> ## Documentation Index
> Fetch the complete documentation index at: https://docs.puddin.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Security and Privacy for Puddin Core Administrators

> Understand how Puddin encrypts student data, controls access by role, supports GDPR compliance, and lets administrators configure retention and deletion.

As the Administrator of your institution's Puddin environment, you are responsible for ensuring that the platform is configured in accordance with your institution's data governance obligations and applicable data protection law. This page explains how Puddin protects student data, what controls you have as an Administrator, and how to configure retention, export, and deletion to meet your institution's requirements.

## Data storage and encryption

Puddin stores all institutional data — including writing process records, authorship logs, user account information, and assignment metadata — in secure cloud infrastructure with the following protections:

* **Encryption at rest** — All data is encrypted at rest using AES-256. This includes keystroke logs, paste event records, session data, and uploaded documents.
* **Encryption in transit** — All data transmitted between student devices, teacher browsers, and Puddin's servers is encrypted using TLS 1.2 or higher. Unencrypted connections are rejected.
* **Data residency** — Puddin offers data residency options for institutions with jurisdictional requirements. Contact Puddin support to confirm or change the region in which your institution's data is stored.
* **Backups** — Data is backed up automatically and continuously. Backups are encrypted and stored in the same region as your primary data.

<Info>
  Puddin's infrastructure undergoes regular independent security audits. Audit reports and penetration test summaries are available to institutional Administrators on request. Contact Puddin support to request the latest security documentation.
</Info>

## Access controls

Access to student writing data is controlled by role-based permissions enforced at every level of the platform.

<Accordion title="What each role can access">
  * **Administrators** can access all assignments, authorship records, and user data within their institution. They cannot access data belonging to other institutions.
  * **Teachers** can access only the assignments they have created and the submissions within those assignments. They cannot access other teachers' assignments or institution-level settings.
  * **Students** can access only the assignments they are enrolled in and cannot view their own authorship record after submission.
</Accordion>

<Accordion title="Authentication requirements">
  All users authenticate with a username and password. Passwords must meet Puddin's minimum complexity requirements (at least 12 characters, including uppercase, lowercase, number, and symbol). Administrators can enforce additional password policies from **Settings → Security**.

  When using LMS integration via LTI 1.3, users authenticate through their LMS identity provider. Puddin does not store or have access to LMS passwords.
</Accordion>

<Accordion title="Administrator account security">
  Protect your Administrator account carefully — it has access to all institutional data. Puddin recommends:

  * Enabling multi-factor authentication (MFA) for all Administrator accounts. MFA can be made mandatory for Administrators from **Settings → Security → Require MFA for Administrators**.
  * Using a role-based institutional email address for the primary Administrator account rather than a personal address.
  * Reviewing the Administrator account list regularly and deactivating any accounts that are no longer needed.
</Accordion>

## GDPR and data protection compliance

Puddin is designed to support institutions operating under the General Data Protection Regulation (GDPR) and equivalent data protection legislation. The following features and provisions support your compliance obligations.

**Data processing agreement**

Puddin acts as a data processor on behalf of your institution (the data controller) when recording and storing student writing data. Before any student data is collected, you must sign the data processing agreement (DPA) in **Settings → Data & Privacy → Data Processing Agreement**. The DPA sets out the terms under which Puddin processes data on your behalf, including security obligations, sub-processor disclosures, and breach notification commitments.

**Lawful basis for processing**

Your institution is responsible for establishing and documenting the lawful basis under which you collect student writing process data. Puddin recommends working with your institution's data protection officer (DPO) to confirm that your use of Puddin is appropriately documented in your institution's records of processing activities (RoPA).

**Student data notices**

Puddin provides a template student data notice explaining what data is collected during a writing session, how it is used, how long it is retained, and what rights students have. You can view and download this template from **Settings → Data & Privacy → Student Notice Template**. Review this with your DPO before publishing it to students.

**Data subject rights**

Students have the right to access, correct, and request deletion of their personal data. As the data controller, your institution is responsible for handling these requests. Puddin provides Administrator tools to export and delete individual student records — see the [Exporting and deleting student records](#exporting-and-deleting-student-records) section below.

<Warning>
  Do not use Puddin as your sole mechanism for responding to data subject access requests. Your institution's data protection team should coordinate requests and ensure that all systems holding student data are included in the response, not just Puddin.
</Warning>

## Data retention policies

Data retention governs how long Puddin stores student writing records — including keystroke logs, paste events, authorship records, session data, and submission files — before they are automatically deleted or flagged for review.

### Configuring your retention policy

1. Navigate to **Settings → Data & Privacy → Retention Policy**.
2. Set the **retention period** for authorship records. Choose a value that complies with your institution's data minimisation obligations and any legal requirements for retaining academic records in your jurisdiction.
3. Choose the **expiry action**:
   * **Automatic deletion** — records are permanently deleted when the retention period expires. No further action is required.
   * **Administrator review** — records are flagged in the Administrator dashboard when they reach their expiry date, and an Administrator must manually confirm deletion.
4. Select **Save Policy**.

<Note>
  Retention periods apply from the date of submission, not the date of assignment creation. A record created on the last day of term will be retained for the full retention period from that date.
</Note>

### Retention categories

You can set different retention periods for different categories of data if your institution's policy requires it:

| Category             | What it includes                                                                    |
| -------------------- | ----------------------------------------------------------------------------------- |
| Authorship records   | Keystroke logs, paste events, revision data, session boundaries, writing speed data |
| Submission files     | The final submitted document                                                        |
| Process summaries    | Automatically generated session summaries                                           |
| Verification records | Exported PDF verification reports                                                   |
| User account data    | Names, email addresses, role assignments                                            |

To configure category-level retention, go to **Settings → Data & Privacy → Retention Policy → Advanced Settings**.

## Exporting and deleting student records

### Exporting a student's data

To export all data Puddin holds for a specific student — for example, in response to a data subject access request:

1. Navigate to **Users → Students** and search for the student by name or email address.
2. Open the student's profile.
3. Select **Export Student Data**.
4. Choose the format (JSON for machine-readable data, PDF for human-readable summary) and select **Export**.
5. A download link is generated and emailed to the requesting Administrator's address within a few minutes.

### Deleting a student's data

To permanently delete all data Puddin holds for a specific student — for example, following a deletion request or the end of a retention period:

1. Navigate to **Users → Students** and open the student's profile.
2. Select **Delete Student Data**.
3. Review the deletion summary, which lists all records that will be permanently removed.
4. Type the student's name to confirm and select **Permanently Delete**.

<Warning>
  Student data deletion is permanent and irreversible. Once deleted, authorship records, keystroke logs, and submission files for that student cannot be recovered. Ensure that any active academic integrity proceedings that reference this student's records are concluded before deleting their data.
</Warning>

### Bulk deletion at retention expiry

If you have set **Automatic deletion** as your expiry action, Puddin deletes expired records automatically without requiring Administrator intervention. If you have set **Administrator review**, expired records appear in **Settings → Data & Privacy → Pending Deletions**. Review and confirm each batch of deletions from this view.

## Institutional data governance

As Administrator, you are the primary point of accountability for your institution's use of Puddin. Puddin recommends the following governance practices:

* **Involve your DPO early** — share the Puddin data processing agreement and student data notice template with your data protection officer before going live.
* **Document your use in your RoPA** — add Puddin to your institution's records of processing activities with the correct lawful basis, data categories, retention periods, and sub-processor details.
* **Review Administrator accounts regularly** — at least once per academic year, check the Administrator account list and deactivate any accounts belonging to staff who have left or no longer need access.
* **Monitor the audit log** — Puddin maintains an audit log of all Administrator actions (user management, settings changes, data exports, deletions). Review the audit log from **Settings → Audit Log** if you need to investigate a governance concern.
* **Keep your DPA current** — when Puddin updates the data processing agreement (for example, following a change in sub-processors), you will be notified by email and prompted to review and re-sign. Do not delay this — operating without a current DPA may breach your data protection obligations.

<Tip>
  Puddin's security and compliance documentation — including the current DPA, sub-processor list, and security audit summaries — is available in **Settings → Data & Privacy → Compliance Documents**. Share these with your DPO, procurement team, or legal counsel as needed.
</Tip>
