Data and infrastructure

Common questions regarding our data procedures and infrastructure

As an online assessment software, TestInvite's systems store various types of data, which can be categorized into two main groups: data uploaded by our paying customers and data uploaded by the test-takers.

1. Data uploaded by our customers

This refers to the data uploaded by our paying customers into the TestInvite system, such as exam questions, tests, assessment settings, test-taker lists, and associated files, among others.

2. Data uploaded by the test-takers

These include all the data the test-taker uploads during the assessment process, such as forms submitted before or after exams, answers to questions, recordings, photos, screenshots, proctoring materials, logs of browser activity, IP addresses, navigation history, documents submitted before or after starting the exam, and exam scores generated automatically or evaluated by the test administrators.

Test takers' data is categorized into two groups: data that are part of the exam response and all other data recorded during the assessment process. These categories are treated differently as outlined in our privacy policy.

TestInvite is hosted within the Google Cloud ecosystem in the U.S.A. region. Both data-processing servers and storage are located in the U.S.A.

TestInvite typically gathers personal data on behalf of its customers to deliver exam-related services to their participants. In these instances, the customer acts as the "data controller" while TestInvite serves as the "data processor," as defined by relevant data and privacy regulations. As a data processor, TestInvite strictly processes personal data based on the applicable contract to provide exam-related services to its customers.

Testinvite operates on a cloud-based system employing a microservices architecture. It utilizes VueJS and custom components for the frontend, while relying on Google Cloud services such as Cloud Functions, Firestore, and Cloud Storage for the backend.

TestInvite acts as a data processor and utilizes FedRAMP compliant Google Cloud services.

FedRAMP stands for the Federal Risk and Authorization Management Program, which is a US government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP options refer to the different levels of security controls and assessments that a cloud service provider can choose to implement to comply with the FedRAMP requirements. There are three FedRAMP security impact levels (low, moderate, and high), and cloud service providers can choose to implement controls and assessments that correspond to their customers' security requirements.

Google Cloud is FedRAMP compliant. Google Cloud has multiple FedRAMP authorized services, including Google Compute Engine, Google Kubernetes Engine, and Google Cloud Storage. Additionally, Google Cloud Platform has obtained FedRAMP Moderate and High Authorizations for its government customers, ensuring that it meets the strict security requirements for federal agencies.

Yes, we do. Some of our service providers (such as Google Cloud, Mailgun Technologies Inc. Tawk.to Inc. and Google Analytics) and all the data that we collect is stored in the United States. Therefore, by selecting TestInvite as your partner, you consent to the transfer of personal data outside of your home country.

We confirm Google Cloud, Mailgun Technologies Inc. Tawk.to Inc. and Google Analytics are all certified EU – U.S. Privacy Shield organisations.

Following Shrems II decision of the European Union Court of Justice dated 16 July 2020, international data transfers we make within its scope are made within the framework of standard contractual clauses. These terms are available in the Data Processing Addendum.

TestInvite uses a simple email and password authentication system for user login. In addition, we support organizational structures where teammates can be added under an organization and assigned specific roles. Each role defines the permissions and actions available to that user within the system, allowing for controlled access based on assigned responsibilities.

To ensure confidentiality, we use JSON Web Encryption (JWE) tokens to secure data access. Additionally, we implement Firebase security rules that restrict access to data based on the presence of these tokens. Only requests containing the appropriate tokens with the necessary roles or permissions are granted access, ensuring that only authorized persons can view or interact with the data.

TestInvite is using HTTPS (Hypertext Transfer Protocol Secure) to transfer data over HTTP, which ensures encryption and security through SSL/TLS protocols.

Your data is kept confidential and secure, in compliance with GDPR regulations. It is stored on Google Cloud, a highly secure platform, and all communication between clients and backend services is encrypted for added security.

TestInvite maintains audit logs to track data modifications and system actions, providing insights into key events for better monitoring and issue identification.

We perform monthly full backups for Firestore and SQL databases, and we also conduct daily selective backups of critical Firestore data to an SQL database for enhanced security and accessibility.

TestInvite does not own any physical data storage locations. Our platform is fully hosted on Google Cloud, and we rely on Google's physical security measures to ensure the protection of our data storage infrastructure.

We categorize vulnerabilities into four severity levels—Critical, High, Medium, and Low—based on their potential impact on systems, data, and users. Remediation timeframes are prioritized according to risk, ranging from 24-48 hours for critical issues to 3-6 months for low-severity vulnerabilities, aligning with industry standards like NIST and OWASP.

When it comes to our procedures for handling and deleting data, there are three distinct types.

Data uploaded by our customers (Customer data)

This encompasses the data uploaded by our customers, such as exam questions, assessment instructions, documents, images, audio and video materials, and test-taker lists. As long as the account owner remains a customer, we retain this data. However, we provide tools for data deletion.

As long as the data under this category does not include any personal data, this data category falls outside the classification of "Personal Data" and is out of scope for data privacy rules and regulations. Data in this category is scheduled for deletion within five years; however, in practice, it is typically removed within one month after a customer's status changes to non-customer.

Please refer to our privacy policy for the rules around being deemed a customer.

Exam Response Data (Personal data category 1)

Exam Response Data comprises all information submitted by test-takers during exams, including answers to exam questions. This category is dedicated to capturing and storing responses provided by individuals as part of their assessment process.

This data is governed by the data processing addendum and/or privacy policy (as applicable) and is deleted within 5 years from the date the customer is no longer a customer.
Customers have the ability to independently delete their Category 1 data whenever they want using the TestInvite web application.

Please refer to our privacy policy for the comprehensive list of items within this data category and the rules around being deemed a customer.

Supplementary Test-Taker Data (Personal data category 2)

Supplementary Test-Taker Data includes personal information collected from or uploaded by test-takers, excluding their responses to exam questions. This category encompasses proctoring materials, pre-exam form submissions, and any extra data submitted by individuals during the assessment process that does not constitute part of the exam response.

This data is classified as personal data and is subject to TestInvite’s data processing addendum and/or privacy policy (as applicable). It is deleted within up to 1 year from the date of collection.

Please refer to our privacy policy for the comprehensive list of items within this data category.

All customers are required to comply with our privacy policy, data addendum, terms and conditions, and data handling procedures as declared on our website. However, enterprise customers with the necessary add-ons have the option to customize the timing of data deletion for added flexibility.

As a frequent service provider to entities and persons living within the European Union (EU), TestInvite regularly provides its services under the umbrella of GDPR.

No, TestInvite cannot be deployed on-premises because it is a cloud-native application hosted on Google Cloud. It utilizes services that cannot be replicated on simple servers. Being cloud-native allows TestInvite to be highly scalable, making it ideal for administering online assessments to thousands of concurrent test-takers while recording their actions, webcam, and screen recordings without delays or lags.

Talk to Sales!

Want to learn more about TestInvite

Schedule a demo
Go Back
Talk to a representative
Figure out if TestInvite is a good match for your organization