MATCHAGet MATCHA
For Educators/Educator's Guide

Educator's Guide

End-to-end encryption keys

Organizations can require cloud .mcha submissions to be encrypted before they leave a student's computer. In that mode, submissions can be opened only by people whose MATCHA keys were included when the file was uploaded.

Open MATCHA DashboardEducator's Guide index

What changes when encryption is enabled

  • MATCHA encrypts each cloud .mcha submission locally before upload. The cloud storage provider and MATCHA servers do not receive a readable .mcha file.
  • Instructors must create a key before encrypted submissions come in. MATCHA uses the instructor's public key when students upload submissions and the instructor's private key when the submission is opened later.
  • Organization admins are also included as recovery recipients. Graders who need to open submissions should create keys before submissions are collected.
  • The private key is stored encrypted. The passcode is used only on the user's computer and is not stored by MATCHA.

AI Assistant and encrypted submissions

End-to-end encryption protects cloud .mcha submission files after they leave the student's computer. It does not by itself prevent activity content from being processed by MATCHA services when a feature needs that processing. If an activity enables MATCHA's AI assistant, student text or browser context may be sent for AI assistance according to the assistant settings.

Configure the assistant at the level that fits the activity: off, grammar only, grammar and style, or full composition. AI-made changes are tracked and reported in the Writing Analysis, so permitted AI use remains visible in the work record. Be explicit with instructors, graders, and students about whether AI assistance is allowed in activities that also use encrypted cloud submissions.

Enable encryption for an organization

  1. Open the MATCHA Dashboard as an organization administrator.
  2. Go to organization settings, then open the Security tab.
  3. Turn on Enable end-to-end encryption for cloud .mcha submissions.
  4. Tell instructors and graders who need submission access to open MATCHA and create their keys before students begin submitting work.

Create a key in MATCHA

  1. Open the MATCHA desktop app and sign in to the relevant account.
  2. Open Application Settings and select the Keys tab.
  3. Enter a key passcode and confirm it. The passcode should be at least eight characters long. For maximum security, do not use the same password as your MATCHA account.
  4. Select Create key.
  5. Select Save key to store an encrypted backup package somewhere durable, such as a cloud-synced folder. The backup contains metadata such as your name and organization name so you can confirm it is the right key when importing it later.

Keep the passcode in a safe place. You will not be able to read encrypted submissions without it.

Import a saved key

  1. Open MATCHA on the computer where you want to use the key.
  2. Open Application Settings, then Keys.
  3. Select Import key and choose the saved key package.
  4. Check the displayed name, organization, key label, and creation date before confirming the import.
  5. Enter the original key passcode to unlock the key when you need to open encrypted submissions.

Recovery requests

Recovery is a last resort for cases where an instructor or grader created a replacement key and needs access to submissions that were encrypted for an older key. Recovery requires an organization admin whose own key can open those submissions.

  1. The requester creates a new key in MATCHA.
  2. The requester selects Request recovery for that key. MATCHA shows a six-digit verification code.
  3. The requester sends the request through MATCHA and separately gives the six-digit code to an organization admin using an offline or out-of-band channel.
  4. The organization admin opens MATCHA, goes to Application Settings, then Keys, and loads Recovery requests (Administrators only).
  5. The admin approves the request only if the code displayed in MATCHA matches the code received from the requester.

If no organization admin has an unlockable key for the affected submissions, MATCHA cannot recover the lost passcode.

Operational checklist

  • Enable encryption before collecting submissions that need this protection.
  • Confirm the instructor for the activity has an active key before submissions begin.
  • Ask graders who will open submissions to create keys before students submit work.
  • Ask admins to create and test their keys before relying on recovery.
  • Keep saved key packages and passcodes separate; the package is encrypted, but the passcode unlocks it.
Back to Educator's Guide