Effective Date: May 15, 2020
As provided below, ExamSoft complies with the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield regarding the collection, use, and retention of personal data from European Union member countries, Switzerland and the United Kingdom.
ExamSoft also complies with U.S. laws, including the Family Educational Rights and Privacy Act (“FERPA”), where applicable, which provide privacy protections for personal data. ExamSoft is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
Collection of information
ExamSoft may collect, store, and use the following personal data:
- Information that you provide in the process of registering a user account with ExamSoft, subscribing to ExamSoft’s websites’ services and/or email notifications, or using ExamSoft’s software to take an exam.
More specifically, when you take an examination, you enter certain data into the ExamSoft software including your name, student or registrant identification number, phone number, email address, answers, and other assessment content.
- Information that we collect automatically while administering examinations. We automatically collect information relating to exam takers as part of our contractual obligation to administer examinations and ensure examination integrity; such information typically includes: makes and models of computers used by exam takers, device identification numbers, types and versions of software used by exam takers, and security and software performance related information, such as keystroke data.
- Information about any transactions carried out between you and ExamSoft on or in relation to ExamSoft’s websites, including information relating to any purchases you make of ExamSoft’s goods or services. We may also collect information from website visitors such as IP address, geographical location, operating system, browser type, referral source, length of visit, and number of page views.
For specific services, ExamSoft may also collect, store, use and retain “biometric identifiers” and “biometric information.” “Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. “Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. These types of information are also considered “biometric data” under the EU General Data Protection Regulation. ExamSoft uses this information in the course of providing certain of its services to its clients. Before ExamSoft collects biometric information or biometric identifiers, it will notify you, and you will have the right to consent or refuse to provide this information or identifiers. ExamSoft will retain, and it requires its vendors to retain, this information only for so long as required to provide the service, but in any event only for so long as required by the institution that is using the applicable ExamSoft product, or failing instruction from the client, so long as the client account is maintained.
Access to System Files
Certain products in our solution require that, prior to an assessment, each exam taker’s device must be secured. Therefore, in order to secure the exam taker’s device, ExamSoft must access and, in some instances, modify device system files. By using our products, you understand and consent to this action.
ExamSoft generally collects personal data on behalf of its customers for purposes of providing exam-related services to those customers. As a result, if you are a resident of the EU, Switzerland or the United Kingdom, for much of the personal data we process our customer will be the “data controller” of the applicable personal data, and ExamSoft is the “data processor,” as those terms are used in applicable data and privacy laws. In its role as a data processor, ExamSoft only processes personal data in accordance with the applicable contract for purposes of providing its exam-related services to its customers. Please check with the individual educational or examination provider about the policies they have in place regarding the collection and use of your personal data.
Use and sharing of personal data
- to process any inquiries submitted by you and other communications initiated by you in relation to your dealings with ExamSoft;
- to notify its users and customers of any issues affecting ExamSoft’s services and software, and the resolution thereof, including by email or text message;
- to improve your browsing experience by personalizing the websites;
- when permitted by a customer, to send it marketing communications;
- to comply with statutory and regulatory requirements;
- in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; and
- to provide and improve its exam-related services pursuant to its agreements with its users and its customers (e.g., educational institutions), and to develop new services for our customers.
ExamSoft will never sell any exam taker data. ExamSoft does not sell personal data, and except for disclosures reasonably necessary for the purposes identified above and as set forth below, ExamSoft will not otherwise disclose personal data to third parties. ExamSoft may disclose personal data:
- with our customers for the purpose of exam administration;
- with our marketing partners, where our customers have opted-in to sharing for marketing purposes;
- to the extent required or permitted by law such as sharing with law enforcement where requested pursuant to an investigation;
- in connection with any legal proceedings or prospective legal proceedings;
- in order to establish or exercise ExamSoft’s legal rights or defend against claims, for example, as sharing may be necessary in order to assert a legal claim or defense, such as to enforce our Exam Taker End User License Agreement;
- in connection with a sale, merger, acquisition, or other transaction affecting the associated business; and
- to third party service providers and partners, such as consultants helping us provide technical or customer support, but only to the extent such service providers and partners require such personal data to provide such services to ExamSoft and its users and customers.
ExamSoft may use technology to track the patterns of behavior of visitors to these websites. This can include using a “cookie,” a text file sent by a Web server to a Web browser and stored by the browser for record keeping purposes. As a result, it is possible to speed up your future activities at these websites and allow ExamSoft to provide you with a personalized browsing experience.
You can choose to accept or decline cookies by modifying your browser settings to accept or reject cookies. If you choose to decline cookies, this may prevent you from taking full advantage of the websites’ features. Each browser is different, so check the “Help” menu of your browser to learn how to change your cookie preferences or visit http://www.allaboutcookies.org for more information.
ExamSoft’s websites only take action in response to “do not track” signals if it is browser enabled.
Choices and Rights
Depending on your location and the data protection laws that apply to you, you may have certain rights with regard to personal data that ExamSoft processes about you.
In many cases you should contact the university or test administrator directly to exercise applicable privacy rights. If you contact us directly, we may remove or update your information within a reasonable time and after providing notice to and obtaining approval from the relevant university or test administrator. However, in certain cases where we are not the “controller” or “business” of your personal data (such as when the personal data was collected on behalf of an educational institution as part of our exam-related services), we may be required to refer you or your request to the applicable controller or business.
For EU, Swiss and UK residents. If you are located in the EU, Switzerland or the UK, the following rights will apply to you.
If our processing is based on your consent, you have the right to withdraw consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
In some cases, you may be able to object to the processing of our data or restrict its use, for example, if your data is wrongfully withheld or we no longer have a legitimate interest in processing the data. You may be able to request that we delete or erase some of your data, such as when it is no longer needed for exam administration, or request portability of your data.
For California residents. Under the California Consumer Privacy Act (CCPA), California residents have the right to request that a business disclose certain information about the collection and use of their personal information over the past 12 months. A California resident also has the right to ask such businesses to delete the personal information they have collected, and if the business sells personal information they have a right to opt-out of that sale. Finally, a business cannot discriminate against a California resident for exercising any of their rights under the CCPA.
When providing its services to its customers, ExamSoft acts as a “service provider” under the CCPA and our collection and use of consumer personal information is performed solely on behalf of our customers (as CCPA businesses). If you are a California resident wishing to exercise any of your rights under the CCPA, and we collected your personal information in the context of our services, please direct your request to the individual educational or examination provider.
In addition, California residents who provide personal information in obtaining products or services for personal, family, or household use are entitled to request and obtain from us, once a calendar year, information about the customer information we shared, if any, with other businesses for their own direct marketing use. If applicable, this information would include the categories of customer information and the names and addresses of those businesses with which we shared customer information for the immediately prior calendar year.
For everyone. To opt-out from receiving future email marketing or other promotional communications from us, please click the “unsubscribe” or “opt-out” link at the bottom of such emails, or contact us directly as set forth in the Contact Us section provided below.
Security of your personal data
ExamSoft takes reasonable precautions to protect your personal data from loss, misuse and unauthorized access, disclosure, alteration, and destruction. No method of transmission over the Internet, or method of electronic storage is 100% secure, however. Therefore, ExamSoft cannot guarantee its absolute security.
Legal bases for processing of personal data
If you reside in the European Union, Switzerland or the United Kingdom, the legal basis on which ExamSoft processes personal data will depend on the data concerned and the context in which the data is collected. However, ExamSoft normally processes personal data on the following legal bases: (i) performance of ExamSoft’s contractual obligations to which you are a party, (ii) your consent; (iii) ExamSoft’s legitimate interest; and (iv) to comply with a legal obligation to which ExamSoft is subject. If we collect and use your personal information in reliance on our legitimate interests (or those of any third party), this interest will normally be to operate our platform and communicate with you as necessary to provide our services to you and for our legitimate commercial interest; for instance, when responding to your queries, improving our platform, or undertaking marketing. We may have other legitimate interests and, if appropriate, we will make clear to you at the relevant time what those legitimate interests are.
ExamSoft retains personal data so long as we have an ongoing legitimate business need to retain it (for example, to provide services to its customers or to comply with applicable legal, tax or accounting requirements).
When ExamSoft has no ongoing legitimate business need to process personal data, we will either delete or anonymize/de-identify it or, if this is not possible (for example, because the data has been stored in backup archives), then ExamSoft will securely store the personal data and isolate it from any further processing until deletion is possible.
Links to other websites
EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield
Privacy Complaints by European Union, Swiss and UK Residents
Attn: General Counsel
ExamSoft Worldwide, Inc.
5001 LBJ Freeway, Suite 700
Dallas, Texas 75244 USA
ExamSoft has further committed to refer unresolved Privacy Shield complaints to the EU data protection authorities (DPAs) for issues concerning both human resource and non-human resource data, and to comply with the advice given by such authorities with regard to such data transferred from the EU to the US.
If you are a resident of the European Union, Switzerland or the United Kingdom, you also have the right to complain to a data protection authority about our collection and use of your personal data. Contact details for data protection authorities in the European Economic Area are available here.
Children’s Online Privacy
ExamSoft and these websites are not directed toward individuals under the age of 13, and ExamSoft requests that such individuals do not provide personal data or personally identifying information through ExamSoft websites. Additionally, we do not knowingly collect or maintain any personal data or personally identifiable information from children under thirteen (13) through the websites. Please contact us as provided below in the Contact Information section if you believe we may have collected such information.