- Student data is stored on US-hosted infrastructure, encrypted in transit and at rest.
- A signed Data Processing Agreement (DPA) is available for schools that need one.
- Access is role-based with row-level security and audit logging.
- Teachers own their data and can export it, and permanent deletion is available on request.
- Schools remain responsible for their own FERPA or national data-protection obligations; Evident supports that review.
Schools evaluating Evident, especially international and private schools subject to GDPR or similar laws, ask the same core questions: where does our data live, who can see it, and can we get it out or delete it. This article answers those plainly. Evident does not claim a GDPR certification; it provides a signed Data Processing Agreement and data-minimal, access-controlled workflows for your data protection officer to review.
Where your data is stored
Evident runs on US-hosted infrastructure, with student data encrypted in transit and at rest through the underlying infrastructure providers. Row-level security scopes every record to its organization so one school cannot read another school's data.
Schools outside the US should evaluate Evident against their own national data-protection obligations. We answer residency and sub-processor questions directly, and we provide the documentation your data protection officer needs to make that assessment.
The Data Processing Agreement
A signed Data Processing Agreement is available. It sets out what data Evident processes, the purposes, the sub-processors involved, and the security measures in place.
We do not claim a GDPR certification. A vendor handing you a blanket compliance badge is not a substitute for a DPA your own DPO has read. Ask us for the DPA and review it.
Who can see what
Access is role-based. Teachers see their own students, school and support roles see what their role allows, and per-item visibility controls keep staff-only notes out of family-facing exports.
Every confidential and parent-facing access path is auditable, so a later review can show who could see a record and when.
Export and permanent deletion
Teachers own their data and can export it. When a school or a family requests deletion, permanent-delete workflows remove the record rather than merely hiding it.
Keep a labeled record of access and deletion requests. A dated, consistent trail is what holds up when someone later asks whether data was handled responsibly.
Frequently asked questions
Does Evident comply with GDPR?
Evident is built around data-minimal, access-controlled workflows with per-item visibility, export, and permanent-delete controls, and a signed DPA. We do not claim a GDPR certification. Schools subject to GDPR or similar laws should review the DPA with their data protection officer, and we support that review.
Where is our data stored?
On US-hosted infrastructure, encrypted in transit and at rest, with row-level security and audit logging. A signed DPA is available.
Can we permanently delete a student's data?
Yes. Permanent-delete workflows remove the record rather than hiding it. Teachers can also export their data at any time.
Is Evident a safeguarding case management system?
No. Evident documents day-to-day behavior and well-being evidence. Statutory safeguarding concerns belong in your school's designated safeguarding system. Evident complements that work; it does not replace it.