How Proctorio approaches data security and test-taker privacy
At Proctorio, we are proud that administrators at 850+ institutions around the world trust us to be their partner as we develop high-quality, high-integrity online education experiences for learners everywhere.
Being an education technology provider means that institutions use our technology in scenarios where very sensitive data changes hands, such as conversations between exam administrators and test takers, answers to exam questions, and homework, to name just a few examples.
Because of the sensitive nature of our place in the education technology stack, we take data security very seriously. We use advanced technology to keep your data safe. Let us explain!
What data can Proctorio access?
Proctorio does not require additional personally identifiable information (PII) to use our software or access support beyond what is already required by the assessment platform. Test takers simply sign in to their LMS with their institution’s credentials and access their assessment.
Exam recordings are transferred and stored with Zero-Knowledge Encryption, meaning that only institution-approved representatives have access to the encryption keys needed to decrypt and review the recordings.
The only time Proctorio records a test taker during an exam is if and when the exam administrator chooses the video or audio recording option for the assessment. Video/audio recording information is not kept forever; depending on the institution, this information might only exist on our servers for as little as 7 days.
Once it is accessed, how is it protected?
Proctorio is differentiated by its usage of Zero-Knowledge Encryption. This proprietary technology means only institution-approved representatives have access to the encryption keys needed to decrypt and review exam recordings.
This unique design ensures that nothing leaves the computer of an administrator or learner until after it is encrypted. This means that if Proctorio were ever to be hacked, the attackers would get a bunch of meaningless gibberish.
On top of that, Zero-Knowledge Encryption is merely one layer of encryption that Proctorio applies! Learner data (including all video, screen and audio recordings) is secured and processed through three layers of encryption:
The zero-knowledge layer is secured using AES-GCM.
Transmission into the datacenter is only over TLS 1.2 or 1.3 and, if the client supports it, we use Perfect Forward Secrecy (PFS).
Data at rest within the data center is encrypted using AES-256 and is FIPS 140-2 compliant. All data centers are ISO 27001 certified and SOC 2 attested.
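The zero-knowledge layer described above, as an added example that is not Proctorio's code: a recording chunk is sealed with AES-GCM before upload, so the server stores only ciphertext and only a key holder can open it. The 256-bit key size, the key handling, the record layout and names such as `sealChunk` and `exam-0001` are assumptions; Node's built-in crypto module stands in for the browser's crypto API.

```javascript
// Added illustration, not Proctorio's code. Key size, key handling and the
// record layout are assumptions; Node's crypto module stands in for the browser.
const nodeCrypto = require('node:crypto');

// Assumption: the institution creates and keeps this key; the vendor never sees it.
function generateInstitutionKey() {
  return nodeCrypto.randomBytes(32); // 256-bit AES key
}

// Client side: encrypt a recording chunk before it leaves the machine.
// examId is bound as additional authenticated data (AAD), so a stored chunk
// cannot be re-filed under another exam without failing verification.
function sealChunk(key, plaintext, examId) {
  const iv = nodeCrypto.randomBytes(12); // 96-bit nonce, unique per chunk
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(examId, 'utf8'));
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { examId, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Reviewer side: returns the plaintext, or null when the key is wrong or the
// ciphertext, tag or examId was altered after sealing.
function openChunk(key, record) {
  try {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, record.iv);
    decipher.setAAD(Buffer.from(record.examId, 'utf8'));
    decipher.setAuthTag(record.tag);
    return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
  } catch (err) {
    return null; // GCM authentication failed
  }
}

// Constructed sample data.
const institutionKey = generateInstitutionKey();
const frame = Buffer.from('constructed sample: webcam frame bytes');
const stored = sealChunk(institutionKey, frame, 'exam-0001'); // all the server holds

console.log('server sees :', stored.ciphertext.toString('hex'));
console.log('key holder  :', openChunk(institutionKey, stored).toString());
console.log('other key   :', openChunk(generateInstitutionKey(), stored));
```

Because GCM authenticates as well as encrypts, a stored record that has been modified is rejected on open rather than decrypted into altered content.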
Our platform goes through daily vulnerability and penetration tests to assess the strength of our systems against a potential attack.
Could a computer be attacked through the software that test takers need to install on their computers to use Proctorio?
Proctorio requires no native software. It runs only as a browser extension, allowing test takers to easily install and uninstall Proctorio as they take online exams. We request very specific permissions to even further limit the information that the browser extension could capture; see our Privacy page for a breakdown.
How is Proctorio technology used in exam integrity decision making?
Proctorio does not use technology that makes exam integrity decisions through an algorithm. If our face detection or gaze detection software finds something unusual, we flag it to the exam administrator, who will make all determinations and grading decisions. Proctorio flags behaviors; it does not make decisions.
What third-party organizations have vetted Proctorio’s safety standards?
Proctorio’s privacy has been vetted by a number of third-party organizations to ensure we are upholding the highest data privacy standards.
Proctorio has been recognized by The Internet KeepSafe Coalition, which reviews and certifies digital products for compliance with state and federal requirements for handling protected personal information, and which has confirmed that Proctorio makes every effort to comply with the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA). Proctorio has also proudly signed the Student Privacy Pledge, supporting the privacy of K-12 students in the United States. Proctorio makes every effort to be GDPR compliant.
For institutions in Canada, Proctorio also makes every effort to comply with the Privacy Act (British Columbia), Personal Information Protection and Electronic Documents Act (PIPEDA), and Freedom of Information and Protection of Privacy Act (FIPPA). Exam-related data of Canadian test takers is stored locally and securely in Canada.
We also engaged a leading information security consulting company to perform a Security Assessment of our software and cloud environment. Here’s a summary of what they found:
Proctorio appropriately implements Zero-Knowledge Encryption and only institution-approved representatives possess the encryption keys for the audio/video data stored.
In addition to securing the encryption keys, the audit concluded that the cryptographic functionality was implemented appropriately using industry standard and vetted algorithms and their implementation libraries.
Video and audio for exams are stored in the proper geographical regions based on the institution in accordance with local privacy and security laws. The regions tested include USA, Canada, European Union, Middle East and Australia.
Trust and integrity are at the core of what we do at Proctorio. We are proud of the technologies and measures we have put in place to keep data safe, and to protect the test takers and administrators who trust us as partners.
Note: This blog post was updated for clarity on June 23, 2021.