EduTestPro - Security Policy

At EduTestPro, we've built an unbreakable vault for your test content. Our zero-knowledge architecture ensures that no one - not even our engineers - can access your questions or student answers in readable form.

All test content cryptographically hashed

End-to-end encrypted with AES-256

Even admins cannot view raw test content

Content Protection

Zero-Knowledge Storage

We implement multiple layers of cryptographic protection:

Argon2id Hashing: Memory-hard key derivation function (1GB memory, 3 iterations)
AES-256-GCM Encryption: 256-bit encryption for all data in transit and at rest
Sharded Storage: Questions split across multiple security domains
HSM Protection: Keys managed in FIPS 140-2 Level 3 Hardware Security Modules

Test Content Protection Pipeline

Client-Side

1. Local hashing with Argon2id

Transmission

2. TLS 1.3 with PFS

Storage

3. Fragmented AES-256 encryption

Administrative Safeguards

No backdoor access: System designed to prevent any form of content reconstruction
Automated blind grading: Scoring occurs without human-readable access to answers
Dual-control policies: Requires multiple authorized personnel for system changes

Student Privacy

Pseudonymization

Student identities are replaced with random identifiers during test processing and grading.

Data Separation

Personal information stored completely separately from academic responses.

Compliance

Meets strictest standards including GDPR, FERPA, and COPPA requirements.

Security Infrastructure

Testing Environment Protections

Secure Browser: Disables screenshots, printing, and developer tools during tests
Behavioral Fingerprinting: Detects unusual activity patterns (keystroke timing, mouse movements)
Device Binding: Locks tests to specific device/network fingerprints
Session Encryption: Unique per-student session keys generated for each test

System Architecture

Annual Penetration Testing: Conducted by independent security firms
SOC 2 Type II Certified: All data centers meet highest security standards
Immutable Logging: All access attempts recorded in write-only logs
DDoS Protection: Enterprise-grade mitigation systems in place

Access Controls

Teacher Accounts

Mandatory multi-factor authentication (MFA) for all teacher accounts
Role-based permissions with granular control over test access
Session timeouts after 30 minutes of inactivity

Student Accounts

No personal information required beyond what teachers provide
Test-specific credentials that expire after test completion
Automatic session termination after test submission

Our Ironclad Guarantee

We've mathematically proven our system's security through formal methods. The architecture makes it physically impossible for anyone to access raw test content while maintaining full functionality for authorized users.