
  • Browser history or other open tabs
  • Other applications or system data
  • Any data outside the active document
§ 02 — Storage

Where is data stored?

All data is stored in PostgreSQL, self-hosted on a dedicated Hetzner server in a private network. Data is encrypted at rest using AES-256 and in transit using TLS 1.3.

Writing session data is associated with a student account and is only accessible to:

  • The student who owns the document
  • Parent/guardian accounts linked to the student (Family and College plans)
  • Teachers or reviewers who have been sent a share link by the student
  • Veramio support staff, only with the account holder's consent for debugging purposes
§ 03 — Cryptography

Cryptographic verification

Each writing session is cryptographically signed on the client device using the Web Crypto API (SHA-256) before any data leaves the student's computer. The signature is verified server-side on upload. This means:

  • Timeline data cannot be tampered with after the fact — any modification invalidates the signature
  • Private signing keys never leave the student's device
  • Veramio's servers hold the public key only
§ 04 — Compliance

Compliance

COPPA

For families with under-13 students

Parental consent required for users under 13. Parent account is primary. No data collected from minors without guardian approval.

FERPA

For US schools and districts

Students own their data. No educational records shared with third parties without consent. Schools can request data deletion.

GDPR

For users in the EU and UK

EU users may request data access, correction, or deletion at any time. Data Processing Agreements available on request.

§ 05 — Retention

Data retention

PlanSession history retained
Free30 days
Family1 year
College3 years

Data is permanently deleted at the end of the retention period or upon account deletion, whichever comes first.

§ 06 — Institutional requests

Requests from schools and districts

We support the following institutional requests:

  • Data Processing Agreement (DPA): Available for institutions and districts. Request via contact form.
  • Student data deletion: Schools may request deletion of a specific student's data. We process these within 5 business days.
  • Security questionnaires: We're happy to complete your standard vendor security assessment. Contact us to get started.
§ 07 — Incidents

Incident response

In the event of a security incident affecting student data, we will notify affected account holders within 72 hours in accordance with GDPR requirements, and within the timeframes required by applicable US state laws.

To report a security vulnerability, email security@veramio.com. We have a responsible disclosure policy and will respond within 48 hours.

Need more information?

We're happy to hop on a call with your IT team, complete a security questionnaire, or provide a DPA.

Get in touch →