Last updated: May 2026
GDPR / AVG
Detailed overview of how Koji for Education complies with the General Data Protection Regulation (EU 2016/679) and the Dutch Uitvoeringswet AVG. Written for privacy officers, data protection officers, and procurement teams conducting vendor assessments.
Roles and responsibilities
The university (or other educational institution) acts as the controller under Article 4(7) GDPR. The university determines the purposes and means of processing personal data collected through course evaluations. This includes deciding which courses are evaluated, which students participate, what questions are asked, how results are used, and how long data is retained.
Koji B.V. acts exclusively as the processor under Article 4(8) GDPR. Koji processes personal data solely on the documented instructions of the university, as set out in the Data Processing Agreement (DPA). Koji does not determine the purposes of processing, does not combine student data across institutions, and does not use personal data for any purpose beyond providing the contracted service.
This allocation of roles is formalised in the DPA, which is aligned with the SURF Model Verwerkersovereenkomst v4.0. The DPA specifies the subject matter and duration of processing, the nature and purpose of processing, the types of personal data involved, and the categories of data subjects.
Lawful basis for processing
As controller, the university is responsible for establishing and documenting the lawful basis for processing student data through course evaluations. Koji supports whichever lawful basis the controller selects.
For course evaluations conducted by public universities, the most common lawful bases are:
- Article 6(1)(e): public interest task. Course evaluation is part of the university's statutory obligation to assure and improve the quality of education. In the Netherlands, this obligation follows from the Wet op het hoger onderwijs en wetenschappelijk onderzoek (WHW). Many institutions rely on this basis because quality assurance is integral to their public task.
- Article 6(1)(f): legitimate interests. Private institutions or institutions in jurisdictions without an explicit statutory evaluation mandate may rely on their legitimate interest in maintaining and improving educational quality, balanced against the interests and rights of students.
Consent under Article 6(1)(a) is generally inappropriate as the sole lawful basis for course evaluations. The European Data Protection Board (EDPB) has noted that consent cannot be freely given where there is a clear imbalance of power between the data subject and the controller, as is the case in the student-institution relationship. Students may feel compelled to participate, undermining the voluntary nature that valid consent requires.
Koji's platform is designed to function correctly regardless of the lawful basis selected by the controller. Configuration options such as optional participation, anonymisation of responses, and granular consent toggles (for example, for voice recording) can be activated based on the institution's legal assessment.
Data minimisation
Koji collects and processes only the personal data strictly necessary to conduct the course evaluation and produce the resulting reports. The categories of personal data processed are:
- Email address (or institutional identifier via SAML SSO) for authentication and to prevent duplicate submissions.
- Conversation transcripts: the text of the student's responses during the AI-guided evaluation interview.
- Voice recordings (optional, only when the institution enables voice-based interviews). Recordings are transcribed and, by default, deleted after transcription is complete. Institutions can opt to retain recordings for a configurable period.
- Quality scores: structured ratings generated from the conversation (for example, satisfaction scores per evaluation dimension).
- Timestamps: date and time of participation, used for reporting and audit purposes.
Koji does not collect browsing behaviour, IP addresses beyond what is technically required for the HTTPS connection (and these are not stored), device fingerprints, location data, or any data from other applications on the student's device. No cookies are used for tracking or advertising. Session cookies are limited to authentication state.
Data subject rights
Koji provides the technical capability for the university to fulfil all data subject rights under Chapter III of the GDPR. Because the university is the controller, data subject requests should be directed to the university's data protection officer or designated contact point. Koji supports the following rights:
- Right of access (Article 15): the university can export a complete copy of all personal data associated with a specific student, including transcripts, scores, timestamps, and any retained audio files.
- Right to rectification (Article 16): the university can correct inaccurate personal data. Transcript corrections are logged to maintain an audit trail.
- Right to erasure (Article 17): the university can request deletion of all personal data related to a specific student. Koji executes verified erasure requests and provides a deletion confirmation certificate.
- Right to data portability (Article 20): personal data can be exported in structured, machine-readable formats (JSON and CSV).
- Right to restriction of processing (Article 18): the university can restrict processing of specific records, which places them in a frozen state where they are retained but not included in reports or analytics.
- Right to object (Article 21): where processing is based on Article 6(1)(e) or (f), the university can mark individual records as objected, removing them from active processing.
Koji commits to providing the technical fulfilment of any data subject request within 72 hours of receiving the controller's instruction. For erasure requests, this includes deletion from primary databases, backups (within the next backup rotation cycle, no longer than 30 days), and any cached copies.
Privacy by design and by default (Article 25)
Privacy considerations are embedded into the architecture, development process, and default configuration of the platform. The following measures are implemented:
- PII redaction: summaries and aggregated reports are processed through automated PII redaction filters before being made available to instructors and programme managers. Names, email addresses, student numbers, and other direct identifiers mentioned in free-text responses are detected and removed. The redaction pipeline is regularly tested and updated.
- Role-based access controls (RBAC): access to evaluation data is restricted by default. Instructors see only aggregated summaries and redacted quotes for their own courses. Programme directors see aggregated programme-level data. Institutional administrators can access raw data only when specifically authorised. These defaults can be adjusted per the institution's access policy, but the most restrictive configuration is applied unless the institution requests otherwise.
- Pseudonymised analytics: platform-level analytics and quality monitoring use pseudonymised data. No individual student can be identified from analytics datasets.
- Encryption at rest: all personal data stored in databases and file storage is encrypted using AES-256.
- Encryption in transit: all data transmitted between the student's browser and Koji's servers, and between internal services, is encrypted using TLS 1.3. Older TLS versions are not supported.
- Default retention limits: the platform is configured with the shortest reasonable retention periods by default. Institutions can extend retention where required (for example, for accreditation cycles) but must actively choose to do so.
- Secure development lifecycle: code changes are reviewed for privacy implications. Dependencies are scanned for vulnerabilities. Penetration testing is conducted annually by an independent third party.
Data Protection Impact Assessment (Article 35)
A Data Protection Impact Assessment (DPIA) is required for the use of Koji for Education. This requirement arises because the processing meets multiple criteria identified by the EDPB and the Dutch Autoriteit Persoonsgegevens:
- Systematic evaluation via automated processing: the platform uses AI to conduct structured interviews and generate quality scores, which constitutes systematic and extensive evaluation of personal aspects relating to natural persons (Article 35(3)(a)).
- Data from potentially vulnerable data subjects: students are recognised by the EDPB as a category of data subjects who may be in a position of imbalance relative to their institution, warranting additional protective measures.
- Innovative use of technology: AI-guided evaluation interviews represent a novel application of natural language processing in the educational context, triggering the innovation criterion from EDPB guidelines.
The university, as controller, is responsible for conducting or commissioning the DPIA. Koji cannot perform the DPIA on the university's behalf, as the assessment must consider the specific institutional context, including the university's own policies, the student population, and the intended use of evaluation results.
Koji supports the DPIA process by providing:
- A pre-completed DPIA template covering the processing activities performed by Koji as processor, including data flows, security measures, and risk mitigations.
- Technical documentation describing the AI models used, the types of inferences made, and the safeguards against automated decision-making that affects students.
- Direct participation in DPIA workshops or consultations with the university's DPO or privacy team, at no additional cost.
- Responses to supplementary questions from the Autoriteit Persoonsgegevens or other supervisory authorities if prior consultation under Article 36 is required.
Data retention
Retention periods are configurable per institution. The defaults below represent the shortest periods that balance operational requirements with data minimisation. Institutions may extend these periods where justified (for example, to meet accreditation requirements) but must document the justification under Article 5(1)(e).
- Raw conversation data (transcripts and individual scores): retained for 2 years after the end of the relevant course or academic period. After this period, data is automatically deleted unless the institution has configured a longer retention period.
- Aggregated reports (programme-level and institution-level summaries): retained for a minimum of 6 years to support accreditation review cycles (aligned with NVAO and other European accreditation body timelines). These reports contain no directly identifiable personal data.
- Voice recordings: deleted immediately after transcription is complete. If the institution opts to retain recordings (for example, for quality assurance of the transcription process), a maximum retention period must be configured. There is no indefinite retention option.
- System logs (access logs, error logs, authentication events): retained for 90 days for security monitoring and incident investigation. Logs are automatically purged after this period.
- Backups: encrypted backups are retained for a maximum of 30 days on a rolling basis. Data deleted from the primary database is removed from backups within this 30-day window.
Upon termination of the contract, all personal data processed on behalf of the institution is exported to the institution (upon request) and then permanently deleted within 60 days, in accordance with the DPA. A deletion certificate is provided.
Cross-border transfers
All student personal data is processed and stored within the European Union. Specifically:
- Primary infrastructure: hosted in the Netherlands and Germany, using EU-region data centres.
- AI model inference: each university connects Koji to its own enterprise LLM account. Conversation data flows through the institution's existing AI agreements, keeping AI inference under the university's direct control. For institutions without an enterprise LLM, Koji offers EU-native alternatives.
- No default third-country transfers: no student personal data is transferred outside the European Economic Area as part of standard platform operation.
If a specific sub-processor or service requires data transfer outside the EEA (for example, a support tool used by Koji staff), the following safeguards apply:
- The transfer is only initiated with the explicit prior approval of the controller (the university).
- Standard Contractual Clauses (SCCs), as adopted by the European Commission, are in place with the receiving party.
- A Transfer Impact Assessment (TIA) is conducted to evaluate the legal framework of the recipient country and the effectiveness of supplementary measures.
- Supplementary technical measures (such as encryption where the decryption keys remain within the EEA) are applied where the TIA identifies residual risk.
The current sub-processor register, including the location of each sub-processor, is available on the sub-processors page.
Records of Processing Activities (Article 30)
Koji maintains Records of Processing Activities (ROPA) as required of processors under Article 30(2) GDPR. These records include:
- The name and contact details of Koji as processor and of each controller.
- The categories of processing carried out on behalf of each controller.
- Where applicable, transfers of personal data to a third country, including identification of the third country and the safeguards in place.
- A general description of the technical and organisational security measures referred to in Article 32(1).
Koji's ROPA is available to supervisory authorities upon request. Koji also provides documentation and data flow descriptions to support the university's own ROPA obligations under Article 30(1). This includes a detailed description of the processing activities, the categories of personal data involved, the categories of data subjects, and the envisaged retention periods for each data category.
Special category data
Koji does not intentionally collect special category data as defined in Article 9(1) GDPR. The evaluation interview does not include questions designed to elicit information about health, ethnicity, political opinions, religious beliefs, sexual orientation, or other special categories.
However, in the context of open-ended course feedback, students may incidentally disclose information that qualifies as special category data. For example, a student might mention a health condition that affected their ability to participate in a course, or reference a religious observance that conflicted with an exam schedule.
Koji addresses this risk through the following measures:
- Automated detection: the PII redaction pipeline includes classifiers trained to identify potential special category disclosures in free-text responses. When detected, these segments are flagged for review and redacted from summaries and reports by default.
- Configurable handling policies: the university can configure how flagged special category data is handled. Options include automatic redaction (default), manual review by an authorised university staff member before inclusion, or complete exclusion of the affected response from all outputs.
- No processing for secondary purposes: any incidentally collected special category data is never used for profiling, analytics, or any purpose beyond the specific course evaluation in which it was disclosed.
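As an added illustration (not Koji's own code) of the redaction step described above, the following Python function removes direct identifiers from a free-text response and then applies one of the three configurable handling policies to segments flagged as possible special-category disclosures. The identifier patterns, keyword cues and sample response are constructed for the example; the keyword list only stands in for the trained classifiers the page refers to.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed patterns for direct identifiers (not the production redaction rules).
DIRECT_ID_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "STUDENT_NO": re.compile(r"\bs\d{7}\b"),          # assumed institutional format
    "NAME": re.compile(r"\b(?:Dr|Prof|Mr|Ms)\.?\s+[A-Z][a-z]+\b"),
}
# Constructed keyword cues standing in for a special-category classifier.
SPECIAL_CATEGORY_CUES = ("illness", "diagnosed", "religious", "prayer", "disability")
# The three handling options named on the page; "redact" is the default.
POLICIES = ("redact", "review", "exclude")

@dataclass
class RedactionResult:
    text: Optional[str]                      # None when the whole response is excluded
    flagged: List[str] = field(default_factory=list)  # segments queued for manual review
    identifiers_removed: int = 0

def redact_response(response: str, policy: str = "redact") -> RedactionResult:
    """Remove direct identifiers, then handle flagged segments per the policy."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    removed = 0
    for label, pattern in DIRECT_ID_PATTERNS.items():
        response, n = pattern.subn(f"[{label}]", response)
        removed += n
    # Split into sentences so a disclosure is handled at segment level,
    # not by dropping the student's entire feedback when redacting.
    segments = re.split(r"(?<=[.!?])\s+", response.strip())
    kept, flagged = [], []
    for seg in segments:
        if any(cue in seg.lower() for cue in SPECIAL_CATEGORY_CUES):
            if policy == "exclude":
                return RedactionResult(None, [], removed)   # whole response withheld
            if policy == "review":
                flagged.append(seg)                         # staff member decides
                kept.append("[PENDING REVIEW]")
            else:
                kept.append("[REDACTED]")                   # default: automatic redaction
        else:
            kept.append(seg)
    return RedactionResult(" ".join(kept), flagged, removed)
```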
Institutions should inform students in their privacy notice that free-text responses may be processed by AI, and advise students against including sensitive personal information unless they consider it relevant to their feedback. This guidance is also displayed to students within the evaluation interface, in language configurable by the institution.