Data security you can trust

More exam administrators are expanding their courses and exams to online platforms. This leads to an increase of test-taker data being transferred and stored. It also leads to concern over the security of that data.

At Proctorio, keeping test-taker information and data secure is our top priority. This means making an active effort to protect individual, recording, and personally-identifiable information.

Three layers are better than one

Exam recordings are secured and processed using three layers of encryption:

A shield in front of another shield layer, this one overlaid in binary

End-to-end

The end-to-end encryption layer is secured using AES-GCM.

Transmission

Transmission of data into the data center is only over TLS 1.2 or 1.3 and if the client supports it, we are able to use Perfect Forward Secrecy (PFS).

Data at rest

Recording data at rest within the data center is encrypted using AES-256 and is FIPS 140-2 compliant. All data centers are ISO 27001 certified, SOC 2 attested.

A padlock emblazoned on a shield protecting a background of binary

End-to-end encryption

Proctorio utilizes end-to-end encryption, which means encrypted audio, video, screen recordings and images cannot become unencrypted until they are unlocked by an institution-approved representative.

Daily vulnerability tests

Our platform goes through daily vulnerability scans and semi-annual penetration tests to assess the strength of our systems against a potential attack. Partnered institutions can see these daily vulnerability scans under an NDA. This creates a security system you can trust.

A machine scanning pages of data and analyzing them

A friendly reminder

Proctorio never requires test takers to provide additional Personally Identifiable Information (PII) to access an exam. Test takers simply sign in their Learning Management System (LMS) with their institution’s credentials and access their Proctorio exam. For third-party assessment platforms, a unique passcode is generated and managed by Proctorio, so that the test takers can access the exam effortlessly.

All recordings are transferred and stored with end-to-end encryption, and can only be accessed by institution-approved representatives.

Learn more about Proctorio’s Privacy standards in our comprehensive Privacy Policy.

View Privacy Policy

Keeping us accountable

Proctorio engaged a leading information security consulting company to perform a Security Assessment of our software and cloud environment on June 24th, 2020.

End-to-End Encryption Audit

With industry-leading tools, techniques, and penetration testing processes, the security consultant only identified a single low-impact issue. They also concluded that Proctorio appropriately implements end-to-end encryption and never possesses the encryption keys for the audio/video recordings they store. In addition to securing the encryption keys, the audit concluded that the cryptographic functionality was implemented appropriately using industry standard and vetted algorithms and their implementation libraries.

Data Privacy Compliance Audit

The third-party security consulting company determined that video and audio for exams are stored in the proper geographical regions based on the institution in accordance with local privacy and security laws. The regions tested include the USA, Canada, the European Union, the Middle East, and Australia.

HackerOne

We have partnered with HackerOne, a global team of security leaders with a mission to make the Internet safer. This partnership allows us to ensure that our software remains secure, private, and accessible for our end users: test takers and exam administrators.

We welcome ethical hackers to participate within our HackerOne program by filling out their vulnerability form and clicking below. We offer both a free and a paid bounty program.

As of January 1, 2022, we have updated our disclosure policy with HackerOne. In light of the quickness of our response time and in an effort at greater transparency, Proctorio will have the option to publish any patched vulnerabilities in a dramatically shortened window. Going forward, we will not need a second key to publish after 30 days.

Report a vulnerability
A person wearing headphones reclined on a beanbag, computer on lap. Above, we see their screen, populated with lines of code.