Cloud Security Statement
Inspera Assessment is a cloud-based Software as a Service (SaaS) solution for educational assessments hosted entirely on Amazon Web Services (AWS). Amazon, which is ISO27001 certified, is responsible for the security of its physical data centres and the AWS cloud. Inspera is responsible for monitoring, managing, and securing the Inspera Assessment Cloud. More information about how Amazon secures AWS can be found here.
AWS manages secure data centres that host the Inspera Assessment Cloud. Further information on security can be found here.
All Inspera Assessment Cloud data is hosted within the European Union for technical, security, and privacy reasons.
Inspera is certified as Cyber Essentials Plus according to the UK National Cyber Security Centre (NCSC) certification scheme.
AWS is responsible for managing the security of the cloud service provided. AWS is certified by third-party organisations and operates a number of compliance programmes to comply with applicable laws and regulations. A list of such certifications and compliance statements can be found here.
AWS has a public SOC 3 report on Security, Availability & Confidentiality (PDF) as well as an ISO 27001 certification (PDF).
People and Access
Within Inspera, only a few trusted members of our DevOps Team have access to the production environment for the purposes of maintaining our cloud services and assisting our customers. Additionally, we audit and monitor all access to the Inspera Assessment cloud.
Customers are responsible for maintaining the security of their own login information and permissions.
Data Storage and Retention
Data at rest in the Inspera Assessment cloud is encrypted following industry standards. Additionally, all communications with the Inspera Assessment cloud are protected with HTTPS using TLS, and communications within the cloud are protected through AWS VPC. Backend services are only available through SSH connections from pre-approved locations through a bastion server.
Inspera Assessment has a multi-tenant model where some components, services, and codebases are shared between customers. Each customer’s data is logically separated from all other customers’ data. This means that each customer can only access their own data.
Inspera does not transfer data outside the AWS cloud.
Inspera Assessment cloud services are tested regularly by external parties, such as third parties conducting penetration tests and regular audits.
Backup and Disaster Recovery
Assessment data is backed up at least once a day, and the backups are encrypted following industry standards. Backups are kept for 7 days and are used only for disaster recovery.
The Inspera DevOps team has a disaster recovery process in place which is tested on a regular basis.
Inspera understands the importance of privacy and is committed to protecting your personally identifiable information. Inspera Assessment is built from the ground up on privacy by design, with extensive use of encryption, access control, audit logging and especially pseudonymisation of identities. If an external authentication provider is configured and Single-Sign-On (SSO) is used, Inspera Assessment can be used completely without Inspera knowing the actual identity of the test taker.
For more information, please see our privacy notice.