Last Updated: May 28, 2025
At Proctor360, protecting the privacy and personal data of test-takers, clients, and partners is a top priority. As a provider of remote proctoring services to educational institutions, certification bodies, and employers around the world, we understand the importance of transparency and compliance with data protection laws—especially the General Data Protection Regulation (GDPR).
The GDPR is a European Union regulation that governs how organizations collect, use, and protect the personal data of individuals located in the EU. Even though Proctor360 is based in the United States, we are fully committed to complying with GDPR requirements whenever we process the personal data of EU data subjects. This includes implementing appropriate technical and organizational safeguards, upholding individuals’ privacy rights, and working closely with our clients—who are often the Data Controllers—to ensure lawful and secure data processing.
This page outlines how Proctor360 processes personal data in accordance with GDPR, including what data we collect, the legal basis for processing, how long we retain data, and the rights of individuals whose data we process.
We are committed to maintaining high standards of privacy and data security to support academic integrity while respecting the rights and freedoms of every test-taker we serve.
Who is Proctor360 and what's our role?
Proctor360, Inc. is a U.S.-based technology company that provides remote proctoring solutions for online exams. Our platform is used by colleges, universities, certification providers, and employers to help ensure exam integrity through secure monitoring environments. Our services include both live human proctoring and AI-assisted monitoring of test-takers during online assessments.
In the context of the General Data Protection Regulation (GDPR), Proctor360 typically acts as a Data Processor on behalf of our clients—the organizations that administer exams and determine the purpose and means of processing personal data. These clients are usually the Data Controllers, responsible for defining the lawful basis for data collection and overseeing compliance with privacy obligations.
In limited cases, such as when Proctor360 directly contracts with test-takers (e.g., for self-scheduled certification exams), we may act as a Joint Controller or Independent Controller depending on the nature of the relationship and services provided.
Regardless of our role, we treat all personal data with the same level of diligence, privacy, and security. We also ensure that our processing activities are governed by legally binding agreements that define our responsibilities under applicable data protection laws, including GDPR.
Categories of personal data
As part of delivering our secure remote proctoring services, Proctor360 processes certain personal data related to test-takers, proctors, and institutional clients. This data is collected to ensure the integrity of online exams, support identity verification, monitor test sessions, and fulfill contractual obligations with the organizations we serve.
The types of personal data we process may include information related to identity, contact details, technical system data, and exam session recordings.
The exact categories of data we collect can vary based on the service configuration selected by each client. For a detailed overview of the specific data collected during proctored sessions, please refer to our Privacy Explained page.
Our approach is guided by the principle of data minimization—we only collect what is necessary to deliver our services securely and in accordance with our contractual and legal obligations. All data is handled in alignment with GDPR standards for fairness, transparency, and accountability.
Legal Basis for Processing
Under the General Data Protection Regulation (GDPR), every processing activity must be supported by a valid legal basis. Proctor360 processes personal data only when there is a clear and lawful reason to do so. Our legal basis for processing depends on the specific context in which data is collected and the role we play (typically as a Data Processor acting on behalf of an exam sponsor).
The primary legal bases we rely on include:
1. Contractual Necessity
We process personal data to fulfill our contractual obligations to our clients, such as administering secure online proctoring during exams. This includes processing data required for identity verification, session monitoring, and reporting of potential testing anomalies.
2. Legitimate Interests
We may process certain technical and operational data based on our legitimate interest in maintaining system security, preventing fraud, and improving our services—provided these interests do not override the rights and freedoms of the individuals whose data is involved.
3. Legal Obligations
In some cases, we may be required to retain or disclose personal data to comply with applicable laws, court orders, or regulatory requirements, particularly those that apply to educational institutions or professional certification bodies.
4. Consent
When required by law or applicable data protection principles, we rely on explicit consent—particularly for the processing of sensitive data such as audio/video recordings or biometric identifiers. In such cases, consent is obtained either directly from the test-taker or through our client’s user agreement process.
We work closely with our clients to ensure that the appropriate legal basis is established before any data is collected, and we provide the necessary tools and transparency to support their compliance responsibilities under GDPR.
How we use personal data collected during proctoring
Proctor360 uses personal data solely for purposes that support secure, fair, and effective online exam proctoring. Our processing activities are limited to what is necessary to fulfill our contractual obligations to the organizations we serve and to ensure the integrity of the testing process.
Common uses of personal data include:
- Verifying test-taker identity before and during the exam
- Monitoring the exam session through video, audio, screen activity, or biometric signals
- Detecting and flagging behaviors that may indicate academic dishonesty
- Logging technical activity for support, audit, and system performance analysis
- Generating session reports and incident documentation for review by the exam sponsor
All data is processed in accordance with the principles of data minimization, purpose limitation, and lawful processing under GDPR. We do not use personal data for profiling, marketing, or any unrelated commercial purposes.
The specific ways we use personal data may vary depending on the service configuration chosen by the exam sponsor. For a more detailed breakdown of how individual data elements are used, please visit our Privacy Explained page.
Data Sharing and Subprocessors
Proctor360 does not sell personal data to third parties. However, in order to provide our services effectively and securely, we may share personal data with trusted third-party service providers—known as subprocessors—who assist us in operating our platform and delivering remote proctoring services.
These subprocessors may provide infrastructure hosting, customer support tools, identity verification, or analytics services. Each subprocessor is carefully vetted for its data protection practices, and we enter into Data Processing Agreements (DPAs) that require them to handle all personal data in compliance with GDPR and other applicable regulations.
Additionally, personal data is shared with our clients—the exam sponsors who contract with us to administer exams. These organizations are typically the Data Controllers and receive session data, proctoring logs, and any incident reports necessary for evaluating the integrity of the exam.
Key Points:
- We maintain a list of current subprocessors and update it as needed to ensure transparency.
- All subprocessors are contractually obligated to implement appropriate technical and organizational measures to safeguard personal data.
- Data shared with clients is limited to what is necessary to support their exam administration responsibilities.
- We do not allow our subprocessors to use personal data for their own purposes.
Data Retention
Proctor360 retains personal data only for as long as it is necessary to fulfill the purposes for which it was collected—including to meet our contractual obligations to clients, support audit and review processes, and comply with applicable legal or regulatory requirements.
The length of time we retain different types of data depends on several factors:
- Client Configuration: Each client (exam sponsor) may define their own data retention preferences based on institutional policies or regulatory guidelines.
- Purpose of Processing: Certain data (e.g., video recordings, session logs) may be retained longer for academic integrity reviews or legal defense if needed.
- Legal Obligations: We may be required to retain some data for a fixed period due to applicable laws or accreditation requirements.
Once data is no longer required, it is securely deleted or anonymized in accordance with GDPR principles and our internal data lifecycle management policies.
We apply strict controls to ensure that:
- Retention periods are honored as defined in Data Processing Agreements (DPAs)
- Data is not kept longer than necessary
- Test-taker data is permanently removed upon expiration of the retention period
Data Security
Proctor360 is committed to protecting the confidentiality, integrity, and availability of all personal data we process. We implement a comprehensive set of technical and organizational security measures to guard against unauthorized access, accidental loss, misuse, or disclosure of sensitive information—before, during, and after exam sessions.
Our security framework is built on industry best practices and includes:
- Encryption of personal data both in transit (via HTTPS/TLS) and at rest
- Access controls and authentication mechanisms to restrict data access to authorized personnel only
- Continuous monitoring of infrastructure and systems for potential threats or anomalies
- Regular security assessments and vulnerability scans
- Audit logging to ensure accountability and traceability of data access and actions
- Redundancy and disaster recovery protocols to ensure service continuity
Proctor360 is SOC 2 compliant, demonstrating that we meet rigorous standards for security, availability, processing integrity, confidentiality, and privacy. Our SOC 2 compliance is independently audited on an annual basis, and it reflects our commitment to maintaining a secure and trustworthy environment for all users.
We also ensure that our subprocessors and hosting providers meet comparable security standards and are contractually obligated to implement robust safeguards in accordance with GDPR. Additionally, Proctor360 utilizes a third-party platform to monitor our SOC 2 and GDPR controls, policies, and processes on a continuous basis to ensure we stay in compliance.
International Data Transfers
Proctor360 is headquartered in the United States, and some of the personal data we process may be transferred from the European Union (EU), European Economic Area (EEA), or other jurisdictions to the U.S. as part of delivering our remote proctoring services.
To ensure that international data transfers are lawful and adequately protected under the General Data Protection Regulation (GDPR), we implement appropriate safeguards in accordance with EU standards.
Participation in the Data Privacy Framework
Proctor360 is an active participant in the EU-U.S. Data Privacy Framework (DPF), administered by the U.S. Department of Commerce. Our participation in this program confirms that we have committed to complying with the DPF Principles for all personal data received from the EU, UK, and Switzerland in reliance on the Framework.
This certification provides a valid legal mechanism for data transfers from the EU to the U.S. and ensures that EU individuals receive adequate protection of their personal data in line with GDPR expectations.
You can verify our participation in the Data Privacy Framework by visiting the official Data Privacy Framework List.
Additional Safeguards
In cases where the DPF does not apply or where clients require additional assurances, we are prepared to implement Standard Contractual Clauses (SCCs) or similar mechanisms approved by the European Commission to protect personal data during cross-border transfers.
We are committed to maintaining transparency in how and where data is stored and processed. All clients and test-takers can be confident that international transfers are conducted securely and in full compliance with applicable data protection laws.
Data Subject Rights
Under the General Data Protection Regulation (GDPR), individuals in the European Union have specific rights regarding the personal data that organizations collect and process about them. At Proctor360, we fully support these rights and have established processes to respond to requests in a timely and lawful manner.
If you are a test-taker or user whose data has been processed through our services, you have the right to:
- Access the personal data we hold about you
- Rectify any inaccuracies or incomplete information
- Request deletion of your personal data ("right to be forgotten"), where applicable
- Restrict or object to certain types of data processing
- Withdraw consent, if consent was the legal basis for processing
- Receive a copy of your data in a structured, portable format (data portability)
Proctor360 typically processes data on behalf of our clients—such as universities, testing providers, or employers—who act as the Data Controllers. In such cases, we work closely with these organizations to support their compliance with GDPR and facilitate the handling of any data subject requests they receive.
Submitting a Request
You may submit a request related to your personal data—including access, correction, or deletion—directly through our secure support portal at:
https://support.proctor360.com/help/2342859582
All inquiries are reviewed and processed in accordance with GDPR requirements, and we may request additional information to verify your identity before fulfilling certain requests.
Contacting Our Data Protection Officer
If you have concerns about how your data is being processed, or would like to escalate a privacy-related issue, you may contact our Data Protection Officer (DPO):
Calvin Reims
Data Protection Officer
Proctor360, Inc.
gdpr@proctor360.com
We are committed to ensuring your rights are respected and your personal data is handled responsibly and transparently.
Responsibilities of Our Clients (Data Controllers)
While Proctor360 plays a critical role in the secure delivery of remote proctoring services, our clients—such as universities, certification bodies, and training providers—are typically the Data Controllers under the General Data Protection Regulation (GDPR). This means they determine the purpose and legal basis for collecting and processing personal data during the exam process.
As the Data Processor, Proctor360 acts on our clients’ documented instructions and provides the technical infrastructure, monitoring tools, and support systems necessary to deliver secure, compliant exam sessions. However, it is ultimately the responsibility of the Data Controller to:
- Inform test-takers about how their personal data will be used
- Establish a lawful basis for data collection and processing under GDPR
- Obtain consent where applicable (e.g., for video or biometric data)
- Ensure transparency through privacy notices and exam policies
- Respond to data subject requests (e.g., access or deletion requests), with support from Proctor360 as needed
- Define appropriate data retention periods in coordination with Proctor360
- Ensure their own compliance with applicable data protection obligations, including conducting any required data protection impact assessments (DPIAs)
Proctor360 supports our clients in meeting these responsibilities by providing:
- GDPR-compliant Data Processing Agreements (DPAs)
- Secure infrastructure and technical safeguards
- Audit logs and session reports to assist with compliance
- Tools to facilitate privacy rights requests
- Ongoing privacy and security documentation, including details of our SOC 2 certification and participation in the Data Privacy Framework
We are committed to being a trusted partner in our clients’ privacy and compliance efforts, and we work closely with each organization to tailor our services to their specific legal and institutional requirements.
Proctor360 is committed to maintaining open, transparent communication regarding how we collect, use, and protect personal data. If you have questions about our GDPR compliance, need assistance with a data subject rights request, or would like more information about our privacy practices, we encourage you to contact us.
General Inquiries and Support
For general questions about data protection, our services, or to submit a request related to your personal data, please visit our secure support portal:
https://support.proctor360.com/help/2342859582
Data Protection Officer (DPO)
If you have specific concerns about the handling of your personal data or wish to escalate a privacy-related issue, you may contact our Data Protection Officer directly:
Calvin Reims
Data Protection Officer
Proctor360, Inc.
📧 gdpr@proctor360.com
Policy Updates
Proctor360 is committed to keeping our privacy and data protection practices transparent and up to date with evolving legal, regulatory, and operational requirements. We may update this GDPR Information Page from time to time to reflect:
- Changes in our services or processing activities
- Updates to applicable data protection laws (e.g., GDPR, Data Privacy Framework)
- Modifications to our subprocessors or data handling procedures
- Enhancements to our security or compliance programs (e.g., new certifications)
When we make material changes that affect how we process personal data or your rights under GDPR, we will provide clear notice—either through our website, through our client institutions, or via direct communication where appropriate.
We encourage you to review this page periodically to stay informed about how we are protecting your personal data.