More exam administrators are expanding their courses and exams to online platforms. This leads to an increase in the test-taker data being transferred and stored. It also leads to concern over the security of that data.
At Proctorio, keeping test-taker information and data secure is our top priority. This means making an active effort to protect individual, recording, and personally-identifiable information.
Exam recordings are secured and processed using three layers of encryption:
The Zero-Knowledge Encryption layer is secured using AES-GCM.
Data is transmitted into the data center only over TLS 1.2 or 1.3, and if the client supports it, we are able to use Perfect Forward Secrecy (PFS).
Recording data at rest within the data center is encrypted using AES-256 and is FIPS 140-2 compliant. All data centers are ISO 27001 certified and SOC 2 attested.
Proctorio utilizes Zero-Knowledge Encryption, which means encrypted audio, video, screen recordings and images cannot be decrypted until they are unlocked by an institution-approved representative.
Our platform goes through daily vulnerability scans and semi-annual penetration tests to assess the strength of our systems against a potential attack. Partnered institutions can see these daily vulnerability scans under an NDA. This creates a security system you can trust.
Proctorio never requires test takers to provide additional Personally Identifiable Information (PII) to access an exam. Test takers simply sign in to their Learning Management System (LMS) with their institution’s credentials and access their Proctorio exam. For third-party assessment platforms, a unique passcode is generated and managed by Proctorio, so that the test takers can access the exam effortlessly.
All recordings are transferred and stored with Zero-Knowledge Encryption, and can only be accessed by institution-approved representatives.
Proctorio engaged a leading information security consulting company to perform a Security Assessment of our software and cloud environment on June 24th, 2020.
With industry-leading tools, techniques, and penetration testing processes, the security consultant identified only a single low-impact issue. They also concluded that Proctorio appropriately implements Zero-Knowledge Encryption and never possesses the encryption keys for the audio/video recordings they store. In addition to securing the encryption keys, the audit concluded that the cryptographic functionality was implemented appropriately using industry-standard, vetted algorithms and their implementation libraries.
The third-party security consulting company determined that video and audio for exams are stored in the proper geographical regions based on the institution in accordance with local privacy and security laws. The regions tested include the USA, Canada, the European Union, the Middle East, and Australia.
We have partnered with HackerOne, a global team of security leaders with a mission to make the Internet safer. This partnership allows us to ensure that our software remains secure, private, and accessible for our end users: test takers and exam administrators.
We welcome ethical hackers to participate in our HackerOne program by filling out their vulnerability form and clicking below. We offer both a free and a paid bounty program.
As of January 1, 2022, we have updated our disclosure policy with HackerOne. In light of the quickness of our response time and in an effort at greater transparency, Proctorio will have the option to publish any patched vulnerabilities in a dramatically shortened window. Going forward, we will not need a second key to publish after 30 days.
Report a vulnerability