Rosalyn’s Commitment to Trust

We take security and privacy matters seriously and have taken measures to protect our customers' data at all times. Our commitment to data protection and care for privacy is reflected in how we design our products, how we implement operational security practices, and the technology choices we make.

Security of cloud datacenters

For cloud infrastructure controls implementation and verification we leverage a host of AWS security services. AWS SOC compliance information can be found here. In addition to SOC, AWS ISO and CSA STAR certifications can be referenced here.

Security for computing

Rosalyn's security model is based on the NIST Cybersecurity Framework (CSF) and the SOC 2 criteria of Security and Confidentiality, with additional controls for compliance with international privacy laws and regulations (EU GDPR, California CCPA, Illinois BIPA, etc.). For the higher education market, Rosalyn specifically targets the HECVAT standard. Rosalyn intends to complete a SOC 2 Type 2 audit in 2023.

The target security standards used to track progress are:

  • Center for Internet Security (CIS) AWS Foundations Benchmark standard
  • AWS Foundational Security Best Practices

For penetration testing of components deployed into production, Rosalyn works with penetration testing specialist vendors.

Risk assessments are carried out inside Rosalyn, and implementation of mitigations is planned as part of sprints.

Data Security

All data in production systems inside Rosalyn is encrypted in flight and at rest using industry-standard algorithms such as AES-256 and protocols such as HTTPS, TLS, and SSH. All access to production data is logged. For all cloud resources, Rosalyn leverages identity and access management to define user access and policies for fine-grained user and system access control across all of our hosting systems. All hosting systems are separated by account-level access barriers for further layers of security. Rosalyn also provides additional controls and governance capabilities to further protect our customers' users and data.

Special consideration is given to Personally Identifiable Information (PII). All PII data flows are mapped out throughout development of our systems and are clearly documented and understood throughout the organization. Lifecycles for all data, including PII, are defined and maintained through established processes in order to comply with applicable regulations, including GDPR.

Endpoint Security

Corporate desktops and laptops are managed by enterprise device management and endpoint protection software.

Business Continuity and Disaster Recovery

All of Rosalyn's software services are available 24/7.

All data stores inside Rosalyn are backed up on a continuous basis. Our main database offers global deployment over multiple regions and disaster recovery from region-wide outages. It uses storage-based replication with a typical latency of less than 1 second, on dedicated infrastructure that leaves our database fully available to serve application workloads. In the event of a regional degradation or outage, one of the secondary regions can be promoted to read and write capability in less than 1 minute.

We currently target a Recovery Time Objective (RTO) and Recovery Point Objective (RPO) of under two hours, with the goal of reducing this further in Q3 2022.

In accordance with Rosalyn's Business Continuity Policy, the Business Continuity Plan, testing, and procedures are updated and performed annually.

Secure Software Development Lifecycle Standard

Through our platform's planning, development, and release processes, security practices are incorporated into Rosalyn's Software Development Lifecycle.

Vulnerability Prevention

Our Secure Development Lifecycle follows OWASP guidelines. We contract with industry-leading penetration testing providers to examine our production architecture annually.

SSO

In order to provide SSO through any number of Identity Providers (IdPs), Rosalyn supports federated access via SAML 2.0.

Personnel Security

Rosalyn's security begins with its employees. Rosalyn implements security controls for its employees and contractors before, during, and after their tenure. Controls include security and privacy training and automated deprovisioning of logical and physical access to Rosalyn resources. Select Rosalyn staff also continuously receive advanced cybersecurity awareness training in collaboration with select training partners.

Data Privacy

Our customers' privacy is important to us, and we take it very seriously. We do not sell, share, or export to third parties the data we gather from your use of our platform. As stated in your customer agreement, we only provide data to our sub-processors for use in processing your data. We do not process biometric information, and we are compliant with GDPR and BIPA regulations.

Data Recovery

We regularly back up your data and target an RTO and RPO of 2 hours.

Data Deletion

Users, videos, and other data can be deleted directly from our Compliance Request service. Within X days of terminating a relationship with Rosalyn, all customer data will be removed from our systems.

Data Retention

Rosalyn video and audio recordings are retained according to company policies, with flexible configuration of how long recordings are kept before being deleted.

EU Datacenter

Rosalyn supports customers with organizational data residency requirements that mandate EU citizen data to reside in the EU.

Third-party audits attest and certify Rosalyn's security, data privacy, and compliance controls to help meet customers' legal, regulatory, and organizational policy requirements. Biometric information is not processed by us.
