By Mike Olsen, CEO
At Proctorio, we are proud that administrators at 850+ institutions around the world trust us to be their partner as we develop high-quality, high-integrity online education experiences for learners around the world.
Being an education technology provider means that academic institutions use our technology in scenarios where very sensitive data changes hands, such as conversations between faculty and test takers, answers to exam questions, and homework, to name just a few examples.
Because of the sensitive nature of our place in the education technology stack, we take data security very seriously. We use advanced technology to keep your data safe. Let us explain!
What data can Proctorio access?
Proctorio never requires personally identifiable information (PII) to use our software or access support. Test takers simply sign in to their LMS with their institution’s credentials and access their assessment.
The exam data is transferred and stored with zero-knowledge encryption, and can only be accessed by your exam administrators.
The only time Proctorio records a test taker during an exam is if and when the instructor chooses the video or audio recording option for the assessment. Video/audio recording information is not kept forever; depending on the institution, this information might only exist on our servers for as little as 7 days.
Once it is accessed, how is it protected?
Proctorio is differentiated by its use of zero-knowledge encryption. This proprietary technology means no one outside of approved faculty or staff members at the institutions has access to the encrypted data on our own servers. This includes employees at Proctorio. (“Zero knowledge” means, literally, that we have zero access to any unencrypted data on our own servers.)
This unique design ensures that nothing leaves the computer of an administrator or learner until after it is encrypted. This means that if Proctorio were ever to be hacked, the attackers would get a bunch of meaningless gibberish.
On top of that, zero-knowledge encryption is merely one layer of encryption that Proctorio applies! Learner data (including all video, screen and audio recordings) is secured and processed through three layers of encryption:
- The zero-knowledge layer is secured using AES-GCM, using encryption keys never shared with Proctorio.
- Transmission into the datacenter is only over TLS 1.2 or 1.3 and, if the client supports it, we use Perfect Forward Secrecy (PFS).
- Data at rest within the data center is encrypted using AES-256 and is FIPS 140-2 compliant. All data centers are ISO 27001 certified and SOC 2 attested.
Our platform goes through daily vulnerability and penetration tests to assess the strength of our systems against a potential attack.
Could a computer be attacked through the software that test takers need to install on their computers to use Proctorio?
Proctorio requires no native software. It runs only as a browser extension, allowing test takers to easily install and uninstall Proctorio as they take online exams. We request very specific permissions to further limit the information that the browser extension could capture; see our Privacy page for a breakdown.
How is Proctorio technology used in academic decision making?
Proctorio does not use any technology that makes academic decisions (for example, grading, or the consequences of a test taker being caught cheating) through an algorithm. If our face detection or gaze detection software finds something unusual, we flag it to the instructor, who will make all determinations and grading decisions. Proctorio flags behaviors; it does not make decisions.
What third-party organizations have vetted Proctorio’s safety standards?
Proctorio’s privacy has been vetted by a number of third-party organizations to ensure we are upholding the highest data privacy standards.
Proctorio has been recognized by The Internet KeepSafe Coalition, which reviews and certifies digital products for compliance with state and federal requirements for handling protected personal information, and which has confirmed that Proctorio is both Family Educational Rights and Privacy Act (FERPA) certified and Children’s Online Privacy Protection Act (COPPA) certified. Proctorio has also proudly signed the Student Privacy Pledge, supporting the privacy of K-12 students in the United States. Proctorio is GDPR compliant.
For institutions in Canada, Proctorio is also compliant with the Privacy Act (British Columbia), Personal Information Protection and Electronic Documents Act (PIPEDA), and Freedom of Information and Protection of Privacy Act (FIPPA). Exam-related data of Canadian test takers is stored locally and securely in Canada.
We also engaged a leading information security consulting company to perform a Security Assessment of our software and cloud environment. While we invite you to read the full audit (just type your email and you’ll get a link), here’s a summary of what they found:
- Proctorio appropriately implements Zero-Knowledge Encryption, and never possesses the encryption keys for the audio/video data they store.
- In addition to securing the encryption keys, the audit concluded that the cryptographic functionality was implemented appropriately using industry standard and vetted algorithms and their implementation libraries.
- The software was adequately hardened to resist tampering and intrusion.
- Video and audio for exams are stored in the proper geographical regions based on the institution in accordance with local privacy and security laws. The regions tested include USA, Canada, European Union, Middle East and Australia.
Trust and integrity are at the core of what we do at Proctorio. We are proud of the technologies and measures we have put in place to keep data safe, and to protect the test takers and administrators who trust us as partners.