For IT admins
The tech sheet you'll ask for before signing
OAuth 2.0 / LTI 1.3 with your LMS. Tokens AES-256-GCM encrypted. Data in the EU. Students don't access Merital — they don't even have an account. Written so you can forward this page to your DPO.
What you need to validate before signing
Three typical blockers in an edtech SaaS evaluation.
Not multiplying minors' personal data
Every extra SaaS is another cluster of student PII. Merital doesn't create student accounts: it never holds their passwords or login data.
Integrate without opening new attack vectors
Standard OAuth 2.0 with your LMS. Tokens encrypted in DB with AES-256-GCM. Rotation and revocation on demand.
Pass GDPR / ENS / ISO without auditing it yourself
EU data residency (eu-west-1). Public subprocessor list. Security whitepaper available under NDA.
Architecture built for your team
Three non-negotiable product decisions.
Student files live in your LMS
Merital never permanently duplicates them. It downloads on demand when a teacher grades, caches temporarily, and discards.
Strict multi-tenancy
Isolation by lms_connection_id on every query. Two schools on the same LMS = two connections encrypted with different keys.
Deletion on disconnect
Disconnect the LMS → credentials deleted immediately. Grading data becomes orphaned (GDPR right to erasure). Rubrics exportable before deletion.
Technical FAQ
We'll prepare the tech sheet
Tell us which LMS and which compliance requirements you have. We'll prepare a technical demo against your stack.