Policies for the Surpass Platform and related services
These policies may apply to users of the Surpass Platform or related services, including Scheduler or the Test Delivery Services Portal.
Privacy Policy for Surpass Services
Last reviewed 20 March 2026.
This privacy notice explains how Surpass Assessment processes personal data when providing services. It is primarily relevant to:
- Test takers and learners taking exams using Surpass.
- Employees, contractors, or consultants of Surpass customers.
- Employees, contractors, or consultants of Surpass test centre suppliers.
When providing services, Surpass Assessment acts as a data processor, processing personal data on behalf of its customers, who act as data controllers.
Who we are
We are Surpass Assessment. This privacy policy applies to Surpass Assessment companies, namely Surpass Assessment Inc of 2 W Market Street, West Chester, PA, 19382, USA and BTL Group Limited (trading as Surpass Assessment) of Salts Mill, Victoria Road, Saltaire, West Yorkshire, BD18 3LF, United Kingdom. We have created this privacy policy in order to demonstrate our commitment to customer privacy and the protection of personal data.
Legal basis
We process personal data under the following grounds:
- Consent – when you explicitly provide permission to our customer who is the data controller;
- Contractual Obligation – when data processing is necessary to deliver a service under a contract;
- Legal Compliance – when required by applicable law or regulation; and
- Legitimate Interest – examples include (but are not limited to) processing personal data for internal administrative purposes and to ensure the security of our network and systems.
What personal data we process and how long we keep it
We collect and process the personal data described below in the course of our business and providing our services.
Surpass Platform
| Category | Description |
| Service | Surpass Platform |
| Data subjects | Test Takers; customer administrators |
| Categories of personal data | User Data inputted by customer: first name; last name; user name; email address; job title (optional); default language (optional); system access and interaction logging.
Test taker data inputted by the Customer: first name; middle name (optional); last name; gender (optional); dob; email address (optional); telephone number (optional); reasonable adjustments (optional). Candidate data inputted by the Test Taker: Exam question responses. Candidate data automatically collected or calculated by the Surpass system: IP address; computer specification details; exam interaction tracking; exam name; exam scores/results.
|
| Purpose of processing | To deliver computerbased exams and assessments; manage candidate accounts; record assessment results and examiner feedback; provide customer support; and delete data in accordance with customer instructions. |
| Retention | Personal data is retained in accordance with customerdefined retention periods and deletion instructions. |
Online Proctoring
Test takers may be monitored during an exam session using technologies such as webcam and microphone monitoring and session recording.
| Category | Description |
| Service | Online Proctoring |
| Data subjects | Test Takers |
| Categories of personal data | Identity and exam session data: name and email address (as provided by the customer), exam details, awarding organisation or test sponsor information. Monitoring and verification data: facial image (photo) and, where required by the customer, images of identity documents (e.g. governmentissued ID). Exam session recordings and evidence: audio and video recordings or streams from the exam session (for example, webcam and microphone), and screenshots or screen captures taken during the session. Device and technical data: IP address, browser and operating system identifiers, and technical session data relating to device and connection performance. |
| Purpose of processing | To support identity verification, remote observation and invigilation, exam integrity and security, incident review and resolution, and fraud prevention, in accordance with customer instructions. |
| Retention | Personal data is retained in accordance with customerdefined retention periods and deletion instructions. |
Scheduler
| Category | Description |
| Service | Scheduler |
| Data subjects | Test Takers; customer administrators; test centre administrators |
| Categories of personal data | Test Takers: first name, surname, candidate reference number, email address, date of birth, gender (optional).
Booking queries: name, email address, exam name, candidate reference number, test location, description of booking issue. Administrators: first name, surname, email address. |
| Purpose of processing | To identify Test Takers correctly; enable exam scheduling and venue booking; manage booking queries; and allocate access rights to administrators.
Customer admin process to book or cancel candidate bookings |
| Retention | Bookingquery personal data is deleted on a rolling 90day cycle. Other data is retained in line with customer instructions.
Candidate emails received into the dedicated Scheduler inbox deleted annually at a minimum. |
Test Delivery Services Portal
| Category | Description |
| Service | Test Delivery Services Portal (TDS Portal) |
| Data subjects | Test Takers; customer administrators; test centre staff / invigilators |
| Categories of personal data | Test Takers: candidate reference number, initials, exam name, exam date; attendance registers containing names and dates of birth.
Administrators / invigilators: first name, surname, work email address. |
| Purpose of processing | To support exam delivery operations; enable test centre coordination and invigilation; and support exam management activities. |
| Retention | Personal data is retained on a rolling 30-day cycle.
Other data is retained in accordance with customer instructions. |
Who we share your personal data with
Surpass Assessment does not share personal data processed through its services with third parties, except in the limited circumstances described below. We do not sell personal data to third parties.
Subprocessors
We use thirdparty service providers (including Surpass Assessment group companies) to help us operate and support the Surpass services. These providers act as subprocessors and process personal data only on our instructions and for the purpose of providing services to us.
Read our list of our current subprocessors here.
We require all subprocessors to protect personal data appropriately and to use it only to provide services to Surpass Assessment.
Legal Disclosures
We may disclose personal data where required or permitted by law, including:
- in response to a court order, subpoena or other legal process;
- to our customer (such as the relevant awarding organisation or test sponsor), at the customer’s request;
- to a child’s school or school district, where required by applicable laws (for example, FERPA).
Cookies
We use analytics tools (such as Google Analytics and Google Tag Manager) to understand how our website and services are used. These tools receive usage data. Read more information in our Cookie Policy here.
We do not share candidate exam content or identifiable candidate personal data from the Surpass Platform with these analytics tools.
International transfers
Our services are available worldwide. In the course of providing our services, we will likely need to transfer personal data to locations outside the jurisdiction in which you provide it. Regardless of the location of our processing, we will impose the same data protection safeguards and implement appropriate measures to ensure that your personal data is protected in accordance with applicable data protection laws. Where a third party service provider processes personal data on our behalf, we will ensure that appropriate measures are in place to ensure an adequate level of protection for the personal data.
You can request more information about these safeguards by contacting us at privacy@surpass.com.
Security measures
Surpass Assessment maintains appropriate technical and organisational measures designed to protect personal data, including access controls, encryption in transit, and security monitoring. Surpass Assessment is ISO 27001 certified.
Your rights
Your access to your personal data
Test takers and admin users have, or if you are a child your parent/guardian has, the right to access, correct, edit, or delete any of your personal data processed by Surpass Assessment. For any such requests, please work directly with your awarding organisation/test sponsor (our customer), or you can contact us at privacy@surpass.com.
Your rights
Depending on your circumstances and applicable law, you may have the right to:
- Access your personal data (also known as the “right to know”)
- Rectify inaccurate personal data
- Erase personal data (in certain cases)
- Restrict processing (in certain cases)
- Object to processing (in certain cases)
- Data portability (in certain cases)
- Not be subject to automated decision making – we do not carry out automated decisionmaking or profiling that produces legal effects or similarly significant effects
- Lodge a complaint with the relevant supervisory authority and/or with us directly
You may exercise these rights by contacting your awarding organisation/test sponsor (our customer), or you can contact us at privacy@surpass.com.
Children
Surpass Assessment may process personal data relating to children where our customers (such as schools, awarding organisations or other education bodies) use the Surpass Platform to deliver exams or assessments. Children’s personal data is processed only on the customer’s documented instructions. The customer is responsible for providing appropriate privacy information and obtaining any required parental or guardian consent under applicable laws.
Parents or guardians who wish to exercise rights or raise questions about the processing of a child’s personal data should contact the relevant school or awarding organisation in the first instance.
Where applicable, personal data processed in the Surpass Platform may include education records subject to the United States Family Educational Rights and Privacy Act (FERPA). In those circumstances, our customers may designate Surpass Assessment as a “school official” under FERPA, acting under the direct control of the school with respect to the use and maintenance of those records.
EU representative
Surpass Assessment’s EU Appointed Representative for GDPR and NIS Directive
Fieldfisher
1079 LK Amsterdam
Netherlands
Telephone: +31 20 2252200
Changes to this notice
We may update this notice from time to time. The ‘last updated’ date at the top of this page indicates when it was most recently revised.
Surpass Platform Cookie Policy
Last updated 6 June 2025.
We are Surpass Assessment. Depending on where you are, your Surpass Assessment company contact is Surpass Assessment Inc of 2 W Market Street, West Chester, PA, 19382, USA, or BTL Group Limited (trading as Surpass Assessment) of Salts Mill, Victoria Road, Saltaire, West Yorkshire, BD18 3LF, United Kingdom. This cookie policy describes the cookies that are used by and contained in the Surpass Service.
Surpass Assessment reserves the right to change this policy from time to time (including without limit details of the cookies used). Where Surpass Assessment chooses to include more or different cookies in the future, Surpass Assessment will ask Surpass Platform users to click on an updated cookies consent box that refers to updated information in this cookies policy.
Information about our use of cookies
A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive.
Cookies can expire at the end of a browser session (from when a user opens the browser window to when they exit the browser) or they can be stored for longer.
Cookies help us to provide you with a good experience when you browse the Surpass Platform and also allow us to improve the features and functions of the Surpass Platform.
By clicking on the cookie consent box in the Surpass Platform, you are agreeing to our use of cookies and this cookie policy.
Types of cookies
We may use the following types of cookies:
- Session cookies. These are cookies that allow the Surpass Platform to link user actions during a browser session. We may use these for a variety of purposes such as remembering usernames and passwords to move between different functional sections of the Surpass Platform. Session cookies expire after a browser session and are not stored long term.
- Persistent cookies. These are cookies that are stored on a user’s device between browser sessions and which remember the preferences or actions of the user across different sections of the Surpass Platform. These may be used to remember usernames and passwords.
- Strictly necessary/essential cookies. These are cookies that are required for the operation of the Surpass Platform. They include, for example, cookies that enable you to log in to secure areas of the Surpass Platform.
- Analytical/performance cookies. These allow us to recognise and count the number of visitors and to see how visitors move around the Surpass Platform when they are using it. This helps us to improve the features and functions within the Surpass Platform, for example, by ensuring that users are finding what they are looking for easily or that features and functions are designed to be intuitive. All information that these cookies collect is aggregated and therefore anonymous.
- Functionality cookies. These are used to recognise you when you return to the Surpass Platform. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region) and therefore provide enhanced, more personal features.
First party and third party cookie use
The further information section below identifies first party cookies (cookies used by Surpass Assessment) and third party cookies (that is, other organisation’s cookies) used in connection with the Surpass Service.
Disabling cookies
Generally cookies will make your browsing experience better.
However, you may prefer to disable cookies. The most effective way to do this is to disable cookies in your browser. We suggest consulting the Help section of your browser or taking a look at the About Cookies website which offers guidance for all modern browsers.
If you block all cookies (including essential cookies) in your browser settings you may not be able to use all of the features and functions of the Surpass Platform, or access certain sections of the Surpass Platform.
Further information
You can find more information about the individual cookies we use and the purposes for which we use them in the table below:
| Cookie | Description and Purpose | Session or Persistent | First/Third Party |
|---|---|---|---|
| *.bs.table.* | Remember sort and filter options for data management tables. | Cleared when the user logs out of the application | Third Party |
| .AspNetCore.Antiforgery | Security to prevent against common web app attacks. | Cleared when the user logs out of the application. | Third Party |
| .ASPXAUTH | ASP.NET cookie to identify if the user is authenticated. | 60 Minutes | First Party |
| .ASPXAUTH_ItemAuthoring | ASP.NET cookie to identify if the user is authenticated. | 60 Minutes | First Party |
| __RequestVerificationToken | ASP.NET AntiForgeryToken. | Session | First Party |
| administration_SessionExpires | If this cookie is expired the Surpass Platform shows Login popup. | 60 minute timeout | First Party |
| ApplicationGatewayAffinity | Cookie added by Azure application gateway to maintain session affinity | Duration of a browser session | Third Party |
| ApplicationGatewayAffinityCORS | Cookie added by Azure application gateway to maintain session affinity | Duration of a browser session | Third Party |
| ASP.NET_ItemAuthoring_SessionId | ASP.NET cookie which is used to identify the users session on the server. | Session | First Party |
| ASP.NET_SessionId | ASP.NET cookie which is used to identify the users session on the server. | Session | First Party |
| authoring_SessionExpires | If this cookie is expired the Surpass Platform shows Login popup. | 60 minute timeout | First Party |
| ckCsrfToken | Cookie to store Ckeditor Token | Cleared when the user logs out of the application. | Third Party |
| dontShowAgainConfirm_{confirmation_dialog_name} | This cookie allows the user to stop being informed of a new feature. | 100 years | First Party |
| dontShowAgainConfirm_{popup_name} | Don’t show this popup again checkbox. | 100 years | First Party |
| dontShowRefWarning_{warning_name} | Don’t show this warning again checkbox. | 100 years | First Party |
| download_timetable_config | Remember configuration preferences for downloading timetables. | Cleared when the user logs out of the application. | Third Party |
| filedownload | to indicate if a file download has occured | Session Cookie | Third Party |
| Google Analytics (_utma, _utmb,_utmc, _utmz, _ga,_gat,_gid) |
These cookies are used to collect information about how visitors use the Surpass Platform. We use the information to compile reports about the use of the Surpass Platform, and to help us improve the service. The cookies collect information in an anonymous form, including the number of visitors to the administrative areas of the Surpass Platform and the interactions that visitors have with the features and functions of the Surpass Platform. |
Persistent For Surpass Service this is persistent for up to 2 years |
Third Party |
| hideScheduleAlert | Remember if the auto-scheduler alert has been hidden (opt never to show again). | Cleared when the user logs out of the application. | Third Party |
| homeTools | Remember if the scheduling tools panel is opened or closed when reloading the timetables page. | Cleared when the user logs out of the application. | Third Party |
| ItemAuthoring_IntegrationMode | This cookie is used to denote that the application is running as part of the Surpass Service. | Session | First Party |
| jstree_load | Used by JSTree plugin | Session | Third Party |
| jstree_open | Used by JSTree plugin | Session | Third Party |
| jstree_select | Used by JSTree plugin | Session | Third Party |
| MFAUserCookie_* | Use to store user info for MFA | 30 days | First Party |
| NewlyCreatedLanguageVariant | If new language varient is created | 1 day | First Party |
| osc_auth | Handle authentication across all Optime products. | Cleared when the user logs out of the application. | Third Party |
| pinnedSidePanel | Remember if side panel is pinned. | Cleared when the user logs out of the application | First Party |
| RedirectSSOURL | Redirect URL for SingleSignOn | Session | Third Party |
| schedulerConfig | Remember auto-scheduler configuration preferences. | Cleared when the user logs out of the application. | Third Party |
| SurpassUserLanguage | Cookie to store user language | 365 days | First Party |
| userInfo | Use to store user info for MFA | 10 mins | First Party |
| uvts and another cookies from UserVoice | This cookie stores the UserVoice session. | Session and persistent for up to 2 years | Third Party |
For more information, and if you need to access any previous versions of these terms and policies, please contact legal@surpass.com.
