Skip to main content
Back to blog
Tags: gdpr, compliance, data residency, ai assessment, security

GDPR-Compliant AI Assessment: Data Residency and Isolation

Adam Broons · 27 June 2026 · 7 min read

A GDPR-compliant AI assessment tool handles respondent submissions as personal data: it stores them in a known region, isolates each organisation's data from every other, encrypts it in transit and at rest, does not use it to train AI models, and keeps a clear record of how decisions were made. Assessment submissions are personal data - often revealing - so the bar is the same one you would apply to any sensitive record. This is a plain-language summary, not legal advice; confirm your own obligations with a qualified adviser.

Data residency: know where it lives

GDPR does not ban personal data leaving the EU, but any transfer outside the EU/EEA needs a lawful basis (an adequacy decision, or safeguards such as standard contractual clauses), and you must be able to say where the data is processed and stored. The simplest defensible answer is to keep it in the EU. Scorafy's primary region is EU (Dublin), with optional Sydney data residency for organisations that need data kept in Australia. Note that Australia has no EU adequacy decision, so the Sydney option serves Australian obligations; holding EU respondents' data there is still an international transfer under GDPR. The point is that the location is known and chosen, not incidental.

Tenant isolation: one organisation cannot see another

If you run a multi-tenant assessment platform, the most basic failure is one customer seeing another's submissions. Scorafy isolates data per organisation with row-level security in the database, so the restriction is enforced at the data layer rather than depending on every code path remembering to add the right filter. Every query is scoped to the organisation that owns the data.
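What "enforced at the data layer" looks like in practice, as an added example rather than Scorafy's own schema or code: a PostgreSQL row-level security policy that scopes every read and write to the organisation named in a per-request session setting. The table, role and setting names (submissions, app_user, app.current_org), the UUIDs and the sample rows are assumptions constructed for illustration.

```sql
-- Added example (not Scorafy's schema or code): PostgreSQL row-level security
-- that scopes every query to one organisation. The table, role and setting
-- names (submissions, app_user, app.current_org) and the UUIDs are assumptions.

CREATE TABLE submissions (
    id            bigserial   PRIMARY KEY,
    org_id        uuid        NOT NULL,
    respondent_id uuid        NOT NULL,
    submitted_at  timestamptz NOT NULL DEFAULT now(),
    body          text        NOT NULL
);

-- Constructed sample rows for two tenants.
INSERT INTO submissions (org_id, respondent_id, body) VALUES
    ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'answer from org A'),
    ('22222222-2222-2222-2222-222222222222', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'answer from org B');

-- The application connects as a role that does not own the table. Policies
-- are not applied to the owner or to superusers, and BYPASSRLS roles skip
-- them entirely, so never run the app as any of those.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON submissions TO app_user;
GRANT USAGE, SELECT ON SEQUENCE submissions_id_seq TO app_user;

ALTER TABLE submissions ENABLE ROW LEVEL SECURITY;

-- current_setting(name, true) returns NULL when the setting is absent and
-- nullif() covers an empty string, so a request that never set the tenant
-- matches no rows: the policy fails closed instead of returning everyone's data.
CREATE POLICY org_isolation ON submissions
    FOR ALL TO app_user
    USING      (org_id = nullif(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (org_id = nullif(current_setting('app.current_org', true), '')::uuid);

-- Per request: set the tenant with SET LOCAL inside a transaction, so it
-- cannot outlive the request and leak through a pooled connection.
SET ROLE app_user;

BEGIN;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';
SELECT body FROM submissions;        -- one row: 'answer from org A'
-- A row tagged with another organisation is rejected by WITH CHECK:
-- ERROR:  new row violates row-level security policy for table "submissions"
INSERT INTO submissions (org_id, respondent_id, body)
    VALUES ('22222222-2222-2222-2222-222222222222', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'smuggled');
ROLLBACK;

-- Outside any transaction, with no tenant set, the same role sees nothing.
SELECT count(*) FROM submissions;    -- 0
RESET ROLE;
```

Run the script as the table owner or a superuser (SET ROLE needs membership of app_user). The two checks a practitioner should make against any platform claiming RLS isolation are which role the application's connection string actually uses (a superuser or BYPASSRLS connection sees every tenant regardless of the policy), and whether the tenant setting is transaction-scoped, since a plain SET on a pooled connection can carry one organisation's scope into the next request.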

Encryption and retention

Personal data should be encrypted in transit and at rest, and retained only as long as you need it. Submissions are encrypted in transit and at rest. Retention should match your purpose: keep assessment records as long as the assessment process and any appeals require, then dispose of them. Configurable retention lets you match your own policy rather than an arbitrary default.

Not used to train AI models

A specific question worth asking any AI assessment vendor: are our submissions used to train models? For Scorafy the answer is no. Respondent data is processed to produce the assessment report, not folded into model training. That keeps your respondents' answers from leaking into a system you do not control.

Traceability and the EU AI Act

GDPR is not the only frame. The EU AI Act treats AI used to evaluate learning outcomes as high-risk, which adds human oversight and record-keeping on top of your data obligations. In practice that means a person reviews and can override the AI's judgement, and you can reconstruct what was submitted, what the AI proposed, what evidence it cited, who reviewed it, and what they decided. We go deeper in two other posts: "AI grading and the EU AI Act" and "What an audit trail should contain".
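One way to make that reconstruction possible, as an added example that is not Scorafy's schema or code: an append-only event log in PostgreSQL where the submission, the AI's proposal with its cited evidence, and the human review are separate records, and an override is a new event rather than an edit. The table and column names, the actor and model identifiers, and the sample events are assumptions constructed for illustration.

```sql
-- Added example (not Scorafy's schema or code): an append-only event log from
-- which an assessment decision can be reconstructed. Table, column, actor and
-- model names, and the sample events, are assumptions constructed for illustration.

CREATE TABLE assessment_events (
    id            bigserial   PRIMARY KEY,
    submission_id bigint      NOT NULL,
    event_type    text        NOT NULL
                  CHECK (event_type IN ('submitted', 'ai_proposed', 'human_reviewed')),
    actor         text        NOT NULL,   -- respondent, model version, or reviewer account
    payload       jsonb       NOT NULL,   -- content reference, grade, evidence cited, reason
    recorded_at   timestamptz NOT NULL DEFAULT now()
);

-- Nothing is edited in place: an override is a new event, and the AI's
-- proposal stays on record next to it.
CREATE FUNCTION assessment_events_reject_change() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'assessment_events is append-only: % on id % refused', TG_OP, OLD.id;
END
$$;

CREATE TRIGGER assessment_events_append_only
    BEFORE UPDATE OR DELETE ON assessment_events
    FOR EACH ROW EXECUTE FUNCTION assessment_events_reject_change();

-- Constructed events for one submission: the respondent submits, the model
-- proposes a grade citing evidence, a reviewer overrides it with a reason.
INSERT INTO assessment_events (submission_id, event_type, actor, payload) VALUES
    (42, 'submitted',      'respondent',
        '{"content_ref": "submissions/42", "chars": 1840}'),
    (42, 'ai_proposed',    'grader-model/2026-06',
        '{"grade": "B", "evidence": ["para 2", "para 5"], "rationale": "criteria 1-3 met"}'),
    (42, 'human_reviewed', 'reviewer:j.doe',
        '{"grade": "A", "overrides_event": 2, "reason": "para 7 satisfies criterion 4"}');

-- Reconstruct the chain for a submission, in the order it happened.
SELECT id, event_type, actor, payload ->> 'grade' AS grade, recorded_at
FROM assessment_events
WHERE submission_id = 42
ORDER BY id;

-- The decision of record is the latest human sign-off; an AI proposal with
-- no human_reviewed event after it is not a decision.
SELECT payload ->> 'grade' AS final_grade, actor AS decided_by
FROM assessment_events
WHERE submission_id = 42 AND event_type = 'human_reviewed'
ORDER BY id DESC
LIMIT 1;                             -- A, reviewer:j.doe

-- Any attempt to rewrite history fails:
-- ERROR:  assessment_events is append-only: UPDATE on id 2 refused
UPDATE assessment_events SET payload = '{"grade": "A"}' WHERE id = 2;
```

The trigger stops the application role, not an administrator who can drop it, so in a real deployment also REVOKE UPDATE and DELETE on the table from the application role and ship copies of the events to storage the database administrators cannot rewrite. Combined with a per-organisation RLS policy on this table, the same log also stays isolated per tenant.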

The checklist

  • Known data region, ideally EU - Scorafy: EU (Dublin) primary, optional Sydney.
  • Per-organisation isolation enforced at the data layer - Scorafy: row-level security.
  • Encryption in transit and at rest - yes.
  • Submissions not used to train AI models - confirmed.
  • Configurable retention and a reconstructable audit trail with human sign-off.

If compliance is the reason your current tool will not do, that is the gap Scorafy is built for. See the trust and security overview or try the demo.
