Last revised on January 2, 2024
EduSynch is a data controller when you have directly input Personal Information into a form on EduSynch’s website, or directly provide Personal Information through EduSynch's customer and/or product services.
Users can utilize EduSynch's Sites or Services without providing Personal Information.
EduSynch encrypts exam audio, video, and screen recordings and images with Zero-Knowledge Encryption. This means that once these images and recordings are encrypted, they can only be decrypted by Institution-approved representatives.
EduSynch may have access to some of this data (if the Institution chooses to collect it) when providing live technical support to an exam taker during the exam.
With E-Proctoring Services, EduSynch proctors are able to review exam sessions (including this data, if the Institution chooses to collect it) in real time. In such cases, the Institution gives authorized EduSynch staff members temporary access to review exam sessions (including this data, if the Institution chooses to collect it), typically within 24 - 48 hours after the exam session.
2. Collecting Personal Information
- EduSynch limits the Personal Information collected from end-users through their use of EduSynch’s Services.
- EduSynch only collects Personal Information as instructed by your Institution. This is dependent on the Services and settings selected by the relevant Institution-approved representatives.
- EduSynch pseudoanonymizes specific test-taker Personal Information.
- Audio, video, and screen recordings and images collected and stored by EduSynch are encrypted and can only be decrypted by Institution-approved representatives.
- If you voluntarily provide Personal Information through EduSynch’s Sites or Services, EduSynch may retain this Information.
EduSynch’s Institution Services: When an Institution purchases EduSynch’s Service(s), the type of Service and settings selected by the Institution determine what Personal Information an Institution may provide to EduSynch or what EduSynch can collect from the test taker. This is described in more detail below. Test-taker audio, video, and screen recordings and images received from Institutions and processed by EduSynch are end-to-end encrypted and can only be decrypted by Institution-approved representatives.
Only an Institution may request EduSynch to use E-Proctoring during the administration of an exam.
When using E-Proctoring, an exam administrator may instruct EduSynch to monitor test takers via a webcam, microphone, browser, and/or desktop in an effort to uphold the integrity of the assessment. This may include a scan of the test taker’s surroundings, screen, and computer display.
3.1 Video and audio recording
The Institution determines whether audio and/or video is used to monitor and/or record exam sessions and only the exam administrators have access to these audio and/or video recordings. If selected, the entire exam session is recorded.
The Institution also decides whether to record the test taker’s audio during the exam attempt. If selected, the test taker’s microphone is turned on during the session.
Audio, video, and image files are encrypted prior to being transferred to EduSynch's cloud service provider in the location specified by the Institution. The Institution designates certain individuals as appropriate individuals to access this encrypted information. Depending on the Institution’s location these audio and video files are stored on EduSynch's cloud service provider’s servers in the US, Europe, Canada, Japan, Australia, South Africa, Singapore, or Abu Dhabi. These files never leave the controlling location of the Institution.
Record Screen, Full Video, 360º Room Scan, and Random Room Scan are additional options that an exam administrator can select for an exam.
Verify Audio, Video, Desktop and Signature may also be selected by the exam administrator and the test taker is required to take those actions prior to the start of the exam.
As a result of these Institution-selected monitoring or verification options, EduSynch may collect Personal Information such as a test taker’s image and Personal Information that may be shared through the screen, desktop, webcam, web traffic or microphone of the test taker’s device.
3.2 Facial and gaze detection
If your Institution elects to use EduSynch's proctoring Services that enable video recording, EduSynch uses facial detection or gaze detection to flag potentially suspicious test activity to help Institution-approved representatives maintain assessment integrity. The Institution may choose to disable facial detection and gaze detection as a secondary setting of the video recording feature if It wishes to opt out of facial detection and gaze detection, but still record the exam session.
EduSynch does not use what is conventionally known as “biometrics” or “facial recognition” technology. Facial recognition uniquely identifies specific people by assessing whether the face in one image matches the face in another image. It requires a database of either images of people’s faces, or biometric representations of them, and technology that compares new images or biometric representations with entries in that database.
Instead, EduSynch uses “facial detection” or “gaze detection” technology. A fundamental difference between these technologies and biometrics or facial recognition technology is that facial or gaze detection technologies do not use geometry or landmarks as identifiers. Additionally this difference, can be illustrated by the questions they answer:
Facial Recognition: “Does the face in this picture match the face in this other picture?”
Facial Detection: “Is there a face in this picture?”
Gaze Detection: “Is the person looking away from the camera or the exam screen?”
Facial detection can identify that there is a human face present in an image or video recording, but it cannot identify that person – only that there is, indeed, a person in the image or recording.
Gaze detection can determine the direction that the individual is looking, but cannot identify who they are or what they are looking at.
If the exam administrator enables the use of video recording, EduSynch uses facial detection to flag video evidence that may indicate the number of individuals present within the immediate vicinity of the test taker, but EduSynch does not attempt to determine who those individuals are.
If a test taker is not able to pass the face detection process and/or the 360º Room Scan, they can enter into direct contact with an EduSynch Support Agent via a live chat to troubleshoot the issue. The Support Agent can request access to webcam images from the system, provide instructions that ensure clearly-captured images, and otherwise help the user overcome any technical issues they may be having. If the exam administrator enables the use of video recording, EduSynch can use gaze detection to flag evidence in the video and/or screenshots/webcam images that the individual was looking at something other than the device they were using to take the exam. This helps Institution-approved representatives prioritize where to review exam video recordings to determine if the test taker was consulting unauthorized materials or was receiving outside assistance during the exam attempt. However, the Institution may choose to disable facial detection and gaze detection as a secondary setting of the E-Proctoring feature if It wishes to opt out of facial detection and gaze detection, but still record the exam session.
3.3 Monitoring during an exam
When exam administrators use EduSynch’s E-Proctoring Services, EduSynch uses technology to automatically collect certain information about a test taker’s activities during the exam session for purposes of protecting exam integrity. The flagged behaviors may include facial and gaze detection (described above) to monitor if the test taker leaves the session, tracked head movement to monitor how frequently the test taker looks away, sound detection to monitor if other voices are in the room, question response time, dropped internet connections, and other activities that may indicate irregular testing activities. When using these services, EduSynch’s automated technology continually monitors the applications and processes that are running on the device during an exam session.
If an Institution has requested reporting, test-taker data may be aggregated, and then individual test-taker data may be compared to the aggregated data to look for patterns or anomalies, such as whether a test taker spent an unusually long time answering a question relative to other users.
EduSynch does not and has not established “normal“ profiles or compare test takers against any preserved or aggregated normal.
At the end of an exam session, the Institution-approved representative will have access to a summary report of these flagged activities, as well as the raw data the Service collects from each test-taker’s session. The Institution-approved representative then determines if any further action is warranted. Aggregated data can also be provided to the Institution-approved representative(s) (e.g. the average length of time users spent on an exam question, the average time spent on the entire assessment and the average date/time that users started the exam session).
Only an Institution determines whether to enable settings, which settings are enabled for flagging of irregular testing behaviors, and the Incident Levels (Low, Medium, High) assigned to certain activities of the test taker during an exam. Following the Institution-approved representative’s review, only they can determine what, if any, action to take related to a test taker.
EduSynch does not make any decisions related to the test taker from flagged activity.
4. ID Verification
Additionally, an Institution may select an option to verify the test taker’s identity before they start their exam. In this case, the Personal Information that is collected may include name, government ID number, and date of birth if the test taker chooses to utilize their government-issued ID or the Institution requires the test taker to use the government-issued ID to validate their identity. This ID image along with other test-taker audio, video, and screen recordings and images are stored with Zero-Knowledge Encryption by EduSynch. If this option is selected by the Institution,a photo of the Institution-accepted form of ID will be collected with the webcam and encrypted on EduSynch's servers. The image will only be accessible by an Institution-approved representative along with the exam results within the Institution’s assessment platform.
5. Browser Lock Setting
Depending on which features are selected by an Institution, the test taker’s browser may be locked down so that they cannot open additional tabs, pages, or device resources. This is done to help ensure test integrity.
When operating as part of the EduSynch Testing Platform or as a browser extension, EduSynch only has restricted access to a test taker’s computer system. This includes no access to any personal documents or files stored on the machine.
Immediately after an exam is submitted, all remote proctoring abilities are disabled automatically.
Although it is not necessary to do so, test takers can uninstall or disable the EduSynch E-Proctoring browser extension immediately after taking an exam, and re-install or enable it only when taking future EduSynch-proctored exams.
When operating as a browser extension, test takers can understand when EduSynch is running, through the exam entering process, when the EduSynch shield icon in the upper-right-hand corner of the browser blinks red. Lock Down settings include the following, and exam administrators can choose to implement some, all, or none of these during the exam.
6. Zero-Knowledge Encryption
When processing and securing test-taker Information from an Institution, EduSynch does not joke around. That’s why EduSynch utilizes an end to end encryption method called “Zero-Knowledge Encryption”.
“Zero-Knowledge Encryption” means that only Institution-approved representatives at Institutions can decrypt and review the encrypted exam recordings on EduSynch’s servers.
Only the Institution has the access that is needed to view Personal Information that they’ve provided to their test takers or test-taker Personal Information that has been provided to EduSynch. EduSynch utilizes PBKDF2-HMAC-SHA512 to generate the keys. Then AES-256 GCM encryption is used to encrypt the files and finally EduSynch uses TLSv1.2 and TLSv1.3 with perfect forward secrecy to transfer any and all data. EduSynch uses Zero-Knowledge Encryption for any audio, video, and screen recordings and images sent by a test taker. This means only Institution-approved representatives can decrypt, watch, and review the encrypted Information.
7. Test-taker records
All test-taker records that are “student” or “educational records” obtained by EduSynch from an educational Institution are the property of the Institution and are under the control of that Institution. Institutions or the respective test taker owns the data.
8. Information collected from Institution-approved representatives
The sections below describe Personal Information that may be collected from an Institution-approved representative.
To register an Institution to use EduSynch’s suite of services an administrator account must be created. To register an account for your institution, an Institution-approved representative must provide Personal Information, such as:
- Institution-approved representative’s name
- Phone number
- Institution name
- Campus email address
8.1 Request for demo
For Institution-approved representatives to request a demonstration of the EduSynch Services, you must provide Personal Information such as:
- Institution-approved representative’s name
- Phone number
- Institution name
- Campus email address
8.2 EduSynch E-Proctoring Admins
An Institution-approved representative can generally utilize EduSynch’s E-Proctoring Admin services to conduct exams. To do so, the Institution-approved representative does not have to provide their name or other Personal Information. Institution-approved representatives configure their exam settings to select whether to collect the following types of test-taker data:
- Audio Recordings
- Video Recordings
- Facial Detection
- Gaze Detection
- Information on test taker computer screen
- Images of test taker during exam
8.3 E-Proctoring Technical Support
To contact technical support, Personal Information such as:
- Institution-approved representative’s name
- Phone number
- Email address
may be collected from an Institution-approved representative to facilitate the troubleshooting process. Disclosure of such information by an exam administrator is voluntary and will NEVER be sold to third parties.
9. Surveys, contests, feedback
Additionally, EduSynch may invite Institution-approved representatives or test takers to participate in surveys, questionnaires, contests, or to contact EduSynch with questions, comments, or feedback. Participation is voluntary and only those that have opted in/ consented will be contacted.
Due to the nature of some of these activities, they may include the collection of Personal Information, such as your:
- Institution-approved representative’s name
- Institution details
10. Customer service
You may contact EduSynch about EduSynch's products and Services or with customer service inquiries. Depending on the method by which you contact EduSynch, certain Personal Information will be visible to EduSynch. This information is identified below. Other than this information that is inherently visible based on your selected communication platform and optionally if information is needed to verify your identity, EduSynch never requires that you disclose Personal Information.
Customer service emails
If you contact us by email, EduSynch will obtain and store your email address.
Customer service phone calls
If you contact us by phone call, EduSynch will obtain and store your phone number.
Customer service Live Chat
If you contact us through chat, EduSynch will obtain your IP Address and store only part of it.
11. Job applicants
- Job applicant name
- Postal address
- Government ID numbers
- Date of birth
- Employment history
- Academic history
EduSynch may also collect Personal Information from Institution representatives and other professionals, such as their name and email address, to send marketing communications about EduSynch's products and Services. These communications will only occur if they have consented to receiving this information. EduSynch does not sell, transfer or utilize your data for any purpose other than to provide EduSynch's Services.
EduSynch does NOT send marketing communications to test takers.
13. Automatically collected Information; log Information
When you access the Sites and Services via a browser, application, or other device, EduSynch's servers automatically record certain information. These server logs will include information such as:
- Your web request
- Your interaction with a Service
- IP address (only part of the IP address is stored)
- Browser type (high level only)
- Browser language
- The date and time of your request
EduSynch stores anonymized web server log files by keeping only part of the user’s IP address and generalizing the user agent.
EduSynch does not utilize any device fingerprinting in logs.
Some Institutions may require the test taker to pay for the Services. In those instances, EduSynch uses a third-party processor to process test-taker assessment payments. The information collected will only be used by EduSynch's third-party processor for the purpose of purchasing the Service. The information collected may include:
- Credit card number
- Credit card 3-4 digit security code
- IP address
- User agent
- Email address - to receive a digital receipt
15. Customer accounts and payments
EduSynch may also collect Personal Information from Institution-approved representatives using EduSynch's Services to verify business information, establish customer accounts, and to process payments. EduSynch may collect financial information from potential customers to process EduSynch's customer payments, such as:
- Business name or Business representative
- Business email
- Business phone number
- Business address
- Bank account information
- Tax ID numbers
Sometimes Institution-approved representatives may pay for the Services with a credit card. In those instances, EduSynch uses a third-party processor to process test-taker assessment payments. The information collected will only be used by EduSynch's third-party processor for the purpose of purchasing the service. The information collected may include:
- Credit card number
- Credit card 3-4 digit security code
- IP address
- User agent
- Email address - to receive a digital receipt
16. Using your Information
EduSynch's use of Personal Information depends on whether we are processing Information for an Institution or if an individual provides Personal Information to us directly or visits EduSynch's Sites.
17. As a data processor
When EduSynch is a processor for an Institution, EduSynch uses Personal Information as instructed by the respective Institution for the following Institution purposes. The services listed below are described in full in the “Collecting Personal Information” section.
Please remember an Institution decides which of EduSynch's products or Services to use:
- Custom Testing (with and without proctoring)
- Registering an Institution
- Administrative account creation
- Institution assessment platform use
- Administering E-Proctoring services
- Processing client payments and/or test taker payments
Please Note: The Institution decides which of EduSynch's products or Services to use and which settings and features to enable.
18. As a data controller
EduSynch uses Personal Information as follows when an individual contacts us directly, agrees to participate in certain activities, or when visiting EduSynch's Sites such as:
- Customer service
- Customer accounts and test-taker payments (EduSynch may collect customer Information to establish Institution accounts and process payments)
- Job applications
- Continuous improvement, product development, and research
- Site operations and security
19. Site operations and security
As a controller and operator of EduSynch's Site, EduSynch automatically collects information and log details to operate EduSynch's Sites.
- EduSynch tracks the total number of visitors to EduSynch's Site, the number of visitors to each page of EduSynch's Site, browser type, and IP addresses. However, EduSynch anonymizes the IP address by removing the last octet of the address, making EduSynch unable to identify you or your exact location.
- EduSynch may also analyze tracked data for trends and statistics in the aggregate. Such information will be maintained, used, and disclosed in aggregate form only and will not contain Personal Information.
- EduSynch also has in place website security tools and processes, including penetration testing and vulnerability scans, to better ensure Site security and protection of Information. In the event of a firewall event or other attempt that triggers a firewall rule, either active or passive, the offending IP address is recorded in its entirety and maintained in our data security tracking systems.
20. De-identified data/aggregate information
20.1 For Customer Billing and Usage
EduSynch uses de-identified information for billing and utilization analysis of EduSynch's Services.
21. Sharing your Information
- EduSynch doesn’t sell test-taker data to third parties.
- EduSynch doesn’t share test-taker data with third parties for any marketing purposes.
22. As a data processor
Data that enters EduSynch's system has been encrypted using an unshared key stored in an Institution’s assessment platform and can only be unlocked by the Institution-approved representative within the assessment platform. EduSynch utilizes the assessment platform to gain information about the user's role. This restricts information from being shared with users who are not labeled as an Institution-approved representative. The entire process is transparent to the end user.
23. As a data controller
In instances where EduSynch is the controller and EduSynch collects test-taker Personal Information, such as when a test taker contacts EduSynch's Customer Service or requests Service information, information about EduSynch's company, or other inquiries, EduSynch may disclose your Personal Information in the following limited circumstances:
23. 1 Law and harm
EduSynch may disclose test-taker Information if EduSynch believes that it is reasonably necessary to comply with a law, regulation, or legal request; to protect the safety of any person; to address fraud, security, or technical issues; or to protect EduSynch's rights or property.
23.2 Business transfers
EduSynch will never sell your data to a third party. Any transfer of your data to any third party will be as specifically stated in EduSynch’s Terms.
23.3 Identify verification
EduSynch may use third parties for identity verification with individual consent to successfully enter or submit a proctored exam using EduSynch's Services.
23.4 Payment processing
23.5 Third-party service providers
EduSynch uses third-party service providers to help provide EduSynch's Services, such as hosting EduSynch's blogs, Help Center, and knowledge bases, and to help EduSynch understand the use of EduSynch's Services. As EduSynch uses Zero-Knowledge Encryption for audio, video, and screen recordings and images, it is encrypted and not accessible by the third-party service provider. In all instances, third-party services providers can only use any data for EduSynch's business purposes as specified in EduSynch's written agreement with them and not their own purposes. These Services may collect information sent by your browser as part of a web page request, such as cookies or your IP request. The sub-processors that EduSynch uses are listed below but EduSynch may update this list periodically:
Purpose: Cloud service providerLocation: InternationalWebsite: https://aws.amazon.com/
Purpose: Cloud service providerLocation: InternationalWebsite: https://azure.microsoft.com/
Purpose: Cloud service providerLocation: InternationalWebsite: https://cloudflare.com/
Purpose: Payment processing providerLocation: USAWebsite: https://braintreegateway.com/
Purpose: Internal and external call routing providerLocation: USAWebsite: https://twilio.com/
Purpose: Helpdesk and supportLocation: USAWebsite: https://zendesk.com/
Purpose: Live chat and supportLocation: FranceWebsite: https://crisp.chat/en/
EduSynch will update this list as EduSynch may make changes to it.
To ensure you are aware of all updates, please periodically check for updates here.
EduSynch uses search engines (Bing and Google), paid social media (LinkedIn, Twitter, and Facebook), email marketing (current and future EduSynch blog), contests (CRM info), surveys, (anonymous and/or CRM), lead generation forms (Facebook and LinkedIn) to provide marketing to Institution representatives, who have opted in to receive marketing materials. EduSynch does not market to test takers.
23.7 Data transfers from EduSynch branches
Support tickets do not contain embedded Personal Information/ Personal Data unless specifically provided by the user in the text of the support request. EduSynch Support Representatives are located in the US, Brazil and India.
Support Representatives will have read-only access to the ID assigned to the user, along with any Personal Information/ Personal Data needed to verify identity or that is voluntarily given by the user. The Support Representatives are required to delete all Personal Information/Personal Data, required or voluntarily given, immediately after responding to and resolving the support request.
In addition, EduSynch may collect and transfer the following information when deemed necessary for operating of business or hired service(s):
- IP addresses
- User agent details
- Administrator account information
- Assessment platform functionality information
- Client billing information
This data is transferred depending on what is required by the Institution, its users, and what is deemed necessary for the operation of EduSynch's website(s), application(s), and/or Services.
23.8 Other disclosures
EduSynch may disclose test-taker Information to fulfill the purpose for which you provide it and to enforce or apply agreements with EduSynch.
24. What about student education records and FERPA?
EduSynch adheres to the Family Educational Rights and Privacy Act (FERPA) as applicable when it is providing Services to educational Institutions in the United States that are subject to FERPA.
24.1 What is FERPA?
FERPA is a federal law that affords students (or parents/guardians for students under 18 or not enrolled in a post-secondary Institution) certain rights with respect to their education records. In the United States, EduSynch has agreements with educational Institutions that are subject to FERPA and EduSynch acts as a third-party service provider of such educational Institutions and must make every effort to comply with FERPA generally as a “School Official.” This means EduSynch is providing EduSynch's Services on behalf of the educational Institution and only as authorized by them for legitimate educational purposes.
24.1.1 Why is FERPA important?
FERPA protects students from having their information disclosed to third parties without the eligible student (18+) or parent’s/guardian’s consent unless there is an applicable exception under FERPA, such as when a third-party service provider is authorized by an educational Institution by a written agreement to provide services as a “School Official.”
EduSynch complies with FERPA by only using student Personal Information as a School Official as authorized by an educational Institution in EduSynch's written agreements.
Remember audio, video, and screen recordings and images collected during the exam attempt, stored by EduSynch, and received from an Institution are encrypted using Zero-Knowledge Encryption. These recordings and images can only be decrypted and reviewed by Institution-approved representatives within the Institution’s assessment platform. EduSynch dictates who these authorized users are by utilizing the educational Institution’s assessment platform to gain information about the user's role. This restricts information from being shared with users who do not fall under the "School Official" role. The entire process is transparent to the end user. EduSynch securely delivers all content for the Services encrypted and EduSynch's servers make every effort to comply with industry security standards, including ISO 27001 and PCI-DSS.
For EduSynch's technical support channels, EduSynch's Support Representatives are trained on privacy and security and are instructed not to ask for information beyond what FERPA defines as "Directory Information". This information may include:
- Student full name
- Campus email address
- Institution name
To better ensure FERPA and privacy and security compliance, EduSynch's employees receive periodic privacy and security training. EduSynch has been ISO 27001 certified.
We only utilize Single Sign-On technology to authenticate end users. EduSynch does not use registration or a log-in system on any of EduSynch's Sites or Services. EduSynch manages sessions without using cookies (or HTML Web Storage) and runs cookie-free domains.
Third-party platforms or payment processors may utilize cookies on their own domains.
26. Do not track settings
EduSynch does not use any client-side tracking pixels such as those used for advertising, marketing, and targeting.
When a client uses the “Do Not Track” client setting, EduSynch will only log the action, but will not store the user agent or IP address.
27. Your Rights
Some countries and/or states have their own privacy and data security laws, EduSynch makes every effort to comply with each and every one of them via a customizable DPA (Data Processing Agreement) that can be tailored to the needs of any potential partner.
28. As a data processor
Parents, legal guardians, or eligible students should contact their Institution directly if they want to access, correct, delete, export, import, request a copy, exercise other rights they may have, or if they have questions about their Personal Information. EduSynch does not have the ability to edit, revise or delete any test-taker Personal Information contained in test-taker records. We will send all requests regarding test-taker Personal Information to the respective Institution.
When EduSynch is the controller, EduSynch will respond to your request regarding your Personal Information held by EduSynch as required by applicable laws and EduSynch's legitimate business purposes.
28. US K-12 Institutions and children's privacy rights
When EduSynch’s Services are used by an educational Institution in the classroom for an educational purpose, EduSynch is permitted by the Institution to process that student Information as a School Official and only for legitimate educational purposes authorized by the Institution. In these instances, the Institution (on behalf of the parent) provides the required consent for EduSynch to collect Personal Information of a child under 18 for this purpose as a “School Official.” Under FERPA, Institutions in the United States subject to this law must provide an annual notice to parents of third parties that are providing services under the FERPA “School Official” exception.
Other than as described above, EduSynch's Site and Services are not directed to children.
Except for EduSynch's specific services offered to K-12 Institutions, EduSynch's Services are directed towards adults who are of the legal age to access them in their respective jurisdictions.
If you are under the age of 13, please do not use EduSynch's Sites without explicit permission from your School Official, parent, and/or guardian.
By accessing and using EduSynch's Sites and Services, you represent and warrant that you are of the legal age to form a binding contract with EduSynch in your respective jurisdiction and that you meet the foregoing eligibility requirements. If you do not meet these requirements, you must not access or use EduSynch's Sites or Services. If EduSynch learns EduSynch has collected or received Personal Information from an individual who was ineligible to access or use the Sites or Services, EduSynch will take steps to remove such Information. If you believe EduSynch might have any Information from or about a user who is ineligible to use the Sites or Services, please contact firstname.lastname@example.org.
31. California privacy rights
EduSynch does not sell your Personal Information to any third parties for direct marketing purposes as defined in California Civil Code Section § 1798.83.
Please contact email@example.com for any questions regarding your Personal Information.
EduSynch does not sell Personal Information to third parties.
EduSynch does not market to test takers and does not permit any third-party marketing to them.
EduSynch uses Zero-Knowledge Encryption, so only Institution-approved representatives can decrypt and review encrypted exam recordings.
31.1. CCPA notice
31.2 Institution test takers
EduSynch provides Services to Institutions as a “School Official” under FERPA as described above. Under the CCPA, EduSynch collects, retains, uses, and discloses Personal Information, which may include student data under these Institution agreements only as a “service provider” to EduSynch's Institution customers. The respective Institution’s privacy policies apply to their test takers.
Please note that government agencies, including public Institutions, are not subject to CCPA.
If you have a question or would like to exercise your California consumer rights to knowledge, access, or deletion, please contact your Institution directly.
EduSynch does not sell Personal Information. EduSynch uses Personal Information to administer assessments, provide EduSynch's Services, and respond to individual inquiries.
If you are a resident of California, you have other rights under the CCPA as follows:
- Right to Correct, Update, or Delete: you can correct, update, or request deletion of your Personal Information by contacting EduSynch through one of the channels listed below. EduSynch can’t make changes to or delete your Information in some situations where it is necessary for EduSynch to maintain your Information, for example if EduSynch needs the Information to comply with applicable law or based on other exceptions as indicated in the CCPA.
- Right to Request Disclosure of Information Collected: please contact EduSynch as indicated below to request further information about the categories of Personal Information EduSynch has collected about you, where EduSynch collected your Personal Information, and for what purpose EduSynch uses your Personal Information.
- Right to Disclosure of Information Sold and Right to Opt-Out: you have the right to know what Information of yours EduSynch has sold and you have the right to opt-out of any sale of your Information. EduSynch does not sell your Personal Information.
- Right to Non-Discrimination: EduSynch does not and will not discriminate against you if you exercise your rights under the CCPA.
Only you, or someone legally authorized to act on your behalf and registered with the California Secretary of State, may make a verifiable consumer request related to your Personal Information. You may also make a verifiable consumer request on behalf of your minor child. You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
- 1. Provide sufficient information that allows EduSynch to reasonably verify you are the person about whom EduSynch collected Personal Information or an authorized representative, which may include the user’s:
- 1. First name
- 2. Last name
- 3. Email address
- 2. Describe your request with sufficient detail that allows EduSynch to properly understand, evaluate, and respond to your request.
31.3. Verify requests
EduSynch cannot respond to your request or provide you with Personal Information if EduSynch cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. If EduSynch cannot verify your identity or authority, EduSynch will follow procedures to verify your identity and authority. EduSynch attempts to respond to a verifiable consumer request within forty-five (45) days of its receipt. If EduSynch requires more time (up to 45 days), EduSynch will inform you of the reason and extension period in writing.
If you have an account with EduSynch, EduSynch will deliver EduSynch's written response to that account. If you do not have an account with EduSynch, EduSynch will deliver EduSynch's written response by mail or electronically, at your option.
Any disclosures EduSynch provides will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response EduSynch provides will also explain the reasons EduSynch cannot comply with a request, if applicable. For data portability requests, EduSynch will select a format to provide your Personal Information that is readily usable and should allow you to transmit the Information from one entity to another entity.
EduSynch does not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If EduSynch determines that the request warrants a fee, EduSynch will tell you why EduSynch made that decision and provide you with a cost estimate before completing your request.
31.3.1 Changes to EduSynch's CCPA privacy notice
EduSynch reserves the right to amend this CCPA privacy notice at EduSynch's discretion and at any time. When EduSynch makes changes to this CCPA privacy notice, EduSynch will notify you by email or through a notice on EduSynch's website homepage.
31.3.2 Contact EduSynch
When you contact EduSynch regarding any of your rights under the CCPA, EduSynch will verify your identity before EduSynch provides any information. You may contact EduSynch via email: firstname.lastname@example.org or via the live chat available at https://edusynch.com
We do not discriminate against California residents who exercise their CCPA privacy rights.
32. Legal basis for processing your Information
32.1 When EduSynch is a data controller
When EduSynch is a controller, EduSynch will normally collect Personal Information from you only where EduSynch has your consent to do so for marketing purposes, to perform a contract, or where the processing is in EduSynch's legitimate business interests for Site and EduSynch's business operations purposes. Where legitimate interest is EduSynch's lawful basis for processing, EduSynch has conducted an assessment to balance the individual’s privacy rights against EduSynch's legitimate need to process the Personal Information. In some cases, EduSynch may also have a legal obligation to collect Personal Information from you.
Where EduSynch is the controller, if you have questions about or need further information concerning the legal basis on which EduSynch collects and uses your Personal Information, please contact us through one of EduSynch's channels.
33. Canadian User Rights - FIPPA
EduSynch makes every effort to cooperate with Institutions in the compliance with the Canadian Freedom of Information and Protection of Privacy Act ("FIPPA"), as well as all federal and provincial laws and regulations, including those related to privacy and anti-spam legislation.
FIPPA provides Canadian citizens with the right to access information under the control of institutions. The SaaS Agreement and the Terms of Service fully detail both EduSynch’s and the Institution’s obligations in relation to the confidentiality of data. FIPPA compliance is predicated on the Parties’ compliance to these provisions. These Confidentiality Obligations can be found in the Terms of Service.
34. EU-US and Swiss-US Privacy Shield frameworks
EduSynch fully complies with the EU General Data Protection Regulation ("GDPR").
Our EU Representative:Under Article 27 of the GDPR, we have appointed an EU Representative to act as our data protection agent. Our nominated EU Representative is: Instant EU GDPR Representative Ltd. Adam Brogden email@example.com Tel +35315549700 INSTANT EU GDPR REPRESENTATIVE LTD Office 2, 12A Lower Main Street, Lucan Co. Dublin K78 X5P8 Ireland
Our UK Representative:Under Article 27 of the UK Data Privacy Act, we have appointed a UK Representative to act as our data protection agent. Our nominated UK Representative is: GDPR Local Ltd. Adam Brogden firstname.lastname@example.org Tel +44 1772 217800 1st Floor Front Suite 27-29 North Street, Brighton England BN1 1EB
Please Note: Privacy Shield has been invalidated by the Court of Justice of the European Union. EduSynch is using Standard Contractual Clauses (“SCCs”) in addition to other mechanisms and implementing supplemental measures as applicable to better ensure that EU individuals’ Personal Data is subject to adequate protections.
EduSynch participates in and has certified its compliance with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework. Although this is no longer a valid data transfer mechanism in the EU, EduSynch will continue to self-certify under Privacy Shield as it provides additional protections. EduSynch is committed to subjecting all Personal Data received from European Union (EU) member countries and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework's applicable principles. To learn more about the Privacy Shield Frameworks, and to view EduSynch's certification, visit the US Department of Commerce's Privacy Shield website.
With respect to Personal Data received or transferred pursuant to the Privacy Shield frameworks, EduSynch remains subject to the regulatory enforcement powers of the US Federal Trade Commission (for issues pertaining to Privacy Shield). In situations where public authorities make lawful requests for information, such as to meet national security or law enforcement requirements, EduSynch may be required to disclose Personal Data.
If you have an unresolved privacy or data use concern that EduSynch has not addressed satisfactorily, please contact EduSynch's US-based, third-party dispute resolution provider: Jams. This service is free of charge.
As more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
If you remain dissatisfied, then you have the right to apply directly to your local data protection authority. You can find the list at: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm
35. European Economic Area (EEA) or Switzerland User Rights
When EduSynch is a processor, you must contact your Institution regarding your Information and exercising any of your rights.
35.1 When EduSynch is a data controller
If you wish to access your Personal Data that EduSynch collects, you can do so at any time through the Service or by contacting EduSynch using the contact details provided at the bottom of this page.
35.1.2 Correction, update, or deletion
You can correct, update, or request deletion of your Personal Data through the Service-interface, or by contacting EduSynch using the contact details provided at the bottom of this page.
35.1.3 Data protection authority
You have a right to raise questions or complaints with your local data protection authority at any time.
35.1.4 Right to object
You have the right to object, on grounds relating to your particular situation, at any time to the processing of your Personal Data by EduSynch. If you have a right to object and you exercise this right, your Personal Data will no longer be processed for such purposes by EduSynch. You may exercise this right without incurring any costs.
35.1.5 Right to withdraw consent
You have the right to withdraw your consent for EduSynch to process your Personal Data when your consent is the lawful basis for processing.
31.1.6 Right to restriction
You may have the right to restrict EduSynch's processing of your Personal Data unless EduSynch's processing is otherwise authorized by applicable law.
31.1.7 Right to data portability
You may have the right to receive the Personal Data that you have given EduSynch, in a structured, commonly-used, and machine-readable format. You have the right to send that Personal Data to another controller if the processing is based on consent or on a contract and is carried out by automated means.
For Institution-approved representatives, you have the right to opt-out of marketing communications EduSynch sends you at any time. You can do this by clicking the "unsubscribe" link in the marketing email EduSynch sent you or by contacting EduSynch using one of the contact channels provided. If using the contact details please provide your:
- Full name
- Email address
36. Protecting your Information
For test-taker Information that EduSynch processes for an Institution, EduSynch implements Zero-Knowledge Encryption, which means only Institution-approved representatives can decrypt and review encrypted exam recordings.
EduSynch employs procedural and technical security measures that are reasonably designed to help protect EduSynch's test takers’ Personal Information from loss, unauthorized access, disclosure, alteration, or destruction, which includes encryption and other security measures to help prevent unauthorized access to a test taker’s Personal Information. The data a test taker transmits as part of their use of the Institution Services ("Storage Data") is encrypted and EduSynch does not have the decryption keys to decrypt or review test-taker Storage Data in its unencrypted form.
EduSynch is committed to maintaining the security and confidentiality of test-taker Information.
Towards this end, EduSynch takes the following actions: (a) EduSynch limits employee access to test-taker information to only those employees and contractors who need the information to fulfill their job responsibilities; (b) EduSynch conducts regular employee privacy and data security training and education; and (c) EduSynch protects your Information with technical, contractual, administrative, and physical security safeguards in order to protect against unauthorized access, release, or use.
Institutions or their designated representatives may review security testing results, subject to confidentiality requirements, or conduct their own security audit of EduSynch’s data security and storage practices, subject to mutual agreement. Written requests for inspection and testing can be made to email@example.com.
Test-taker audio, video, and screen recordings and images are secured and processed through three layers of encryption:
- 1. The Zero-Knowledge Encryption layer is used when information is stored and is secured using AES-GCM.
- 2. Transmission into the datacenter is over TLSv1.2 / TLSv1.3 and, if the client supports it, EduSynch uses Perfect Forward Secrecy (PFS).
- 3. All data centers are ISO 270001 certified, SOC 2 attested.
37.1 Security systems breach notification
37.1.1 As a data processor
EduSynch will notify the Institution. The Institution is responsible for notifying its test takers.
37.1.2 As a data controller
If EduSynch learns of a security systems breach, EduSynch may attempt to notify you electronically. EduSynch may post a notice on EduSynch's Sites and/or Services if a security breach occurs. EduSynch may also send an email at the email address provided. Depending on where you live, you may have a legal right to receive notice of a security breach in writing.
38. Data storage
EduSynch stores test-taker Personal Information, including all audio, video, and screen recordings and images, which EduSynch collects during the exam for the minimum amount of time required by the Institution or by applicable law.
The length and location of how and where data for operations is stored varies and is dependent on applicable law and the information itself.
Whether EduSynch is acting as the data controller or the data processor all Personal Information is encrypted in transmission and at rest.
39. As a data processor
EduSynch retains data as directed by an Institution related to the Services that EduSynch provides to them.
EduSynch retains test-taker De-Identified Data to track usage, allow EduSynch to process billing for Institutions that are EduSynch’s customers, and track global usage of EduSynch’s Services. "De-Identified Data" (or pseudonymized) includes:
- A pseudonymous hash of the User ID
- A pseudonymous hash of the Exam ID
- A pseudonymous hash of the Course ID (when applicable)
- Approximate location where the exam was taken
- Exam attempt number
- Length of exam
- Date of exam
- Anonymous telemetry events
40. As a data controller
In situations when EduSynch acts as a data controller, the Personal Information provided by an individual is dependent on the Services, Site(s), or third-party applications accessed by the individual.
50. Retention, location, data deletion, and destruction
When EduSynch is the data processor, EduSynch uses a third-party cloud provider for the storage of encrypted, collected data. Data is stored in data centers requested or chosen by the partnered Institution. Institutions can choose to store the data in a data center that is geographically relevant to their location or in another, potentially further away data center.
EduSynch retains data only as directed by an Institution related to the Services that EduSynch provides to them. EduSynch will store and maintain Institutional data for up to 30 days after the termination of an applicable agreement, unless otherwise specified by the Institution or as required by applicable law. EduSynch cannot and does not retain exam attempt recordings or chat transcripts for longer than required by the Institution or applicable law.
When EduSynch is a processor for an Institution, EduSynch will direct the test taker to contact their respective Institution with any requests related to their Personal Information.
When EduSynch is a data controller, this data is stored in locations and for time frames dependent on the Services used or Site(s) and/or third-party application(s) accessed by the individual.
EduSynch retains the previously described Information only for as long as needed for EduSynch’s legitimate business purposes and as required by applicable laws, investigations, or other security matters.
US Test-Taker Payment Processing: Data is stored within the US by a third-party subprocessor headquartered in the US.
US Client Payment Processing: Data is stored within the US by a third-party subprocessor headquartered in the US.
US User and Client Support: Data is stored by a third-party subprocessor headquartered in the US and Europe.
EU Test-Taker Payment Processing: Data is stored by a third-party subprocessor headquartered in Ireland.
EU Client Payment Processing: Data is stored within Germany by a third-party subprocessor headquartered in Germany.
EU User and Client Support: Data is stored by a third-party subprocessor headquartered in the US and Europe.
Institution Assessment Platform Monitoring: Data is stored in Europe by a third-party subprocessor based in Europe.
When EduSynch is the data controller, questions regarding data storage, recovery, and deletion should be directed through one of EduSynch’s contact channels.