Live/Human invigilation (no AI/no biometrics) and Record&Review (AI/no biometrics)

Service scope

Software add-on or extension: Yes
What software services is the service an extension to: Google Chrome add-on extension
Cloud deployment model: Hybrid cloud
Service constraints: Online invigilation solutions are not compatible with tablets and smartphones (only ID authentication).

We are platform agnostic and will integrate with all LMS / e-assessment systems, but we do not provide exam management software.
System requirements: Laptop or desktop camera

Built-in microphone

Desktop, laptop, or Chromebook

Google Chrome

Internet connectivity of 2Mbps upload / download

MacOS, Windows, ChromeOS

User support

Email or online ticketing support: Email or online ticketing
Support response times: We offer 24/7/365 support. All queries are managed and responded to within 24 hours. In case of emergencies, support requests can be addressed within the hour.
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 24 hours, 7 days a week
Web chat support: Web chat
Web chat support availability: 24 hours, 7 days a week
Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
Web chat accessibility testing: We have delivered services to users with assistive technology. We are compatible with most assistive technologies in education.
Onsite support: Yes, at extra cost
Support levels: Standard support will include (at no extra cost):

- 24/7/365 phone, email and live chat support
- A dedicated account manager (incl. training)
- A dedicated project manager for successful platform integration
Support available to third parties: Yes

Onboarding and offboarding

Getting started: Examity is dedicated to ensuring all users are comfortable with our software and processes. With this in mind, we look at training as an ongoing process for our clients at no additional cost. At the start of the engagement, we will offer complete training for all team member. Understanding that team members change, and programs may grow, we always offer additional training for your team.

As part of the onboarding process, administrators are given unlimited, live training sessions with a dedicated account manager. Group sessions last between one to one and a half hours and one-on-one trainings last between 15 and 30 minutes. As your programs grow, the Examity account manager will also provide one-on-one or group trainings to all future users. In addition, the Examity account manager is accessible for any questions that may arise once training is complete. At the conclusion of the training, administrators are provided everything user guides, video tutorials, and toolkits.
Service documentation: Yes
Documentation formats: PDF
End-of-contract data extraction: Client data is stored (including PII and ID images) for the duration of the contract. Examity will deliver data in pipe-delimited encrypted format. Following the handover, we follow standard data purge and destruction protocols and confirm in writing when completed.
End-of-contract process: Examity will deliver client data in pipe-delimited encrypted format for consumption upon the termination of contract/service with the client.

Examity will follow standard procedures to decommission the product tenant and all integrations.

There is no cost for the end of the contract.

Using the service

Web browser interface: Yes
Supported browsers: Microsoft Edge

Chrome
Application to install: Yes
Compatible operating systems: MacOS

Windows

Other
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: Mobile phones and tablets represent an assessment security risk and provide a weak vehicle for a robust service and invigilation delivery. Laptops are the best mobile devices organisations and exam candidates use for online invigilation.
Service interface: Yes
User support accessibility: WCAG 2.1 AA or EN 301 549
Description of service interface: - Test-takers have a dedicated dashboard
- Administrators or instructors have a dedicated dashboard
- During live invigilation, all test-takers are served by a live proctor
- During automated invigilation, all test-takers follow the process

There are 5 key stages in serving test-takers:

1. Setting up a test-taker profile and scheduling an assessment
2. Connecting to proctoring service on the scheduled date
3. ID authentication
4. Taking the exam or assessment
5. Submitting the assessment and ending the proctoring session
Accessibility standards: WCAG 2.1 AA or EN 301 549
Accessibility testing: We are compatible with most assistive technologies in education and have delivered online invigilation services using these technologies since 2013.
API: Yes
What users can and can't do using the API: Our standard RestAPIs can:

- Help users schedule assessments
- Help users transfer test-taker data from their platform to their profile
- Help test-takers take their assessments from their dashboard into the the user's chosen platform

We also have the capability to create APIs to deliver a customisable service.
API documentation: Yes
API documentation formats: PDF
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: Upon request and depending on the value of the agreement:

- We can deliver a branded integration
- We can integrate with proprietary platforms
- We can customise to multiple languages
- We can customise the ID authentication process
- We can customise the use of our technology
- We can customise proctor training to meet local/global needs

Scaling

Independence of resources: We always plan for a scalable service delivery. Customers only pay for what they use on a monthly basis.

Analytics

Service usage metrics: Yes
Metrics types: - Candidate to proctor ratio (e.g. 1:1 or 2:1)
- 100% delivery of recorded videos
- 100% delivery of post-assessment human auditing
- Proctor waiting times
- Assessment launch times
- Blue, green, yellow and red flags (e.g. broken rules and violations)
- No shows, incomplete/ completed exams
- Scheduled or not scheduled assessments
Reporting types: API access

Real-time dashboards

Regular reports

Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: European Economic Area (EEA)

Other locations
User control over data storage and processing locations: Yes
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest: Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation

Deleted data can’t be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: - Excel
- PDF
- Video
Data export formats: CSV

Other
Other data export formats: Excel

PDF

Video
Data import formats: CSV

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)

Legacy SSL and TLS (under version 1.2)
Data protection within supplier network: TLS (version 1.2 or above)

Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability: Our standard SLA: In the event of an unplanned outage of the Services of any duration, Examity shall notify the client within sixty minutes of the outage and update the client every four hours. Examity will credit the client commencing on the date and time of the opening of a “trouble ticket” or similar mechanism and ending at the close of the same by Examity's technical support as follows, provided however that no credit shall be given for an outage directly or indirectly resulting from: (i) the negligence of University; (ii) scripts, applications, equipment or services provided by University; (iii) outages initiated by Examity at the request or direction of the client for maintenance, back up or other purposes; or (iv) any force majeure event.

Outage
Credits per Outage - % of monthly charges for affected products
0-8 hours duration
No Credit
8-16 hours
2.5%
16-24 hours
5%
In excess of 24 hours
7.5%

Wait Time
Credits per average monthly Wait
Time - % of monthly charges for affected products
0-9 minutes and 59 seconds
No Credit
10 min-14 min and 59 sec
2.5%
14 min-19 min and 59 sec
5%
In excess of 20 minutes
7.5%
Approach to resilience: Our high-availability environment mitigates the risk of unplanned service disruptions through a combination of system processes, software, hardware, and infrastructure components, all backed by our dedicated 24/7/365 engineering support team. Our design eliminates single points of failure and decreases the impact of planned disruptions, such as upgrades or maintenance windows.

Examity maintains 99.99% up-time and has a robust configuration, patch, and change management process with full redundancy in place for performance and scalability. Examity maintains a 24-hour RPO and 72-hour RTO.

We manage redundancy to handle power outages by providing redundant datacenter power and onsite diesel generators. Our data centers deliver a zero-downtime network, and our servers receive continuous internet connectivity, providing an unparalleled experience for our customers and their end-users. Engineers are on-site 24/7/365 to ensure backups are always running and to conduct emergency restores if needed. Our provisioning system allows us to deliver faster operating system re-installs for our customers as needed. Our datacenter has dedicated personnel that maintains onsite part inventories and guarantee the replacement of failed hardware within a single hour.
Outage reporting: In the event of an unplanned outage of services, Examity will notify client contacts within 60 minutes of the outage and provide updates to client contacts every four hours that detail the corrective actions taken and the status of such actions.

Identity and authentication

User authentication needed: Yes
User authentication: Username or password
Access restrictions in management interfaces and support channels: Credentials for platform administrators are closely managed with a strict revocation process for any changes in staff or their roles.

Authentication of Exam administrators on the platform uses two-factor authentication.

Our Authorization model for administrators of the SaaS platform implements strict separation of duty, and principle of least privilege concepts. Access for system administrators is further restricted to VPN access into the datacenter(s), only from specific approved locations.
Access restriction testing frequency: At least once a year
Management access authentication: 2-factor authentication

Public key authentication (including by TLS client certificate)

Username or password

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: No
Cyber essentials plus: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: No
Security governance approach: Our Security Governance begins with the Security Committee: CISO, CTO, COO, VP of Products and VP of Operations. We organize our Security Program using the NIST CSF and self-audit against the ISO/IEC 27001 standard. Our program includes best-practices and administrative, physical, and technical controls: e.g., firewalls, encryption, intrusion detection, and platform monitoring. We limit all access to any PII on a "need to know" basis.
Examity complies with international privacy regulations including FERPA, FIPPA, GDPR, COPPA and HIPPA.
The CISO and CTO of Examity are the contact points for GDPR-related information requests, assessment and discussions.
Information security policies and processes: The following are the core components of our overall Cyber Security Program:

• Cyber Security & Risk Management Committee: Examity has established an executive level Committee to oversee its corporate governance of Cyber Security. That team is led by the Examity CISO, CTO, VP of Products, VP of Center Operations, and Chief Administrative Officer.

• Cyber Security & Risk Management Governance: Examity has adopted the ISO/IEC 2700x and NIST Cyber Security “Frameworks” to organize and govern our overall Cyber Security efforts.

• Cyber Security & Risk Management Assessment: Company-wide security assessments are performed annually, using the NIST CSF and ISO/IEC 27001 standards as our benchmarks. Our SaaS platform security assessments are now performed continuously in our DevSecOps, and annually via 3rd party pen testing (e.g., Veracode in 2019). These inform more specific assessments such as PCI DSS, GDPR, CSA CAIQ, etc., for which Examity publishes attestations on an annual basis. Our CISO holds an ISACA "CISA" certification and has established a process for continuous improvement.

• Cyber Security & Risk Management Program: Examity has a corporate-wide CS/RM Program that includes a broad set of traditional administrative, technical, and physical controls applied to company-wide, and specifically to the Examity SaaS platform.

Operational security

Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach: Our process is in place to ensure the customer is given ample time for review, plan, assessment and adoption of new releases. We have a defined roadmap of upgrades and patches. This includes planned patch management, with minor releases and major annual upgrades with proper alignment. Patch management for application, infrastructure, network, OS and databases follow the same stringent protocols.

Dedicated staff are assigned to handle updates in the Examity infrastructure and systems as a result of platform and browser releases. We manage communications and rollback procedures to handle software updates, security patches to ensure no disruption to normal operations.
Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach: Examity employs a strict vulnerability/patch lifecycle management of all systems, basic patch/computer hygiene, etc.

Patching of all components of our production systems is well coordinated with operations, and any downtime is carefully scheduled with proper notification to affected stakeholders in advance.

We perform annual Penetration Testing on both our SaaS platform and the corporate network using top-tier vendors.

Our DevSecOps environment and processes continue to mature, incorporating DAST (blackbox), SAST (whitebox), and SCA (software component analysis) directly into the development, testing, and deployment stages of our SDLC.
Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach: We perform active 24x7 monitoring for security events, including but not limited to, regularly reviewing and analyzing audit logs, logging for ingress and egress communication, monitoring and login attempts and authentication failures, security monitoring and logging for access to critical system files, security monitoring and logging for suspicious activity (e.g. on the network, database, IDS, IPS), logging for access to personal or sensitive information, access to critical system files, account changes, configuration changes, and all web requests.
Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach: A dedicated communication and resolution team handles our Incident Response Plan (IRP) which is reviewed annually. The main phases of our IRP are based directly upon industry recognized best practices as described in the SANS Incident Management Handbook, the NIST Special Publication 800-61, ISO/IEC 27035 (Security Incident Management, 3 part series), and AICPA guidelines. These phases include: Preparation, Detection / Identification, Containment, Forensics, Eradication, Notification, Recover, Restoration, and Continuous Improvement.
Client-dedicated managers handle all communications through the life cycle of an incident, including root cause and resolution documentation.

Secure development

Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks: No

Fighting climate change: Fighting climate change

Online invigilation and digital assessments considerably reduce carbon footprint because:

- Test takers or exam candidates don't need to travel repeatedly in order to take an exam (e.g. the exam can be taken at home or in the office)
- Assessors don't need to fly around the country or around the world in order to set exam parameters, collect exams or invigilate exams
- Exam logistics no longer require postal services if assessment is 100% online and quality assured by online proctoring / invigilation
Covid-19 recovery: Covid-19 recovery

Examity can help organisations move to online assessment in severe cases such as Covid-19 or other natural disasters.
Equal opportunity: Equal opportunity

Examity is an equal opportunity employer but also believes in equal opportunities for fair and valid online assessments for all, regardless of backgrounds or beliefs or learning needs. To this aim, Examity can configure its online invigilation requirements to meet the needs of specific cultures, national policies and / or learners with specific accessibility requirements.

Pricing

Price: £4 to £23.50 an instance
Discount for educational organisations: Yes
Free trial available: Yes
Description of free trial: Depending on business volume, we can provide:

a. a demo environment which allows customers to navigate the administrator and/or test-taker dashboard without taking an exam (smaller clients) OR

b. 500 - 1,000 live or automated proctored exams for free (larger clients with 10,000 - 50,000+ exams per year)

Live/Human invigilation (no AI/no biometrics) and Record&Review (AI/no biometrics)

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

Live/Human invigilation (no AI/no biometrics) and Record&Review (AI/no biometrics)

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents