1. Overview
The General Data Protection Regulation (GDPR) sets a high standard for data protection. The Exam
Factory is fully committed to compliance and to helping our customers (Schools) comply with their
obligations.
2. Data Roles
In the context of the GDPR:
- Data Controller: The School is the Data Controller. You decide what student
data is uploaded and how it is used.
- Data Processor: The Exam Factory is the Data Processor. We process the data
solely on your behalf to provide the exam management service.
3. Data Processing Agreement (DPA)
By using our service, you agree to our standard processing terms, which include:
- Processing data only on documented instructions from the controller.
- Ensuring persons authorized to process data have committed to confidentiality.
- Implementing appropriate technical and organizational measures to ensure security.
4. Sub-processors
We engage the following third-party sub-processors to support our service:
- Google Firebase (Google Cloud Platform): For secure cloud hosting, database
storage, and authentication. Data is stored in data centers with high-level security
certifications (ISO 27001, SOC 2).
5. Data Subject Rights
We provide tools to help you fulfill data subject requests:
- Right of Access: You can view all data for a student within their profile.
- Right to Rectification: You can edit any student or exam record directly.
- Right to Erasure: You can delete student records or entire exam sessions
permanently.
- Right to Portability: You can export your full dataset as a JSON file at any
time.
6. Security Measures
We implement robust security measures to protect data:
- Encryption of data in transit (HTTPS) and at rest.
- Role-based access controls.
- Regular security reviews of our codebase and infrastructure.
7. Contact DPO
For data protection inquiries, please contact our Data Protection Officer at:
- Email: info@theexamfactory.com