Security overview
Plain-English answers to the questions your IT director will ask before approving student use. If you need a Data Processing Agreement or have additional questions, contact us.
What data does Veramio capture?
Veramio captures document text snapshots at regular intervals while the add-in is active. Specifically:
- Plain text content of the document (no formatting metadata)
- Timestamps for each snapshot
- Word count deltas between snapshots
- Session start and end times
Veramio never captures:
- Screen recordings or screenshots
- Webcam or microphone data
- Individual keystrokes or typing patterns
- Browser history or other open tabs
- Other applications or system data
- Any data outside the active document
Where is data stored?
All data is stored in PostgreSQL, self-hosted on a dedicated Hetzner server in a private network. Data is encrypted at rest using AES-256 and in transit using TLS 1.3.
Writing session data is associated with a student account and is only accessible to:
- The student who owns the document
- Parent/guardian accounts linked to the student (Family and College plans)
- Teachers or reviewers who have been sent a share link by the student
- Veramio support staff, only with the account holder's consent for debugging purposes
Cryptographic verification
Each writing session is cryptographically signed on the client device using the Web Crypto API (SHA-256) before any data leaves the student's computer. The signature is verified server-side on upload. This means:
- Timeline data cannot be tampered with after the fact — any modification invalidates the signature
- Private signing keys never leave the student's device
- Veramio's servers hold the public key only
Compliance
COPPA
For families with under-13 students
Parental consent required for users under 13. Parent account is primary. No data collected from minors without guardian approval.
FERPA
For US schools and districts
Students own their data. No educational records shared with third parties without consent. Schools can request data deletion.
GDPR
For users in the EU and UK
EU users may request data access, correction, or deletion at any time. Data Processing Agreements available on request.
Data retention
| Plan | Session history retained |
|---|---|
| Free | 30 days |
| Family | 1 year |
| College | 3 years |
Data is permanently deleted at the end of the retention period or upon account deletion, whichever comes first.
Requests from schools and districts
We support the following institutional requests:
- Data Processing Agreement (DPA): Available for institutions and districts. Request via contact form.
- Student data deletion: Schools may request deletion of a specific student's data. We process these within 5 business days.
- Security questionnaires: We're happy to complete your standard vendor security assessment. Contact us to get started.
Incident response
In the event of a security incident affecting student data, we will notify affected account holders within 72 hours in accordance with GDPR requirements, and within the timeframes required by applicable US state laws.
To report a security vulnerability, email security@veramio.com. We have a responsible disclosure policy and will respond within 48 hours.
Need more information?
We're happy to hop on a call with your IT team, complete a security questionnaire, or provide a DPA.
Get in touch →