<span style="color: rgba(0, 0, 0, 0.85); font-family: Roboto, sans-serif; font-size: 18px; background-color: #fafafa;">DigiAssess is a digital assessment platform that enables institutions to design, conduct, evaluate, and improve assessments, including examinations, results, learning outcomes, accreditation, and quality assurance.</span>
Effective Date: 1 July 2026
Last Updated: 1 July 2026
DigiVal IT Solutions Limited ("DigiVal", "we", "us", "our") is the data controller for personal data processed through the DigiAssess online assessment platform and our website at www.digiassess.com.
Registered address: Unit 13B, Level P7, Damac Park Towers, Dubai International Financial Centre (DIFC), Dubai, UAE
Data Protection Officer:
Name: Shirajuddeen Desai
Email: privacy@digi-val.com
All data protection enquiries, Subject Access Requests, and exercise of rights should be directed to the DPO at the email address above.
1.1 Data you provide directly
1.2 Data collected automatically
1.3 Special category data (collected only where enabled by your institution)
Collection of special category data requires separate explicit consent (see Section 8 — Biometric Data & Proctoring). You have the right to request a non-biometric alternative. Refusing biometric proctoring will not prevent access to the service — an alternative verification method will be offered.
We process your personal data on the following legal grounds under GDPR Article 6 and Article 9:
Processing Activity | Lawful Basis | Details |
Creating and managing your DigiAssess account | Contract (Art. 6(1)(b)) | Necessary to deliver the service you have signed up for. |
Delivering assessments and scoring | Contract (Art. 6(1)(b)) | Core service delivery — assessment administration and results. |
Sending transactional emails (login, results, confirmations) | Contract (Art. 6(1)(b)) | Necessary to inform you about your account and assessment activity. |
Institutional reporting (to schools, universities) | Contract (Art. 6(1)(b)) | Sharing results with the institution that enrolled you, as part of the service agreement. |
Security monitoring and fraud prevention | Legitimate Interests (Art. 6(1)(f)) | Protecting the platform and our users from unauthorised access. LIA available on request. |
System analytics and performance monitoring | Legitimate Interests (Art. 6(1)(f)) | Maintaining and improving platform stability and performance. |
Sending marketing emails | Consent (Art. 6(1)(a)) | Only where you have opted in. Withdraw at any time by clicking ‘Unsubscribe’. |
Non-essential cookies and tracking | Consent (Art. 6(1)(a)) | Collected only after you give consent via our cookie banner. |
Proctoring / biometric verification (where enabled by your institution) | Consent (Art. 6(1)(a)) + Explicit Consent (Art. 9(2)(a)) | Special category data. Separate explicit consent is obtained. You may request a non-biometric alternative — see Section 8. |
Complying with legal obligations | Legal Obligation (Art. 6(1)(c)) | E.g. responding to lawful requests from supervisory authorities. |
A Legitimate Interests Assessment (LIA) for processing carried out on the basis of legitimate interests is available on request from the DPO.
4.1 Your institution
If you access DigiAssess through a school, university or employer, your assessment results and performance data will be shared with that institution as part of the service agreement. Your institution is an independent data controller for how it uses your results.
4.2 Service providers (processors)
We share data with third-party service providers who process data on our behalf under signed Data Processing Agreements:
Provider | Service | Data Shared |
Amazon Web Services (AWS) | Cloud hosting (EU-West-1) | All platform data |
Google Cloud Platform (GCP) | Cloud hosting (ME-Central2, Dammam) | All platform data |
MongoDB Atlas | Database hosting | Assessment and user data |
New Relic | Performance monitoring | System logs, usage metrics (anonymised) |
Email service provider | Transactional and marketing emails | Name, email address |
Cookie Consent Platform | Consent management | Consent records, IP (anonymised) |
4.3 We do not sell your data
DigiVal does not sell, rent, or trade your personal data to any third party for commercial purposes.
Your personal data may be transferred to and stored in countries outside the European Economic Area (EEA), including the UAE, Saudi Arabia and India. DigiVal ensures that all international transfers are protected by appropriate safeguards:
Copies of the applicable SCCs and TIA summaries are available on request from the DPO.
We retain personal data only for as long as necessary. Specific retention periods by data category are set out below:
Data Category | Retention Period | Reason |
Account / profile data | Duration of account + 24 months after account closure | Service delivery and legal claims period. |
Assessment records and scores | Duration of account + 36 months after account closure | Institutional requirements and academic record integrity. |
Consent records | 7 years from date of consent | GDPR accountability — proof of consent must be retained. |
Proctoring / biometric data | 90 days from assessment date, then securely deleted | Minimum period for review or dispute resolution. |
Security and access logs | 12 months | Security investigation and incident response. |
Marketing consent and activity | Until consent is withdrawn, then 2 years | Accountability for direct marketing activity. |
Support / communication records | 3 years from last interaction | Dispute resolution and legal claims. |
Billing and payment records | 7 years | Legal and tax obligations. |
When the applicable retention period expires, personal data is securely deleted or anonymised, including from backup copies, within a defined backup rotation window of 30 days.
Where your institution has enabled proctored assessments, DigiAssess may collect biometric and behavioural data (facial scan, keystroke patterns, screen activity) to verify your identity and maintain assessment integrity.
DigiAssess uses automated systems to assist in assessment scoring and, where proctoring is enabled, to flag potential academic integrity concerns (e.g. unusual behavioural patterns).
Your right to human review (Art. 22 GDPR): If an automated decision significantly affects you (e.g. a flagged academic integrity decision, an unexpectedly low score), you have the right to request a human review of that decision. Submit your request to privacy@digi-val.com. We will acknowledge within 5 working days and complete the review within 1 month.
DigiAssess is used by educational institutions including those serving students under the age of 16. We take additional care when processing children’s personal data:
We use cookies and similar tracking technologies on our website and platform. A cookie consent banner is presented to all users on first visit. Non-essential cookies (e.g. analytics, advertising) are only loaded after you give your consent.
You can manage or withdraw your cookie consent at any time using the cookie preference centre accessible from the footer of every page.
Under GDPR, you have the following rights. We will respond to all requests within 1 calendar month of receipt. Complex requests may be extended by a further 2 months — we will notify you if this applies.
Right | What It Means | How to Exercise It |
Access (Art. 15) | Request a copy of all personal data we hold about you. | Email us at privacy@digi-val.com. We will respond within 1 month. |
Rectification (Art. 16) | Correct any inaccurate or incomplete data. | Update your profile in DigiAssess or email us. |
Erasure (Art. 17) | Request deletion of your data where there is no overriding reason to keep it. | Submit a deletion request from Account Settings. An admin will review and process it. |
Restriction (Art. 18) | Ask us to pause processing while a dispute is resolved. | Email us at privacy@digi-val.com. |
Portability (Art. 20) | Download your data in a machine-readable format. | Use ‘Download My Data’ in Account Settings. |
Object (Art. 21) | Object to processing based on legitimate interests or for direct marketing. | Email us, or use the ‘Unsubscribe’ link in any marketing email. |
Human Review (Art. 22) | Request a human to review any automated decision that significantly affects you (e.g. AI-flagged academic integrity decision). | Email us at privacy@digi-val.com. We will arrange a review within 1 month. |
Withdraw Consent (Art. 7) | Withdraw any previously given consent at any time. | Account Settings > Privacy, or email us. |
There is no fee for exercising your rights in ordinary circumstances. We may charge a reasonable fee or refuse a request that is manifestly unfounded or excessive.
If you have a concern about how we process your personal data, please contact our DPO at privacy@digi-val.com in the first instance. We aim to resolve all concerns within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:
DigiVal is SOC 2 Type II certified, having completed an independent third-party audit of its security controls across the Trust Services Criteria of Security, Confidentiality and Availability. This certification demonstrates that DigiVal’s technical and organisational measures have been independently verified to operate effectively over a sustained period — not just at a point in time.
Specific security measures in place include encryption in transit (TLS 1.3) and at rest (AES-256 via cloud-native key management), role-based access controls, multi-factor authentication on all critical systems, monthly automated vulnerability scanning, annual penetration testing by CyberHeals (a qualified third-party provider), business continuity and disaster recovery plans tested annually, and continuous compliance monitoring via the Truzta platform.
A copy of the SOC 2 Type II report is available to customers and institutional partners on request, subject to a signed non-disclosure agreement.
No method of transmission over the internet is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your data to the highest reasonable standard.
This Privacy Policy was last updated on 16 June 2026. We may update it periodically to reflect changes in our processing activities or applicable law. We will notify you of material changes by email or by a prominent notice in the platform at least 30 days before the change takes effect. The current version is always available at www.digiassess.com/privacy.
©2026. All rights reserved by DigiAssess.