Privacy Policy

Hi there. Welcome to Proctorio's Privacy Policy. Privacy policies can be messy and complicated. But, at Proctorio, your privacy is important to us, which is why we have tried to unscramble the legal jargon to provide one comprehensive spot to provide information to you about our privacy practices.

Before you dive in

Proctorio would like to start by defining two terms you'll see used throughout Proctorio’s Privacy Policy: data processor and data controller.

Proctorio is a data processor when Proctorio proctors an exam, verify identities, protect content, or verify originality of an assignment. In these instances, your Institution controls your information, not Proctorio. Please see your Institution's privacy policy and contact them for inquiries regarding your Personal Information.

Proctorio is a data controller when you have directly input Personal Information into a form on Proctorio’s website, or directly provide Personal Information through Proctorio's customer and/or product services.

Users can utilize Proctorio's Sites or Services without providing Personal Information.

A person sitting in front of their laptop, an image of a padlock securing a folder overhead

Proctorio encrypts exam audio, video, and screen recordings and images with Zero-Knowledge Encryption. This means that once these images and recordings are encrypted, they can only be decrypted by Institution-approved representatives.

Proctorio may have access to some of this data (if the Institution chooses to collect it) when providing live technical support to an exam taker during the exam.

With the Live Proctoring Services, Proctorio proctors are able to review exam sessions (including this data, if the Institution chooses to collect it) in real time.

With Professional Review Services, the Institution gives authorized Proctorio staff members temporary access to review exam sessions (including this data, if the Institution chooses to collect it), typically within 48 hours after the exam session.

Learn more about this and other useful information by clicking the links below:

Last modified October 29, 2021.

Read our Privacy Policy

To read the Policy, choose one of the options below:

Customized Policy

You can customize the Policy to only see the portions that apply to you. Just choose from the options below:

Where is your institution located?

What kind of user are you?

Privacy Notice

Last modified October 27, 2023.

  • General
  • "Personal Information" means information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household, such as your name, mailing and email addresses, phone number, and other information that permits us to contact you at a physical location, online, or by electronic communication, including telephone or email.
  • Capitalized terms not defined herein shall have the meaning given to them in SaaS Agreement and Terms of Service. The SaaS Agreement and the Terms of Service fully detail both Proctorio's and the Institution's obligations in relation to the confidentiality of data.
  • Proctorio limits the Personal Information collected from end-users through their use of Proctorio's Services.
  • Proctorio only collects Personal Information as instructed by your Institution. This is dependent on the Services and settings selected by the relevant Institution-approved representatives.
  • Proctorio pseudoanonymizes specific test-taker Personal Information.
  • Audio, video, and screen recordings and images collected and stored by Proctorio are encrypted and can only be decrypted by Institution-approved representatives. For the avoidance of doubt, Proctorio cannot decrypt the audio, video, screen recordings and images collected and stored by Proctorio.
  • If you voluntarily provide Personal Information through Proctorio's Sites or Services, Proctorio may retain this Information.
  • If you voluntarily provide Personal Information through Proctorio's Sites or Services, Proctorio may retain this Information.

Proctorio's Institution Services When an Institution purchases Proctorio's Services, the type of Service and settings selected by the Institution determine what Personal Information an Institution may provide to Proctorio or what Proctorio can collect from the test taker. This is described in more detail below.

Test-taker audio, video, and screen recordings and images received from Institutions and processed by Proctorio are end-to-end encrypted and can only be decrypted by Institution-approved representatives.

Proctoring

Only an Institution may request Proctorio to use Automated or Live Proctoring during the administration of an exam.

With either Automated or Live Proctoring, an exam administrator may instruct Proctorio to monitor test takers via a webcam, microphone, browser, and/or desktop in an effort to uphold the integrity of the assessment. This may include a scan of the test taker's surroundings, screen, and computer display. This monitoring will either be automated and/or conducted by a live proctor. The test taker will be notified, before the beginning of an exam, whether Automated or Live Proctoring is being used.

Video and audio recording

Only your Institution maintains and controls the decryption keys necessary to decrypt test-taker audio and video recordings and images. As previously stated, Proctorio cannot decrypt the audio, video, and screen recordings and images collected and stored by Proctorio.

The Institution determines whether audio and/or video is used to monitor and/or record exam sessions and only the exam administrators have access to these audio and/or video recordings. If selected, the entire exam session may be recorded.

The Institution also decides whether to record the test taker's audio during the exam attempt. If selected, the test taker's microphone may be turned on during the session.

Audio, video, and image files are encrypted prior to being transferred to Proctorio's cloud service provider in the location specified by the Institution. The Institution maintains and controls decryption keys, and only the Institution may assign these keys to individuals who the Institution designates as appropriate.

Depending on the Institution's location, these audio and video files are stored on Proctorio's cloud service provider's servers in the US, Europe, Canada, Japan, Australia, South Africa, Singapore, or Abu Dhabi. These files never leave the controlling location of the Institution.

Record Screen, Record Web Traffic, and Record Room/ Periodic Desk Scan are additional options that an exam administrator can select for an exam.

Verify Audio, Video, Desktop and Signature may also be selected by the exam administrator and the test taker is required to take those actions prior to the start of the exam.

As a result of these Institution-selected monitoring or verification options, Proctorio may collect Personal Information such as a test taker's image and Personal Information that may be shared through the screen, desktop, webcam, web traffic or microphone of the test taker's device.

Facial and gaze detection

If your Institution elects to use Proctorio's proctoring Services that enable video recording, Proctorio uses facial detection or gaze detection to flag potentially suspicious test activity to help Institution-approved representatives maintain assessment integrity. The Institution may choose to disable facial detection and gaze detection as a secondary setting of the video recording feature if it wishes to opt out of facial detection and gaze detection, but still record the exam session.

Proctorio does not use what is conventionally known as "biometrics" or "facial recognition" technology. Facial recognition uniquely identifies specific people by assessing whether the face in one image matches the face in another image. It requires a database of either images of people's faces, or biometric representations of them, and technology that compares new images or biometric representations with entries in that database.

Instead, Proctorio uses "facial detection" or "gaze detection" technology. A fundamental difference between these technologies and biometrics or facial recognition technology is that facial or gaze detection technologies do not use geometry or landmarks as identifiers. Additionally, this difference can be illustrated by the questions they answer:

Facial Recognition: "Does the face in this picture match the face in this other picture?"

Facial Detection: "Is there a face in this picture?"

Gaze Detection: "Is the person looking away from the camera or the exam screen?"

Facial detection can identify that there is a human face present in an image or video recording, but it cannot identify that person - only that there is, indeed, a person in the image or recording.

Gaze detection can determine the direction that the individual is looking, but cannot identify who they are or what they are looking at.

If the exam administrator enables the use of video recording, Proctorio uses facial detection to flag video evidence that may indicate the number of individuals present within the immediate vicinity of the test taker, but Proctorio does not attempt to determine who those individuals are.

If a test taker is not able to pass the face detection process and enter an exam within three attempts, a Proctorio Support Agent initiates a live chat to troubleshoot the issue. The Support Agent can request access to webcam images from the system, provide instructions that ensure clearly-captured images, and override the system if needed to expedite exam entry.

If the exam administrator enables the use of video recording, Proctorio can use gaze detection to flag video evidence that the individual was looking at something other than the device they were using to take the exam. This helps Institution-approved representatives prioritize where to review exam video recordings to determine if the test taker was consulting unauthorized materials or was receiving outside assistance during the exam attempt. However, the Institution may choose to disable facial detection and gaze detection as a secondary setting of the video recording feature if it wishes to opt out of facial detection and gaze detection, but still record the exam session.

Monitoring during an exam

When exam administrators select Automated or Live Proctoring Services, Proctorio uses technology to automatically collect certain information about a test taker's activities during the exam session for purposes of protecting exam integrity. The flagged behaviors may include facial and gaze detection (described above) to monitor if the test taker leaves the session, tracked head movement to monitor how frequently the test taker looks away, sound detection to monitor if other voices are in the room, question response time, dropped internet connections, and other activities that may indicate irregular testing activities. When using these services, Proctorio's automated technology continually monitors the applications and processes that are running on the device during an exam session and during exam review.

If an Institution has requested reporting, test-taker data may be aggregated, and then individual test-taker data may be compared to the aggregated data to look for patterns or anomalies, such as whether a test taker spent an unusually long time answering a question relative to other users.

Proctorio does not and has not established "normal" profiles or compare test takers against any preserved or aggregated normal.

At the end of an exam session, the Institution-approved representative will have access to a summary report of these flagged activities, as well as the raw data the Service collects from each test-taker's session. The Institution-approved representative then determines if any further action is warranted. Aggregated data is also provided to the Institution-approved representative (e.g. the average length of time users spent on an exam question, the average time spent on the entire assessment and the average date/time that users started the exam session).

Only an Institution determines whether to enable settings, which settings are enabled for flagging of irregular testing behaviors, and the indication levels (green, yellow, red) assigned to certain activities of the test taker during an exam. Following the Institution-approved representative's review, only they can determine what, if any, action to take related to a test taker.

Proctorio does not make any decisions related to the test taker from flagged activity.

ID Verification

Additionally, an Institution may select an option to verify the test taker's identity before they start their exam. The Institution can choose the Live ID Verification or the Automated ID Verification option. In both options, the Personal Information that is collected may include name, government ID number, and date of birth if the test taker chooses to utilize their government-issued ID or the Institution requires the test taker to use the government-issued ID to validate their identity.

This ID image along with other test-taker audio, video, and screen recordings and images are stored with Zero-Knowledge Encryption by Proctorio as described below.

Live ID

If this option is selected by the Institution, a photo of the Institution-accepted form of ID will be collected with the webcam and encrypted on Proctorio's servers. The image will be accessible by an Institution-approved representative along with the exam results within the Institution's assessment platform. Additionally, during the pre-checks a Proctorio proctor will request to see the Institution-accepted form of ID and will record this information. A proctor cannot personally store or use this information other than to verify the test taker's identity.

The file is transmitted directly from the test taker to the proctor. After the transmission and the identity is verified, the file is immediately deleted.

Automated ID

If this option is selected by the Institution, a photo of the Institution-accepted form of ID will be collected with the webcam and encrypted on Proctorio's servers. The image will only be accessible by an Institution-approved representative along with the exam results within the Institution's assessment platform.

Originality Verification

If an Institution selects Proctorio's Originality Verification tool, the End User may voluntarily submit an assignment that has content or data with Personal Information included.

Lock Down Settings

If these settings are selected by an Institution and enabled on an assessment that uses Proctorio's Services, these features can be used instead of or alongside the monitoring features described above.

Depending on which features are selected by an Institution, the test taker's device will be locked down so that they cannot access websites, files, or other online or device resources. The test takers will be prevented from downloading materials or entering information that doesn't relate to the exam only during the exam session. This is done to help ensure test integrity.

When operating as a browser extension, Proctorio only has restricted access to a test taker's computer system. This includes no access to any personal documents or files stored on the machine.

Users have the ability to disable the Proctorio extension immediately after an exam is submitted.

Although it is not necessary to do so, test takers can uninstall or disable Proctorio immediately after taking an exam, and re-install or enable it only when taking future Proctorio-proctored exams.

Test takers are alerted when Proctorio is recording, through the exam process, by the Proctorio shield icon in the upper-right-hand corner of the browser turns green, and during exam review.

This green icon indicates that the extension is running during the exam.

Lock Down settings include the following, and exam administrators can choose to implement some, all, or none of these during the exam:

Read and change data on the websites you visit

This allows Proctorio to run on each and every website required by your exam administrator or Institution without requiring additional permissions.

Display notifications

Proctorio may display a pop-up notification while you are in the exam if you navigate away from the exam. This notification states that you are required to return to the exam window.

Modify your copy and paste functionality

The Proctorio platform's functionality does not include the ability to read or collect the contents in the test taker's clipboard. Instead, during the exam, Proctorio replaces the clipboard text with Proctorio's own content to prevent exam content distribution.

Capture content from your screen

This recording setting only runs during the exam and exam review. This ensures that test takers are remaining within the exam and showing their work with authorized tools and resources.

Manage your downloads

Downloads by a test taker will be prevented only during the course of the exam. This ensures that exam content is not shared externally.

Identify storage devices

Test-taker storage devices are detected and identified during the exam. Proctorio does not eject storage devices.

Manage your apps, extensions, and themes

Proctorio does not manage the themes of a test taker's device. But Proctorio does manage extensions and applications that may hinder Proctorio from operating properly.

Change your privacy-related settings

Proctorio uses this to temporarily block the test taker's browser "password" fill option during the course of the exam.

Zero-Knowledge Encryption

When processing and securing test-taker Information from an Institution, Proctorio does not mess around. That's why Proctorio utilizes an end to end encryption method called "Zero-KnowledgeEncryption."

"Zero-Knowledge Encryption" means that only Institution-approved representatives at Institutions can decrypt and review the encrypted exam recordings on Proctorio's servers.

Only the Institution has the "key" that is needed to access Personal Information that they've provided to their test takers or test-taker Personal Information that has been provided to Proctorio. Proctorio utilizes PBKDF2-HMAC-SHA512 to generate the keys. Then AES-256 GCM encryption is used to encrypt the files and finally Proctorio uses TLSv1.2 and TLSv1.3 with perfect forward secrecy to transfer any and all data.

Proctorio uses Zero-Knowledge Encryption for any audio, video, and screen recordings and images sent by a test taker. This means only Institution-approved representatives can decrypt, watch, and review the encrypted Information.

Test-taker records

All test-taker records that are "student" or "educational records" obtained by Proctorio from an Institution are the property of the Institution and are under the control of that Institution. Institutions or the respective test taker owns the data.

Proctorio will follow the instructions provided by the Institution and make every effort to comply with applicable law. In these instances, Proctorio is a processor for the Institution and the Institution is the controller. The Institution's Privacy Notice controls the use of test-taker Information.

If you are looking for information regarding your test-taker records please reach out to your Institution.

Information collected from Institution-approved representatives

The sections below describe Personal Information that may be collected from an Institution-approved representative.

Secure Exam Proctor administration - Institution registrations

To register an Institution to use the Proctorio's suite of Services, an administrator account must be created. To register an account for your Institution, an Institution-approved representative must provide Personal Information, such as:

  • Institution-approved representative's name
  • Phone number
  • Institution name
  • Campus email address

Request for demo

For Institution-approved representatives to request a demonstration of the Proctorio Services, you must provide Personal Information such as:

  • Institution-approved representative's name
  • Phone number
  • Institution name
  • Campus email address

Secure Exam Proctor exam enabling

An Institution-approved representative can generally utilize Secure Exam Proctor to conduct exams. To do so, the Institution-approved representative does not have to provide their name or other Personal Information. They only have to provide the single sign-on data managed through the Institution exam platform. Institution-approved representatives configure their exam settings to select whether to collect the following types of test-taker data:

  • Audio Recordings
  • Video Recordings
  • Facial Detection
  • Gaze Detection
  • Information on test taker computer screen
  • Websites visited during the exam session

Secure Exam Proctor Technical Support

To contact technical support, Personal Information such as:

  • Institution-approved representative's name
  • Phone number
  • Email address

may be collected from an Institution-approved representative to facilitate the troubleshooting process.

Disclosure of such information by an exam administrator is voluntary and will not be sold to third parties.

Surveys, contests, feedback

Additionally, Proctorio may invite Institution-approved representatives or test takers to participate in surveys, questionnaires, contests, or to contact Proctorio with questions, comments, or feedback.

Participation is voluntary and only those that have opted in/consented will be contacted.

Due to the nature of some of these activities, they may include the collection of Personal Information, such as your:

  • Institution-approved representative's name
  • Email
  • Institution details
  • Location

Customer service

You may contact Proctorio about Proctorio's products and Services or with customer service inquiries. Depending on the method by which you contact Proctorio, certain Personal Information will be visible to Proctorio. This information is identified below. Other than this information that is inherently visible based on your selected communication platform and optionally if information is needed to verify your identity, Proctorio never requires that you disclose Personal Information.

Customer service emails

If you contact us by email, Proctorio will obtain and store your email address.

Customer service phone calls

If you contact us by phone call, Proctorio will obtain and store your phone number.

Customer service Live Chat

If you contact us through chat, Proctorio will obtain your IP Address and store only part of it.

Job applicants

Proctorio may also collect Personal Information from job applicants needed for the employment applications, such as:

  • Job applicant name
  • Email
  • Postal address
  • Government ID numbers
  • Date of birth
  • Employment history
  • Academic history

Marketing

Proctorio may also collect Personal Information from Institution representatives and other professionals, such as their name and email address, to send marketing communications about Proctorio's products and Services. These communications will only occur if they have consented to receiving this information. Proctorio does not sell, transfer or utilize your data for any purpose other than to provide Proctorio's Services.

Proctorio does NOT send marketing communications to test takers.

Automatically collected Information; log Information

When you access the Sites and Services via a browser, application, or other device, Proctorio's servers automatically record certain information. These server logs will include information such as:

  • Your web request
  • Your interaction with a Service
  • IP address (only part of the IP address is stored)
  • Browser type (high level only)
  • Browser language
  • The date and time of your request

Proctorio stores anonymized web server log files by keeping only part of the user's IP address and generalizing the user agent.

Proctorio does not utilize any device fingerprinting in logs.

Test-taker payments

Some Institutions may require the test taker to pay for the Services. In those instances, Proctorio uses a third-party processor to process test-taker assessment payments. The information collected will only be used by Proctorio's third-party processor for the purpose of purchasing the Service. The information collected may include:

  • Credit card number
  • Credit card 3-4 digit security code
  • IP address
  • User agent
  • Email address - to receive a digital receipt

Customer accounts and payments

Proctorio may also collect Personal Information from Institution-approved representatives using Proctorio's Services to verify business information, establish customer accounts, and to process payments. Proctorio may collect financial information from potential customers to process Proctorio's customer payments, such as:

  • Business name or Business representative
  • Business email
  • Business phone number
  • Business address
  • Bank account information
  • Tax ID numbers

Sometimes Institution-approved representatives may pay for the Services with a credit card. In those instances, Proctorio uses a third-party processor to process test-taker assessment payments. The information collected will only be used by Proctorio's third-party processor for the purpose of purchasing the service. The information collected may include:

  • Credit card number
  • Credit card 3-4 digit security code
  • IP address
  • User agent
  • Email address - to receive a digital receipt

Using your Information

  • Proctorio's use of Personal Information depends on whether we are processing Information for an Institution or if an individual provides Personal Information to us directly or visits Proctorio's Sites.

As a data processor

When Proctorio is a processor for an Institution, Proctorio uses Personal Information as instructed by the respective Institution for the following Institution purposes. The services listed below are described in full in the "Collecting Personal Information" section

Please remember an Institution decides which of Proctorio's products or Services to use:

  • Automated Proctoring
  • Live Proctoring
  • Automated ID Verification
  • Live ID Verification
  • Originality Verification
  • Registering an Institution
  • Administrative account creation
  • Institution assessment platform use
  • Administering the Secure Exam Proctor environment
  • Processing client payments and/or test taker payments

Please Note: The Institution decides which of Proctorio's products or Services to use and which settings and features to enable.

De-identified data/aggregate information

For Customer Billing and Usage

Proctorio uses de-identified information for billing and utilization analysis of Proctorio's Services.

Sharing your Information

  • Proctorio doesn't sell test-taker data to third parties.
  • Proctorio doesn't share test-taker data with third parties for any marketing purposes.

As a data processor:

Data that enters Proctorio's system has been encrypted using an unshared key stored in an Institution's assessment platform and can only be unlocked by the Institution-approved representative within the assessment platform. Proctorio utilizes the assessment platform to gain information about the user's role. This restricts information from being shared with users who are not labeled as an Institution-approved representative. The entire process is transparent to the end user.

As a data controller:

In instances where Proctorio is the controller and Proctorio collects test-taker Personal Information, such as when a test taker contacts Proctorio's Customer Service or requests Service information, or when an individual contacts us directly, agrees to participate in certain activities, or when visiting Proctorio's Sites such as:

  • Surveys
  • Contests
  • Feedback
  • Customer service
  • Customer accounts and test-taker payments (Proctorio may collect customer Information to establish Institution accounts and process payments)
  • Job applications
  • Marketing
  • Continuous improvement, product development, and research

Proctorio may disclose your Personal Information in the following limited circumstances:

Law and harm

Proctorio may disclose test-taker Information if Proctorio believes that it is reasonably necessary to comply with a law, regulation, or legal request; to protect the safety of any person; to address fraud, security, or technical issues; or to protect Proctorio's rights or property.

Business transfers

Test-taker Personal Information maintained in the Institution's exam platform is the property of the Institution. Test-taker audio, video, and screen recordings and images stored within the Proctorio servers are pseudoanonymized and encrypted and will not be sold or transferred to a third party if Proctorio is involved in an acquisition, merger or other corporate reorganization transaction. In such instances, and consistent with and limited to data protection laws and privacy commitments, marketing analytics data, CRM data, customer lists, and other pseudoanonymized data may be disclosed or transferred as part of a corporate reorganization transaction; provided that the acquirer commits to using the information in a manner consistent with applicable law and this Privacy Notice.

Proctorio does not and will not sell or otherwise transfer your data to any third party except as specifically stated in Proctorio's Terms.

Identify verification

Proctorio may use third parties for identity verification with individual consent to successfully enter or submit a proctored exam using Proctorio's Services.

Payment processing

Proctorio uses a third-party payment processor to process payments. Proctorio does not directly collect payment information and is not a money-services business. To the extent such functionality is made available in the Services, it is provided by an unaffiliated third party, and like any other third-party service, is subject to their terms of use.

Third-party service providers

Proctorio uses third-party service providers to help provide Proctorio's Services, such as hosting Proctorio's various blogs, Help Center, and knowledge bases, and to help Institutions understand the use of Proctorio's Services. Since Proctorio uses Zero-Knowledge Encryption for audio, video, screen recordings and images, it is encrypted and not accessible by the third-party service provider. In all instances, third-party services providers can only use any data for Proctorio's business purposes as specified in Proctorio's written agreement with them and not their own purposes. These Services may collect information sent by your browser as part of a web page request, such as cookies or your IP request. Proctorio remains liable under the DPF Principles if the third-party service providers process any Personal Information in a manner inconsistent with the DPF Principles.

The sub-processors that Proctorio uses are listed below but Proctorio may update this list periodically.

Required sub-processors for all services:

Amazon Web Services

Purpose: DNS Services

Location: International

Website:https://aws.amazon.com/

Azure

Purpose: Cloud Service Provider

Location: International

Website: https://azure.microsoft.com/

Backblaze

Purpose: Cloud Service Provider

Location: USA and Europe

Website: https://www.backblaze.com/

Cloudflare

Purpose: Cloud Service Provider

Location: International

Website: https://cloudflare.com/

Constellix

Purpose: DNS Services

Location: International

Website:https://constellix.com/

Optional sub-processors for additional services:

ClassCalc

Purpose: Calculator Application

Location: USA

Website: https://classcalc.com/

Optional sub-processors for support services:

Google, Inc. (Workspace)

Purpose: Email support provider

Location: USA and Europe

Website: https://workspace.google.com/

Olark

Purpose: Chat support provider

Location: USA

Website: https://olark.com/

Postmark

Purpose: Transactional email support provider

Location: USA

Website: https://postmarkapp.com/

Proctorio d.o.o

Purpose: Support Services

Location: Serbia

Website: https://proctorio.com

Twilio

Purpose: Call routing and SMS provider

Location: USA

Website: https://twilio.com/

Zendesk

Purpose: Helpdesk and support

Location: USA

Website: https://zendesk.com/

Proctorio reserves the right to update this list as needed.

To ensure you are aware of all updates, please periodically check for updates here. You can also subscribe to receive update notifications at github.com/proctorio/policies.

Optional sub-processors for payment services:

Stripe

Purpose: Payment processing provider

Location: USA and Europe

Website: https://stripe.com/

Marketing

Proctorio uses search engines (Bing and Google), paid social media (LinkedIn, Twitter, and Facebook), email marketing (current and future Proctorio blog), contests (CRM info), surveys, (anonymous and/or CRM), and lead generation forms (Facebook, G2 and LinkedIn) to provide marketing to Institution representatives, who have opted in to receive marketing materials.

Proctorio does not market to test takers.

Data transfers from Proctorio branches

Support Tickets are assigned an anonymous ID so that no support inquiry is personally identifiable. Additionally support tickets do not contain embedded Personal Information unless specifically provided by the user in the text of the support request. Proctorio Support Representatives are located in the US, Germany, and Serbia.

Support Representatives will have read-only access to the ID assigned to the user, along with any Personal Information needed to verify identity or that is voluntarily given by the user. The Support Representatives are required to delete all Personal Information, required or voluntarily given, immediately after responding to and resolving the support request.

In addition, Proctorio may collect and transfer the following information to Germany, Serbia and/or the US when deemed necessary for operating of business or hired service(s):

  • IP address
  • User agent details
  • Administrator account information
  • Assessment platform functionality information
  • Client billing information

This data is transferred depending on what is required by the Institution, its users, and what is deemed necessary for the operation of Proctorio's website(s), application(s), and/or Services.

Other disclosures

Proctorio may disclose test-taker Information to fulfill the purpose for which you provide it and to enforce or apply agreements with Proctorio.

What about student education records and FERPA?

Proctorio adheres to the Family Educational Rights and Privacy Act (FERPA), as applicable, when it is providing Services to educational Institutions in the United States that are subject to FERPA.

Proctorio works with Institutions to ensure compliance with FERPA and applicable privacy laws. One of the most important ways in which we strive to adhere to FERPA and restrict disclosure is to encrypt test-taker audio, video, and screen recordings and images. As described in this Privacy Notice, Proctorio uses Zero-Knowledge Encryption to do this when an Institution has an agreement to utilize Proctorio's Services.

What is FERPA?

FERPA is a federal law that affords students (or parents/guardians for students under 18 or not enrolled in a post-secondary Institution) certain rights with respect to their education records.

In the United States, Proctorio has agreements with educational Institutions that are subject to FERPA and Proctorio acts as a third-party service provider of such educational Institutions and must make every effort to comply with FERPA generally as a "School Official." This means Proctorio is providing Proctorio's Services on behalf of the educational Institution and only as authorized by them for legitimate educational purposes.

Why is FERPA important?

FERPA protects students from having their information disclosed to third parties without the eligible student (18+) or parent's/guardian's consent, unless there is an applicable exception under FERPA, such as when a third-party service provider is authorized by an educational Institution by a written agreement to provide services as a "School Official."

Proctorio complies with FERPA by only using student Personal Information as a School Official as authorized by an educational Institution in Proctorio's written agreements.

Proctorio certified as FERPA compliant by the iKeep Safe Coalition which signifies Proctorio's compliance with relevant laws and regulations. Proctorio is also a signatory of the Student Privacy Pledge, where Proctorio pledges responsible stewardship and appropriate use of student Personal Information according to the commitments in the Pledge and in an effort to adhere to all laws applicable to Proctorio as a school service provider.

Audio, video, and screen recordings and images collected during the exam attempt, stored by Proctorio, and received from an Institution are encrypted using Zero-Knowledge Encryption. These recordings and images can only be decrypted and reviewed by Institution-approved representatives within the Institution's assessment platform. Proctorio dictates who these authorized users are by utilizing the educational Institution's assessment platform to gain information about the user's role. This restricts information from being shared with users who do not fall under the "School Official" role. The entire process is transparent to the end user. Proctorio securely delivers all content for the Services encrypted and Proctorio's servers make every effort to comply with industry security standards, including SOC 2, ISO 27001, ISO 27018 and PCI-DSS.

For Proctorio's technical support channels, Proctorio's Support Representatives are trained on privacy and security and are instructed not to ask for information beyond what FERPA defines as "Directory Information". This information may include:

  • Student full name
  • Campus email address
  • Institution name

To better ensure FERPA and privacy and security compliance, Proctorio's employees receive periodic privacy and security training. Proctorio has been SOC 2, ISO 27001 and ISO 27018 certified.

Cookies

Proctorio only utilizes Single Sign-On technology to authenticate end users. Proctorio does not use registration or a log-in system on any of Proctorio's Sites or Services. Proctorio manages sessions without using cookies (or HTML Web Storage) and runs cookie-free domains.

Third-party platforms or payment processors may utilize cookies on their own domains.

Do not track settings

Proctorio does not use any client-side tracking pixels such as those used for advertising, marketing, and targeting.

Your Rights

  • * Some countries and/or states have their own privacy and data security laws, Proctorio makes every effort to comply with each and every one of them.

As a data processor

Parents, legal guardians, or eligible students should contact their Institution directly if they want to access, correct, delete, export, import, request a copy, exercise other rights they may have, or if they have questions about their Personal Information. Proctorio does not have the ability to edit, revise or delete any test-taker Personal Information contained in test-taker records. Proctorio will send all requests regarding test-taker Personal Information to the respective Institution.

California residents should read the CCPA Notice below for more information about their rights.

When Proctorio is the controller, Proctorio will respond to your request regarding your Personal Information held by Proctorio as required by applicable laws and Proctorio's legitimate business purposes.

US K-12 Institutions and children's privacy rights

When Proctorio's Services are used by an educational Institution in the classroom for an educational purpose, Proctorio is permitted by the Institution to process that student Information as a School Official and only for legitimate educational purposes authorized by the Institution. In these instances, the Institution (on behalf of the parent) provides the required consent for Proctorio to collect Personal Information of a child under 18 for this purpose as a "School Official." Under FERPA, Institutions in the United States subject to this law must provide an annual notice to parents of third parties that are providing services under the FERPA "School Official" exception.

Other than as described above, Proctorio's Site and Services are not directed to children.

COPPA

Except for Proctorio's specific Services offered to K-12 Institutions, Proctorio's Services are directed towards adults who are of the legal age to access them in their respective jurisdictions.

If you are under the age of 13, please do not use Proctorio's Sites without explicit permission from your School Official, parent, and/or guardian.

By accessing and using Proctorio's Sites and Services, you represent and warrant that you are of the legal age to form a binding contract with Proctorio in your respective jurisdiction and that you meet the foregoing eligibility requirements. If you do not meet these requirements, you must not access or use Proctorio's Sites or Services. If Proctorio learns it has collected or received Personal Information from an individual who was ineligible to access or use the Sites or Services, Proctorio will take steps to remove such Information. If you believe Proctorio might have any Information from or about a user who is ineligible to use the Sites or Services, please contact privacy@proctorio.com.

California Consumer Privacy Act/California Privacy Rights Act ("CCPA"/"CPRA"), Colorado Privacy Act ("CPA"), Nevada Privacy of Information Collected On The Internet From Consumers Act ("NPICICA"), Virginia Consumer Data Protection Act ("VCDPA"), Utah Consumer Privacy Act ("UCPA") and Connecticut Data Privacy Act ("CTDPA")

Categories of Personal Information Collected

Under the CCPA, as amended by the CPRA, you have the right to know what Personal Information we have collected about you, including the categories of Personal Information, the categories of sources from which the personal information is collected, the business or commercial purposes for collecting, selling, or sharing personal information, the categories of third parties to whom the business discloses personal information, and the specific pieces of Personal Information we have collected about you.

Proctorio collects the following categories of information from Institution test-takers:

Proctorio provides Services to Institutions as a "School Official" under FERPA as described above. Under the CCPA, Proctorio collects, retains, uses, and discloses Personal Information, which may include student data under these Institution agreements only as a "service provider" to Proctorio's Institution customers. The respective Institution's privacy policies apply to their test-takers.

Please note that government agencies, including public Institutions, are not subject to CCPA. If you have a question or would like to exercise your California consumer rights to knowledge, access, or deletion, please contact your Institution directly.

Proctorio uses this information for one or more legitimate business purposes, including to improve our Sites and Services, offer information about our Sites and Services to you and allow you to purchase our Services. Also, Proctorio uses Personal Information to administer assessments, provide Proctorio's Services, and respond to individual inquiries.

Proctorio will not collect additional categories of Personal Information or use the Personal Information Proctorio collected for materially different, unrelated, or incompatible purposes without providing you notice.

Proctorio does not sell your Personal Information to any third parties for any purpose including direct marketing purposes. Proctorio does not share your Personal Information, except through the use of Zero-Knowledge Encryption, so only Institution-approved representatives can decrypt and review encrypted exam recordings.

Further, Proctorio has not sold any of your Personal Information with third parties in the past 12 months. Proctorio shares your Personal Information with your consent or to complete any transaction or provide any product you have requested or authorized. We also share data with Proctorio-controlled affiliates and subsidiaries; with vendors working on our behalf; when required by law or to respond to legal process; to protect our customers; to protect lives; to maintain the security of our products; and to protect the rights and property of Proctorio and its users.

Third parties receiving Personal Information are only permitted to process that Personal Information as described in Proctorio's Privacy Notice and Proctorio's written agreements and are not permitted to sell Personal Information or market to any test-taker.

Rights of California, Colorado, Nevada, Virginia, Utah, and Connecticut Residents

If you are a resident of California, Colorado, Nevada, Virginia, Utah, or Connecticut you have other rights under your respective states' consumer privacy statutes:

  • Right of Access: You can access your collected Personal Information by contacting us at dataprivacy@proctorio.com.
  • Right to Correct, Update, or Delete: You can correct, update or request deletion of your Personal Information by contacting the Institution. Proctorio can't make changes to or delete your information in some situations where it is necessary for us to maintain your information, for example if Proctorio needs the Information to comply with applicable law or based on other exceptions as indicated in the CCPA.
  • Right to Request Disclosure of Information Collected: Please contact us at dataprivacy@proctorio.com to request further information about the categories of Personal Information we have collected about you, where we collected your Personal Information, and for what purpose Proctorio uses your Personal Information.
  • Right to Disclosure of Information Sold or Shared and Right to Opt-Out of the Sale or Sharing of your Personal Information: You have the right to know what information of yours we have sold, the categories of Personal Information shared, and you have the right to opt-out of any sale or sharing of your information. Proctorio does not sell or share any of your information. If you have any questions about these rights, please contact us at dataprivacy@proctorio.com.
  • Rights to Disclosure of Sensitive Information (California): If you are a resident of California, you have a right to know how we collect, process, and disclose "Sensitive Personal Information" (SPI). SPI includes highly sensitive data such as: social security number; driver's license; passport number; financial account information and log-in credentials; precise geolocation data; genetic data; and ethnic origin. Proctorio collects and processes the following types of SPI: financial account information and log-in credentials for certain users. Proctorio uses the SPI to provide the Services and to be able to process payment. If you have any questions about the disclosure of SPI, please contact us at dataprivacy@proctorio.com.
  • Right to Retention Details (California): If you are a resident of California, you have a right to know the length of time we retain each category of Personal Information or if that is not feasible, the criteria we will use to determine that retention period. Proctorio shall store Customer Content for the Retention Period.
  • The "Retention Period" shall be the period indicated on the Order Form. If no period is indicated on the Order Form, then the Retention Period shall equal six (6) months. You may request from Proctorio a modification to the Retention Period, which Proctorio may accept or reject in its sole and absolute discretion. If Company accepts a modification request to the Retention Period, then such modification shall be only for future exams. In no event shall the Retention Period be modified for any reason for exams that have already been administered. Institutions shall inform test-takers of the Retention Period and of any modifications thereto. If you have any questions about this right, please contact us at dataprivacy@proctorio.com.
  • Right to Disclosure of Targeted Advertising and Right to Opt-Out (Colorado, Virginia, Utah, and Connecticut): If you are a resident of Colorado or Virginia, you have the right to know what information of yours we have processed for targeted advertising. Proctorio does not engage in targeted advertising. If you have any questions about these rights, please contact us at dataprivacy@proctorio.com.
  • Right to Disclosure of Profiling (Colorado, Virginia, Utah, and Connecticut): If you are a resident of Colorado Virginia, Utah, or Connecticut, you have the right to know what information of yours we have processed for the purposes of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. If you have any questions about these rights or wish to opt-out of any processing of your Personal Information as it relates to profiling, please contact us at dataprivacy@proctorio.com.
  • Right to Non-Discrimination: Proctorio does not and will not discriminate against you if you exercise your rights under the CCPA, CPA, NPICICA, VCDPA, UCPA, and CTDPA. Proctorio does not sell your Personal Information.

When you contact us regarding any of your rights under the CCPA, CPRA, CPA, NPICICA, VCDPA, UCPA, and CTDPA we will verify your identity before we provide any information.

To exercise the rights described in this Privacy Notice, please submit a verifiable consumer request to us:
via phone: Toll Free +1 866 948 9087
via email: dataprivacy@proctorio.com

Only you, or someone legally authorized to act on your behalf (if in California, the person legally authorized to act on your behalf must be registered with the California Secretary of State), may make a verifiable consumer request related to your Personal Information. You may also make a verifiable consumer request on behalf of your minor child. You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must provide sufficient information that allows Proctorio to reasonably verify you are the person about whom Proctorio collected Personal Information or an authorized representative, which may include the users:

  1. * First name
  2. * Last name
  3. * Email address

Describe your request with sufficient detail that allows Proctorio to properly understand, evaluate, and respond to your request.

Verify requests

Proctorio cannot respond to your request or provide you with Personal Information if Proctorio cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. If Proctorio cannot verify your identity or authority, Proctorio will follow procedures to verify your identity and authority. Proctorio attempts to respond to a verifiable consumer request within forty-five (45) days of its receipt. If Proctorio requires more time (up to 45 days), Proctorio will inform you of the reason and extension period in writing.

If you have an account with Proctorio, Proctorio will deliver Proctorio's written response to that account. If you do not have an account with Proctorio, Proctorio will deliver Proctorio's written response by mail or electronically, at your option.

Any disclosures Proctorio provides will only cover the 12-month period preceding the verifiable consumer request's receipt. The response Proctorio provides will also explain the reasons Proctorio cannot comply with a request, if applicable. For data portability requests, Proctorio will select a format to provide your Personal Information that is readily usable and should allow you to transmit the Information from one entity to another entity.

Proctorio does not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If Proctorio determines that the request warrants a fee, Proctorio will tell you why Proctorio made that decision and provide you with a cost estimate before completing your request.

AB 1584 is a California law that defines student and educational agencies' rights regarding student records. Proctorio complies with AB 1584 as described in this Privacy Notice and as applicable in Proctorio's agreements with California Institution(s).

If you have any questions or comments about your rights under the CCPA, CPRA, CPA, NPICICA, VCDPA, and CTDPA please contact us at dataprivacy@proctorio.com.

Canadian User Rights - FIPPA and PIPEDA

Proctorio makes every effort to cooperate with Institutions in compliance with the Canadian Freedom of Information and Protection of Privacy Act ("FIPPA"), Personal Information Protection and Electronic Documents Act ("PIPEDA"), and all federal and provincial laws and regulations, including those related to privacy and anti-spam legislation.

FIPPA provides Canadian citizens with the right to access information under the control of Institutions, while PIPEDA aims to protect the privacy rights of individuals by regulating how organizations handle their personal information and fostering transparency, accountability, and consent in the collection and use of personal data.

This document, the SaaS Agreement, and the Terms of Service all detail Proctorio's and the Institution's obligations in regard to confidentiality, transparency, accountability, and consent in the collection and use of data. FIPPA and PIPEDA compliance are predicated on all Parties' compliance with these provisions.

Further, with regard to PIPEDA's ten "Fair Information Principles" forming the framework for how Personal Information should be collected and disclosed, the Privacy Notice complies with that as well. The goal of the Fair Information Principles is to examine any collection and use of Personal Information, and ensure that it only be used in such a way that a reasonable person would consider appropriate in the circumstances. Proctorio, throughout this document, complies with that ask by being fully transparent and open with regard to all of its policies, and approaching them in not only a fully reasonable manner, but also in a cautious manner looking toward protecting all Personal Information.

GDPR and EU-US and Swiss-US Data Privacy Framework

Proctorio complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Proctorio has certified to the U.S. Department of Commerce that it adheres to the EU-U.S.

Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Proctorio has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Proctorio commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact Proctorio at: dataprivacy@proctorio.com.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Proctorio commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/eu-us-data-privacy-framework. The services of JAMS are provided at no cost to you.

If you as an EU, UK, or Swiss individual believe that Proctorio has violated its obligations under the DPF Principles, there are certain conditions in which you may invoke binding arbitration for complaints regarding DPF Principles that were not resolved through the Company or through JAMS. Please see Annex I for additional information.

The Federal Trade Commission has jurisdiction over Proctorio’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

Proctorio also complies with the EU General Data Protection Regulation ("GDPR"). Proctorio is committed to subjecting all Personal Information received from European Union (EU) member countries and Switzerland to GDPR standards. In situations where public authorities make lawful requests for information, such as to meet national security or law enforcement requirements, Proctorio may be required to disclose Personal Information.

European Economic Area (EEA) or Switzerland User Rights

Legal basis for processing your Information: If you are a Proctorio user or are visiting Proctorio's Site(s) and are located in the European Economic Area ("EEA"), Proctorio's legal basis for collecting and using the Personal Information described above will depend on the Personal Information concerned and the specific context in which Proctorio collects it. When Proctorio is a processor for an Institution, their Privacy Notice controls the processing of your Personal Information. Proctorio encourages you to read your Institution's Privacy Notice for a legal understanding of how, when, and why your Personal Information may be collected and how it is used.

When Proctorio is a data controller: If you are based in the EEA or Switzerland, you acknowledge that Proctorio may transfer your Information (including Personal Information) to Proctorio and Proctorio's facilities in the United States or elsewhere, including those of third parties as described in the "Business transfers" and "Third-party service providers" sections of this Privacy Notice. Proctorio remains liable under the DPF Principles if the third parties process Personal Information in a manner inconsistent with the DPF Principles. Please review Proctorio's Terms of Service for more information regarding any other applicable data protections.

When Proctorio is a controller with respect to your Personal Information, such as for customer support, service, and other inquiries, and you are based in the EEA or Switzerland, you may have other rights as provided below:

Access: If you wish to access your Personal Information that Proctorio collects, you can do so at any time through the Service or by contacting Proctorio using the contact details provided at the bottom of this page.

Correction, update, or deletion: You can correct, update or request deletion of your Personal Information by contacting us at privacy@proctorio.com. Proctorio can't make changes to or delete your information in some situations where it is necessary for us to maintain your information, for example if Proctorio needs the Information to comply with applicable law or based on other exceptions as indicated by law.

Data protection authority: You have a right to raise questions or complaints with your local data protection authority at any time.

Right to object: You have the right to object, on grounds relating to your particular situation, at any time to the processing of your Personal Information by Proctorio. If you exercise this right, your Personal Information will no longer be processed for such purposes by Proctorio. You may exercise this right without incurring any costs.

Right to withdraw consent: You have the right to withdraw your consent for Proctorio to process your Personal Information when your consent is the lawful basis for processing.

Right to restriction: You may have the right to restrict Proctorio's processing of your Personal Information unless Proctorio's processing is otherwise authorized by applicable law.

Right to data portability: You may have the right to receive the Personal Information that you have given Proctorio, in a structured, commonly-used, and machine-readable format.

Data portability refers to the ability of individuals to easily and securely transfer their data from one organization or platform to another. The purpose of data portability is to empower individuals with greater control and flexibility regarding their Personal Information.

Institutions have the ability to export data stored by Proctorio. Test-takers must contact their Institution and since test-taker records are under the control of that Institution.

Marketing: For Institution-approved representatives, you have the right to opt-out of marketing communications Proctorio sends you at any time. You can do this by clicking the "unsubscribe" link in the marketing email Proctorio sent you or by contacting Proctorio using one of the contact channels provided.

If using the contact details please provide your:

  • Full name
  • Email address
  • Any other relevant information that may be required to address your request

Please note that such marketing opt-out does not impact any transaction or operation notices that Proctorio may need to send you. Note that Proctorio does not market to test takers.

Protecting your Information

  • For test-taker Information that Proctorio processes for an Institution, Proctorio implements Zero-Knowledge Encryption, which means only Institution-approved representatives can decrypt and review encrypted exam recordings.

Security

Proctorio employs procedural and technical security measures that are reasonably designed to help protect Proctorio's test takers' Personal Information from loss, unauthorized access, disclosure, alteration, or destruction, which includes encryption and other security measures to help prevent unauthorized access to a test taker's Personal Information. The data a test taker transmits as part of their use of the Institution Services ("Storage Data") is encrypted and Proctorio does not have the decryption keys to decrypt or review test-taker Storage Data in its unencrypted form.

Proctorio is committed to maintaining the security and confidentiality of test-taker Information.

Towards this end, Proctorio takes the following actions:

(a) Proctorio limits employee access to test-taker information to only those employees and contractors who need the information to fulfill their job responsibilities;

(b) Proctorio conducts regular employee privacy and data security training and education; and

(c) Proctorio protects your Information with technical, contractual, administrative, and physical security safeguards in order to protect against unauthorized access, release, or use.

Proctorio is SOC 2, ISO 27001, and ISO 27018 certified and conducts regular security audits including penetration testing and vulnerability assessments. Institutions or their designated representatives may review security testing results, subject to confidentiality requirements, or conduct their own security audit of Proctorio's data security and storage practices, subject to mutual agreement. Written requests for inspection and testing can be made to security@proctorio.com.

Test-taker audio, video, and screen recordings and images are secured and processed through three layers of encryption:

  1. The Zero-Knowledge Encryption layer is used when information is stored and is secured using AES-GCM.
  2. Transmission into the datacenter is over TLSv1.2 / TLSv1.3 and, if the client supports it, Proctorio uses Perfect Forward Secrecy (PFS).
  3. Proctorio is SOC 2, ISO 27001, and ISO 27018 certified.

Security systems breach notification

As a data processor

Proctorio will notify the Institution. The Institution is responsible for notifying its test takers.

As a data controller

If Proctorio learns of a security systems breach, Proctorio may attempt to notify you electronically. Proctorio may post a notice on Proctorio's Sites and/or Services if a security breach occurs. Proctorio may also send an email at the email address provided. Depending on where you live, you may have a legal right to receive notice of a security breach in writing.

Live proctors

Live proctors are used for Live Proctoring and Live ID Verification Services only when selected by an Institution.

All Proctorio proctors sign a confidentiality agreement restricting them from using and disclosing any of the test taker's Personal Information for any purpose other than providing the testing services.

All Proctorio proctors are full-time Proctorio employees and are required to go through an extensive background check and fingerprinting process. All Proctorio proctors can view, note, and record exam attempts. Proctorio proctors go through a five-week training process with Proctorio's Proctorio Training Specialists and must complete Privacy & Security Training. The proctors are the only employees who have access to the tools required for Live Proctoring and only company-owned and controlled devices can access this information. This is further restricted using IP address restrictions to ensure these devices are being accessed in appropriate locations. Proctorio proctors are then uniquely identified at sign-on by using two-factor authentication and the device is restricted based on the user's group, department, and access level. Device compliance testing is run regularly and devices out of compliance are blocked from accessing any restricted resources until compliance is restored.

Data storage

  • Proctorio stores test-taker Personal Information, including all audio, video, and screen recordings and images, which Proctorio collects during the exam for the minimum amount of time required by the Institution or by applicable law.
  • The length and location of how and where data for operations is stored varies and is dependent on applicable law and the information itself.
  • Whether Proctorio is acting as the data controller or the data processor all Personal Information is encrypted in transmission and at rest.

As a data processor

Proctorio retains data as directed by an Institution related to the Services that Proctorio provides to them.

Proctorio retains test-taker De-Identified Data to track usage, allow Proctorio to process billing for Institutions that are Proctorio's customers, and track global usage of Proctorio's Services. "De-Identified Data" (or pseudonymized) includes:

  • A pseudonymous hash of the User ID
  • A pseudonymous hash of the Exam ID
  • A pseudonymous hash of the Course ID (when applicable)
  • Approximate location where the exam was taken
  • Exam attempt number
  • Length of exam
  • Date of exam
  • Anonymous telemetry events

As a data controller 

In situations when Proctorio acts as a data controller, the Personal Information provided by an individual is dependent on the Services, Site(s), or third-party applications accessed by the individual.

Retention, location, data deletion, and destruction

When Proctorio is the data processor, Proctorio uses a third-party cloud provider for the storage of encrypted, collected data. Data is stored in data centers requested or chosen by the partnered Institution. Institutions can choose to store the data in a data center that is geographically relevant to their location or in another, potentially further away data center.

Proctorio retains data only as directed by an Institution related to the Services that Proctorio provides to them. Proctorio will store and maintain Institutional data for up to 30 days after the termination of an applicable agreement, unless otherwise specified by the Institution or as required by applicable law.

Proctorio cannot and does not retain exam attempt recordings or chat transcripts for longer than required by the Institution or applicable law.

When Proctorio is a processor for an Institution, Proctorio will direct the test taker to contact their respective Institution with any requests related to their Personal Information.

When Proctorio is a data controller, this data is stored in locations and for time frames dependent on the Services used or Site(s) and/or third-party application(s) accessed by the individual.

Proctorio retains the previously described Information only for as long as needed for Proctorio's legitimate business purposes and as required by applicable laws, investigations, or other security matters.

US Test-Taker Payment Processing: Data is stored within the US by a third-party subprocessor headquartered in the US.

US Client Payment Processing: Data is stored within the US by a third-party subprocessor headquartered in the US.

US User and Client Support: Data is stored by a third-party subprocessor headquartered in the US and Europe.

EU Test-Taker Payment Processing: Data is stored by a third-party subprocessor headquartered in Ireland.

EU Client Payment Processing: Data is stored within Germany by a third-party subprocessor headquartered in Germany.

EU User and Client Support: Data is stored by a third-party subprocessor headquartered in the US and Europe.

Institution Assessment Platform Monitoring: Data is stored in Europe by a third-party subprocessor based in Europe.

When Proctorio is the data controller, questions regarding data storage, recovery, and deletion should be directed through one of Proctorio's contact channels.

Data Portability

Test-takers may be able to export some of their data through the Site. Institutions have the ability to export test-taker data. Test-takers may contact their Institution to export data since test-taker records are under the control of that Institution. Proctorio will not accept data portability requests directly from test-takers.

Changes to Proctorio's Privacy Notice

Proctorio reserves the right to amend this Privacy Notice at Proctorio's discretion and at any time. When Proctorio makes changes to this Privacy Notice, Proctorio will notify you by email or through a notice on Proctorio's website homepage.

Data Processor vs. Data Controller

Proctorio as a data processor

Proctorio acts as a data processor for “Institutions” (organizations and customers utilizing Proctorio Services) and only processes Personal Information (or Personal Data) based on instructions from Institutions. Personal Information is information that identifies an individual and is defined more fully under applicable law. In these instances, test-taker Personal Information is encrypted.

Proctorio utilizes end-to-end encryption to encrypt test-taker exam recordings that Proctorio receives from an Institution. This means that no one but approved “Institution representatives” (including instructors, faculty, administrators, and other authorized staff of an Institution) can access test-taker Personal Information. Proctorio does not have the cryptographic key so it cannot access Personal Information and cannot disclose test-taker Personal Information in these instances.

Institutions Control Test-Taker Personal Information. As the data processor, Proctorio only follows the instructions provided by the Institution (a “processor”). The Institution is the data controller (“controller”) and their privacy policy controls the processing of their test-taker and Institution-representative Information. The information provided in Proctorio’s Privacy Policy below is provided to test takers and Institution representatives for a general understanding of Proctorio’s privacy practices, but they should also review their respective Institution’s controlling privacy policies.

Proctorio as a data controller

It is important to note that this Privacy Policy is incorporated into and subject to the Proctorio Terms of Service for Proctorio's Sites, when Proctorio is the controller. Any terms not defined here can be found in Proctorio's Sites' Terms of Service.

What does this Privacy Policy apply to?

This Privacy Policy applies to all of Proctorio’s Product and Services Users (test takers and Institution representatives), Partnered Institutions and their representatives, and those who are visiting Proctorio’s websites, including potential clients and interested parties.

This Privacy Policy applies to Personal Information that Proctorio collects when it is a data controller from any of Proctorio’s websites (Proctorio’s “Sites”), pruefungendaheim.de, proctorio.com, getproctorio.com, proctoriostatus.com, Proctorio’s mobile apps, customer service, partner relationships, and when someone contacts Proctorio directly. In those instances, individuals may be providing Personal Information to Proctorio. When Proctorio operates as a processor for an Institution, the Institution’s privacy policies are in control. See the section above for a description of when we operate as a processor.

Institution uses

Institutions determine which of Proctorio’s services to use and this, in turn, determines the Information that Proctorio processes. Institution products and services include, but are not limited to: Automated Proctoring, Live Proctoring, Live ID Verification, Automated ID Verification, Lock Down, WebSweep, WebFreeze, Professional Review, and Originality Verification (collectively the “Services”).

You can find more information about Proctorio's Services on the Products page.

Got questions? Let's hear 'em!

By email:

privacy@proctorio.com

By mail:

7340 E Main St, Suite 203 Scottsdale, AZ 85251

Looking for Proctorio's other policies like the Terms of Service, Service Level Agreement, and Acceptable Use Policy?

Check out Proctorio's Policies center by clicking below:

Policies Center

Updates

Proctorio is constantly improving and expanding, so we may need to update this Privacy Policy from time to time.

If so, Proctorio will post its updated Privacy Policy on Proctorio’s Site located at proctorio.com, include a notice on the homepage of proctorio.com, and include updates on Github. You do not have to be registered users of GitHub to view these updates. Please visit Github to see Proctorio's page regarding updates.

Proctorio encourages you to review this Privacy Policy regularly for any changes. Your continued use of the Services and/or continued provision of Personal Information to Proctorio will be subject to the terms of the then-current Privacy Policy.