Introduction

You have visited an Isograd brand website or registration page. Isograd and its affiliates and subsidiaries are committed to protecting and respecting your privacy. This Privacy Policy explains how Isograd collects, uses, and discloses information from or about you when you use our websites, services, applications, software, and other digital services that link to this policy

The Policy applies to the Services we provide throughout the world. The data controller of your information is the legal entity that registered you to use the Services, Isograd being designated as the data processor. In regard to our websites and in some instances where users are directly registered by Isograd to use the Services, Isograd plays the role of controller.

Please note that some of our Services are provided to legal entities that have entered into a customer agreement with us to provide our Services to their end users. In such circumstances, Isograd is the data processor, and the Customer is the data controller. Isograd processes Customer’s End User information under the instructions of the Customer, as described in the applicable customer agreement or as otherwise required by applicable law. In the event of a conflict between this Policy and the relevant customer agreement, the customer agreement will govern. If you are a Customer End User and you have questions about how your information is collected and processed through the Services, please contact the Customer with whom you are affiliated for more information.

You can find contact information for each of our brands and entities in the Contact Us section.

Definitions

The following definitions help clarify the terms used in this privacy policy, ensuring that users understand their rights and the roles of different entities in data processing.

Data Controller: A data controller is the entity that determines the purposes and means of processing personal data. In this context, the Customer who uses Isograd’s services to manage end users' information is typically the data controller.

Data Processor: A data processor is the entity that processes data on behalf of the data controller. Isograd acts as a data processor when it processes Customer User and End User information under the instructions of the Customer.

Services: Services refer to the testing platform and related applications and software provided by Isograd that link to this privacy policy.

Consent: Consent refers to the permission given by a data subject (the individual whose data is being collected) for the processing of their personal data. Consent must be freely given, specific, informed, and unambiguous.

Personal Data: Personal data refers to any information relating to an identified or identifiable individual.

Customer: Customer refers to the legal entities that enter into an agreement with Isograd to provide services to their end users. In such cases, the Customer acts as the data controller.

End User: End user refers to the individuals who use Isograd's services as candidates taking tests.

User: A user refers to an administrator of the Services managing the processes of End-Users taking tests on behalf of organizations. Users provide personal data through their interaction with the services offered by Isograd.

Candidate: A candidate is an individual who takes tests on Isograd’s platform. This term generally refers to End Users who are using the services to complete assessments, exams or certifications.

Administrator: An administrator is a User who manages and oversees the use of the Isograd platform within an organization. Administrators are responsible for managing User accounts, organizing tests, and ensuring the smooth operation of the services provided by Isograd.

Visitor: A visitor is any individual who visits Isograd's websites and/or social accounts. Visitors may browse the site, learn about the services offered, and interact with certain features without necessarily creating an account or using the full suite of services.

Right to Erasure: The right to erasure, also known as the right to be forgotten, allows individuals to request the deletion of their personal data from the data controller and processor's systems. This principle is adopted from the GDPR (General Data Protection Regulation).

Legitimate Interests: Legitimate interests refer to a legal basis for processing personal data under GDPR, where the processing is necessary for the legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the rights and freedoms of the data subject.

Third-Party Services: Third-party services refer to external services used by Isograd to facilitate, operate, and manage its websites. Third-Party Services use cookies and other tracking technologies, subject to user consent.

Service Provider Service providers are vendors and partners who perform tasks on behalf of Isograd. These tasks include sending emails, database hosting, management services, remote proctoring, technical support, and security.

Collecting And Processing Your Personal Information

Our legal basis for collecting and using your personal information, as described in this Privacy Policy, depends on the information we collect and the specific context in which we collect it.

We may process your personal information because:

• We need to perform a contract with you
• You have given us permission to do so
• The processing is in our legitimate interests, and it's not overridden by your rights
• For payment processing purposes
• To comply with the law

We may also collect personal information that you give us during your communication with us regarding our services, such as technical support threads. In addition to the above, we may need to use your personal information for audits and compliance with our legal obligations under applicable law.

For your rights regarding your personal information, please see Your Rights as The Owner of The Personal Data section below.

The Type of Data We Collect

The information we collect about you depends on the Services you use, how you use them, and the information you provide to us. We collect information in three ways: information you provide directly to us; information we collect automatically through technology when you use the Services; data that we collect through third-party services.

Information You Provide Directly to Us

When you visit our websites and/or use our Services we might ask you to provide personal data to us. For example, you may provide us with information when you register to use the Services and create an account, subscribe to a newsletter, place an order or make a purchase from us, join us on social media, take part in training and onboarding sessions, contact us with questions or request support by email, phone, via the platform or the website. The categories of information we may collect directly from you include:

• Contact and account identifiers, such as name, address, telephone number, email address, and login credentials.
• Financial information, payment method information, purchase and transaction history. Your payment method information (credit card, PayPal account data, etc.) is collected by our third-party payment processors on our behalf in connection with your purchase.
• Identification information, photo and photo ID document, to verify your identity when taking an exam or certification through our remote proctoring service. Your identification information is collected and processed by our third-party remote proctoring solution provider Integrity Advocate in strict compliance with the Policy.

Information collected for creating a Customer Account:

• Institution or Business Name
• Address
• Email
• Phone Number
• Phone Number
• Primary language
• Email

Information collected for creating a User/End-User Account (candidate or administrator):

• First Name
• Last Name
• Email
• Primary language

Information We Collect Through Technology When You Take a Test

When you take a test on our platform, we may automatically collect certain information through technology. To the extent permitted by applicable law, we may use such information to make automated decisions in order to provide or optimize the Services, for security or analytics purposes, and for any other lawful purpose.

The categories of data that we collect and process automatically for test delivery include:

Category Of Data	Data Collected
Application Technology Meta Data	IP Addresses of users, Use of cookies, browser version and internet bandwidth
Application Use Statistics	Meta data on user interaction with application
Assessment	Standardized test scores, observation data, incidents and breaches in test policy or proctoring requirements
User Identifiers	Application-assigned User ID number, User app passwords encrypted for SSO
User In-App Performance	Program/application performance (e.g. typing program- User types 60 wpm, Microsoft Excel- User can input a formula to calculate a sum)
User Survey Responses	User responses to surveys or questionnaires
User work	User generated content: writing, pictures, test item responses

Data That We Collect Through Third-Party Services

We use third-party tools to facilitate, operate and manage our websites for analytics and advertising purposes. These tools use cookies and other tracking technologies. The third-party tools we use on our website will only insert cookies and other tracking technologies if consented by you. We track your consent once you click ‘Accept’ on our Privacy center. You can manage your permissions by clicking our Trust Badge.

We use third party service providers such as Google Ads, Pardot, Google Analytics, or LinkedIn. All such service providers are contractually bound to keep your personal information secure and confidential and to use it only for the above-mentioned purposes, consistent with this Privacy Policy.
We take all steps necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and that no transfer of your Personal Data to third party organization or country will take place unless there are adequate controls in place for the security of your personal information.

Cookies

Isograd’s websites use cookies. Cookies are small text files stored on your device (computer, tablet, smartphone, or another device) to enhance your experience on the website. Websites use cookies for many different purposes, including but not limited to:

• Get information about the traffic on our website
• Provide you with essential functionalities of our website
• Track your browsing behavior
• Track your engagement with social services

• Collect information about how users use our website
• Remember your preferences for our website
• Personalize content and advertisements

We use cookies according to applicable laws. This section provides information about the types of cookies we use, and why we use them. We are committed to full transparency regarding your privacy while using our website.
We use the following types of cookies:

• Essential
• Analytics
• Advertising

Essential

Essential cookies allow us to provide you with the essential features of our website, such as website navigation or logging in the secured areas. Using them is in your best interest, hence all the applicable personal data protection laws allow us to use them freely. We use the following essential cookies:

• The PHP Group

We use other types of cookies only with your prior explicit consent. If you give us consent to store them on your computer, we do so. If you don’t consent to their use, we don’t use them. It’s that simple.

The other types of cookies we use are:

Analytics

Analytics cookies provide us with information about the traffic and visitors’ behavior on our websites. This includes the number of visitors, number of clicks to pages, and others. Most often, the data these cookies collect is anonymous. However, in some cases, the data may be related to a pseudonymous identifier that may be related to your device. That may possibly make you identifiable and that is why we ask you for consent before using analytics cookies. The analytics services we use are:

• Google Analytics
• LinkedIn
• Hotjar

Advertising

Advertising cookies track your browsing behavior to enable us to show you personalized content and advertisements that are likely to be of interest to you. Depending on your information and with your permission only, these cookies may group you with other visitors with similar interests and show you relevant ads and content. The advertising cookies we use are:

• YouTube
• Facebook
• Google Ads
• Pardot

Please note that these cookies are used in our websites only. They are not utilized in the services we provide to the candidates and administrators of our testing platform. The related ads are context-based and may only be shown if you interact with the links listed above, meaning that you will not see these advertisements unless you choose to engage with the specific links or applications. The ads do not target end-users, particularly students or children.

Deleting Or Disabling Cookies

You may delete or disable cookies through your browser settings. However, you should keep in mind that deleting or disabling cookies may lead to inconvenience while using our websites that would not have happened if you consented to the use of cookies.
On the following links, you’ll find information about how to delete or disable cookies from your browser settings:

• Google
• Firefox
• Safari (iOS)
• Opera
• Edge

Service Providers

Isograd works with vendors, service providers, and similar partners (the Service Providers) to provide the services to you by performing tasks on our behalf. We may share or provide information, including personal information, to the Service Providers, which include sending emails on our behalf, database hosting and management services, remote proctoring, technical support, and security. The Service Providers do not have the right to use the personal information we share with them beyond what is necessary to deliver the services. Additionally, the Service Providers must adhere to confidentiality, security, and legal obligations in a way that is consistent with this policy and any applicable law.
We engage the following Service Providers to provide our services to you: Amazon Web Services and Integrity Advocate. If you have any questions about our Service Providers or their privacy policies, please contact us at support@isograd.com.

Advertising

ISOGRAD DOES NOT SELL DATA, and we do not use end-users’ personally identifiable information for commercial purposes or for advertising by Isograd or by a third party. The data collected from end-users for delivering the services will be shared with the following recipients only: the customer who registered the end-users (the controller), and Isograd (the processor).
We will use the personal information of the end-user database only for the purposes necessary to carry out the services provided on behalf of the controller according to the controller’s treatment purposes only. Isograd will consider as strictly confidential any personal information in the end-user database transmitted by the controller.
Unless the controller has given it prior permission, Isograd prohibits the information collected from being disseminated or marketed to third parties during the duration of the contract and after its end.

Retention and Disposal of Data

The data is kept for 5 years; however, the controller may adjust the retention period at their discretion. When Isograd plays the role of controller (when candidates are directly registered by Isograd) for treatment, the retention period is 4 years.

We will dispose of the data upon written request within sixty (60) days of the date of the request, and according to a schedule and procedure agreed between the customer and Isograd where applicable. The disposition of data is complete and extends to all categories of data. The disposition of the data is performed by deletion.

Your Rights as The Owner of The Personal Data

• The right to access your data
• The right to update or correct your data
• The right to object to the use of your data
• The right to restrict the use of your data
• The right to transfer your data to another data controller
• The right to the erasure of your data
• The right to withdraw consent
• The right to non-discrimination related to the exercising of your rights under the GDPR and CCPA
• The right to obtain information about the personal data we have collected from you and sold or disclosed to other subjects, if you are a California resident
• The right to opt-out from sales of your personal information to third parties
• In addition, if you are a California resident, you have the right to request from us to disclose to you the following:
• The categories of personal information we have collected about you
• The categories of sources from which the personal information is collected
• The business or commercial purpose for collecting or selling your personal information
• The categories of third parties with whom we share personal information
• The specific pieces of personal information we have collected about you

You may submit your requests to exercise your right under the GDPR and CCPA by:

• Email: support@isograd.com
• Website: www.tosa.org

Please note that we may ask you to verify your identity before responding to such requests. You have the right to complain to a Data Protection Authority about our collection and use of your personal information. For more information, please contact your local data protection authority.

Students And Children’s Data

We do not knowingly collect personally identifiable information directly from anyone under the age of 18 without parental consent. If you are a parent or guardian and you are aware that your Children have provided us with personal data, please contact us. If we become aware that we have collected personal data from children without verification of parental consent, we will take steps to remove that information from our servers.

We do provide services to educational institutions that enter into agreements with us for their educational purposes, and which might be used by students, including children under 13. In such circumstances, we collect, use, process, and share student data only in accordance with COPPA, FERPA, and any other applicable law. We rely on customers to provide consent for collection of that data on behalf of the parents or legal guardians, as agreed to in advance by Customers, and as permitted by law. We limit the use of student data collected pursuant to the terms of the applicable Customer services agreement and secure such student data as required by law. We do not use student data for any commercial purpose, targeted advertising, profiling, or onward disclosure.

How We Protect Your Personal Information

Technical Infrastructure & Hosting

Isograd’s testing platform, test, items and users’ data are hosted with Amazon Web Services (AWS). The IT infrastructure that AWS provides to its customers is designed and managed in accordance with security best practices and multiple IT security standards.
Here is a non-exhaustive list of standards to which AWS complies:

• SOC 1/ISAE 3402, SOC 2, SOC 3
• FISMA, DIACAP, and FedRAMP
• PCI DSS Level 1
• ISO 9001, ISO 27001, ISO 27017, ISO 27018

Isograd’s platform relies on the following components:

• Multiple front-end servers that deliver web pages.
• Multiple in-application servers on which candidates take in-application questions
• Multiple Thinfinity servers that enable the candidates’ browsers to connect to the in-application servers.
• AWS massively redundant CloudFront Content Delivery Network for static assets and items’ multimedia resources (images, videos, audio files).
• A redundant database hosted by AWS on RDS service.

Isograd’s platform can only be accessed through an encrypted (https) connection.
The database is protected by a Firewall ensuring that only servers located within AWS relevant security groups can access it. The web administration console of the database is hosted on one of Isograd’s servers. Access to the login page of this administration console is filtered by IP addresses, meaning that only requests from a specific list of IPs can access the secured page.
The front-end server is behind a firewall and only a specific list of IP addresses can login into the server. Login is performed using an SSL public/private key system and is not based on passwords.
The AWS administration console is accessed through a password/login console but requires a two steps authentication with a hardware device.
The database is backed up daily. Backups are encrypted and kept for 2 years. Log files (system operations, logs specific to candidate tests) are transferred daily to redundant storage space and are kept for one year

Data Anonymization

Isograd has defined a process for anonymizing identifiable personal data. There are two ways for anonymizing a candidate's data:

• Automatic procedure: after 5 years, the data is automatically anonymized in the database and the candidates' names/first names/emails are replaced by anonymous identifiers. The period of time after which the data is anonymized can be defined by the customers from their accounts.
• Manual procedure: the customer account contains a functionality in the candidate registration menu which allows the anonymization of a candidate’s data who has requested it.

Security Measures

Isograd ensures that all necessary precautions are taken to preserve the security of the personal data transmitted, and to prevent them from being distorted, damaged, or communicated to unauthorized persons.

Those measures include:

Passwords and Employee Access: Isograd secures usernames, passwords, and any other means of gaining access to the services or to data by using multi-factor authentication (MFA). Isograd only provides access to data to employees that are performing the services.

Security Protocols: Isograd maintains security protocols that meet industry best practices in the transfer or transmission of any data. Isograd maintains all data in a secure computer environment and does not copy, reproduce, or transmit data obtained except as necessary to provide the service.

Employee Training: Isograd provides periodic security training to the employees who operate or have access to the system.

Security Technology: Secure Socket Layer (“SSL”) or equivalent technology is utilized to protect data from unauthorized access. The service security measures include server authentication and data encryption. Isograd hosts data in an environment using a firewall that is periodically updated according to industry standards.

Security Coordinator: Isograd’s Data Protection Officer (DPO) can be contacted for any questions concerning the protection of data by email: dpo@isograd.com

Sub processors Bound: Isograd has written agreements with its sub processors that commit to secure and protect data in a manner consistent with Isograd’s practices and industry standards.

Periodic Risk Assessment: Isograd conducts periodic risk assessments and remediates any identified security and privacy vulnerabilities in a timely manner.

Backups: Isograd maintains backup copies of data in case of system failure or any other unforeseen event resulting in loss of data.

The security of your personal information also depends on your protection of your user account. Please use a unique and strong password and keep your login credentials secret. Also, be sure to log out after having used our services from a shared computer.

Changes To This Privacy Policy

From time to time, we may update this Privacy Policy. If we make material changes to this policy, including the addition of new third parties with whom we may share your personal data with, we will notify you on our website, by a blog post, by email, or by any method we determine. Your continued use of this website or our service and/or continued provision of information to us will be subject to the terms of the then-current Privacy Policy.