Privacy Policy

Last Updated: October 14, 2025

1. Introduction

Integrity Layer ("we," "our," or "us") is committed to protecting the privacy of students, instructors, and educational institutions. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our exam lockdown browser service.

We are FERPA-compliant and operate as a service provider to educational institutions under the "school official" exception.

2. Information We Collect

2.1 Hardware Fingerprints

To maintain exam security and detect unauthorized device usage, we collect hardware information that is immediately hashed using SHA-256 before storage:

  • System manufacturer, model, UUID, SKU
  • BIOS vendor, version, release date
  • CPU manufacturer, brand, cores, speed
  • Graphics controllers
  • Memory size, type, clock speed
  • Display resolution and scale factor
  • Audio devices
  • Operating system platform, distribution, architecture

Important: We store only the SHA-256 hash of this combined data, not the raw hardware information. This prevents identification of specific devices while allowing us to detect device changes.

2.2 Session Data

  • Session start and end times
  • Exam URL accessed
  • Session token (randomly generated identifier)
  • Hardware fingerprint hash
  • Threat score and security events
  • GeoIP location (country/region only, derived from IP address)

2.3 Security Events

During exam sessions, we log security-relevant events including:

  • Blocked keyboard shortcuts and their timestamps
  • Window focus changes
  • Process monitoring results (running applications detected)
  • VM detection results (virtual machine indicators)
  • Automation tool detection (keyboard/mouse pattern analysis)
  • Network anomalies (VPN/proxy detection)
  • Display configuration changes (second monitor connections)

2.4 Information We Do NOT Collect

  • Student names or personally identifiable information (PII)
  • Student ID numbers
  • Email addresses
  • Exam answers or assessment content
  • Screenshots or screen recordings
  • Webcam or microphone data
  • Browsing history outside of exam sessions
  • File system contents

3. How We Use Information

We use collected information solely for the following purposes:

  • Exam Security: Detect and prevent academic integrity violations during online assessments
  • Threat Scoring: Calculate risk scores to help proctors identify suspicious behavior patterns
  • Device Authentication: Verify that students are using approved devices for assessments
  • Real-Time Monitoring: Provide administrators with live security event feeds
  • Service Improvement: Analyze aggregate (de-identified) data to improve detection algorithms
  • Compliance: Maintain audit logs as required by educational institutions

4. FERPA Compliance

Integrity Layer complies with the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g.

4.1 School Official Exception

We operate under the "school official" exception, which allows us to access education records for legitimate educational purposes on behalf of the institution.

4.2 Data Ownership

All session data and security events belong to the educational institution, not to Integrity Layer. Institutions control data retention, access, and deletion policies.

4.3 Third-Party Disclosure

We do not disclose any education records or student data to third parties without explicit consent from the educational institution, except as required by law.

5. Data Security

We implement industry-standard security measures to protect data:

  • Encryption in Transit: All data transmission uses TLS 1.3 encryption
  • Encryption at Rest: Database storage uses AES-256 encryption
  • Access Controls: Role-based access control (RBAC) limits data access to authorized personnel
  • Hashing: Hardware fingerprints stored as irreversible SHA-256 hashes
  • Rate Limiting: API endpoints protected against brute-force attacks
  • Session Security: Cryptographically secure session tokens (64-character random hex)
  • Regular Audits: Quarterly security audits and penetration testing

6. Data Retention

Data retention is controlled by each educational institution based on its policies and legal requirements.

Default Retention:

  • Active sessions: Retained until exam ends or administrator manually archives
  • Ended sessions: Retained for 2 academic years unless institution specifies otherwise
  • Event logs: Retained for 1 academic year
  • Hardware fingerprints: Retained as long as associated sessions exist

Institutions may request earlier deletion or longer retention based on their policies.

7. Student Rights

Students have the following rights regarding their data:

  • Right to Know: Be informed when monitoring software is in use during assessments
  • Right of Access: Request access to their session data through their institution
  • Right to Explanation: Receive explanations for threat scores and security events
  • Right to Appeal: Challenge academic integrity determinations made using Service data
  • Right to Deletion: Request deletion of data after institutional retention periods

To exercise these rights, students should contact their educational institution's registrar or IT department.

8. Cookies and Tracking

The Integrity Layer application does not use cookies or third-party tracking scripts.

Our website (this site) uses minimal analytics cookies to understand traffic patterns. These do not track individual users or collect personal information.

9. Children's Privacy

Our Service is intended for use by students aged 13 and older. We comply with the Children's Online Privacy Protection Act (COPPA).

For students under 13, parental consent must be obtained by the educational institution before use. We do not knowingly collect personal information from children under 13 without verifiable parental consent.

10. International Data Transfers

Our servers are located in the United States. If you are accessing the Service from outside the US, please be aware that your information will be transferred to, stored, and processed in the United States.

We use standard contractual clauses for international data transfers when required by applicable law.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to institutional administrators at least 30 days in advance.

The "Last Updated" date at the top of this page indicates when the policy was last revised.

12. Data Breach Notification

In the event of a data breach affecting education records, we will notify affected institutions within 72 hours of discovery, as required by applicable laws and regulations.

13. Contact Information

For questions about this Privacy Policy or our data practices, please contact:

Privacy Officer - Integrity Layer
Email: privacy@integrity-layer.com
Support: support@integrity-layer.com

Students should contact their institution's registrar or IT department to exercise privacy rights.