Policies for the Surpass Platform and related services

Privacy Policy for the Surpass Platform and related services

Last updated 14 December 2023.

We are Surpass Assessment. This privacy policy applies to Surpass Assessment companies, namely Surpass Assessment Inc of 224 Valley Creek Boulevard, Suite 210, Exton, PA, 19341, USA and BTL Group Limited (trading as Surpass Assessment) of Salts Mill, Victoria Road, Saltaire, West Yorkshire, BD18 3LF, United Kingdom. We have created this privacy policy in order to demonstrate our commitment to customer privacy and the protection of personal data.

The definitions of “controller”, “processor”, “data subject”, “personal data”, “processing” and “process” used in this policy have the meanings given to them in Regulation 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation).

Surpass Assessment is both a controller and processor of personal data in different circumstances. Where we are a controller or a processor, we keep records of our processing as required by Article 30 of the General Data Protection Regulation.

This policy is about personal data that is held in the Surpass Platform, our e-assessment service, in relation to which we are a data processor on behalf of our Surpass Platform customers. Our customer (with whom our customer contract is with), or the relevant organization in the customer’s supply chain, determines the purpose and means of the processing and is the data controller. The contract with our customer sets out the instructions to process your (candidate’s and customer admin staffs’) personal data. Our customers comprise of awarding organisations, test publishers, institutions and national government bodies.

The legal basis of our processing of personal data as part of our Surpass service depends on our customers’ (as data controllers’) legal basis of processing and may be any one of the following:

• the data subject has given consent to the processing of his/her personal data for one or more specific purposes (and our customer relying on this basis receives this consent) (e.g. Article 6(a) of the General Data Protection Regulation); or
• processing is necessary for the performance of a contract to which the data subject is subject (and our customer relying on this basis has a contract between it and the data subject) (e.g. Article 6(b) of the General Data Protection Regulation); or
• processing is necessary for compliance with a legal obligation to which the controller is subject (and our customer relying on this basis has a legal obligation which justifies the processing of the data) (e.g. Article 6(c) of the General Data Protection Regulation).

The purposes of Surpass Assessment’s processing, in relation to the provision of its Surpass service, are:

• providing software that Surpass Platform customers populate with details of candidates who are taking a test or examination authored, scheduled and marked by the Surpass Platform customer
• providing a software system which candidates can use to take a test or examination
• providing support services related to Surpass software and investigating failures/trouble shooting related to Surpass software
• storage of candidate personal data, results, examination scripts and examiner feedback (populated and controlled by the Surpass Platform customer)
• deletion (on customer request and in accordance with customer communicated data retention dates) of candidate personal data, results, examination scripts and examination feedback.

To carry out its Surpass service, Surpass Assessment processes the following categories of personal data of the following data subjects:

• Surpass Platform release 11 – name, date of birth, customer reference number, gender, ethnic origin, address, email, telephone number, expiry date (a date setting to queue the candidate for possible deletion) and reasonable adjustments (a yes/no tick box) (all in relation to test or examination candidates)
• Surpass Platform release 12 – name, date of birth, customer reference number, gender, email, telephone number, date created (a setting to understand when the candidate entry is first entered), expiry date and “retired” functionality (date settings to queue the candidate for possible deletion), reasonable adjustments (a yes/no tick box) and a free text box to populate any other information that a customer wishes to insert (all in relation to test or examination candidates)
• Surpass Platform – all releases – anonymous information that we collect through our user interface is what country a candidate is in when he/she takes a test or examination, and what customer instance of Surpass the candidate is using when he/she takes a test or examination
• Customer administrators (who are typically employees, contractors or consultants of our Surpass Platform customers) – name and email address. Surpass Platform customers nominate and populate in Surpass the names and email addresses of their administrators.

Surpass Platform customers populate all of the above data categories, such that the personal data held by Surpass Assessment through the Surpass service is different for each of our customers depending on the data categories a customer chooses to populate. The collection and use of candidate personal data and its transmission to Surpass Assessment are subject to a customer’s own privacy policy. Customers decide solely what candidate personal data they ask for and collect. Students and candidates taking examinations and parents of pupils cannot create a Surpass Platform account by themselves; our customers create those for you. We require all of our customers to comply with all privacy and data protection laws applicable to the personal data being processed, including where applicable the General Data Protection Regulation (Regulation (EU 2016/6 79)(“GDPR”), when using Surpass Assessment’s services. The collection, use and further disclosure of candidate’s personal data by our customers is subject to our customers’ own privacy policies, for which Surpass Assessment is not responsible and which may be different from this privacy policy. Customers decide solely what candidate personal data they ask for and collect and populate in the Surpass Platform. Candidates (including pupils and parents of pupils) should raise any questions about this with our customer (which is your certification/licensure/awarding body, or school) directly.

We do not sell any personal data populated in Surpass service, or our customer’s content. We do not own the content (exam items etc) that our customers populate in the Surpass Platform.

Where Surpass Assessment’s customers store personal data within our Surpass service, the customer is the data controller and determines and is responsible for the length of time during which personal data is retained. Surpass Assessment acts in accordance with the data controller’s instructions.

In using Surpass Assessment’s Scheduler (online test scheduling platform powered by a third party), test taker / candidate personal data processed by Scheduler is used to correctly identify test takers/candidates for test and room/venue booking requests on behalf of our customers (who are the data controllers). Personal data of Surpass Assessment customer administrators and Surpass Assessment supplier administrators who use Scheduler is used to correctly allocate the right level of access rights to Scheduler and in both cases, such personal data is treated the same way as the test taker’s personal data. Deletion of test taker/candidate personal data is upon Surpass Assessment customer request and in accordance with our customer’s data retention dates.

For the purposes of Scheduler, personal data that is processed includes:

• Candidates: First name, Surname, Email address, date of birth and gender (optional). This personal data is collected by our customer for the purposes of the Surpass Platform and is used also for the purposes of providing the online test scheduling service on behalf of our customer (who are data controllers). For the purposes of test taker queries regarding Scheduler bookings: name, email address, exam name, candidate reference number, where test taker taking the test, description of the issue experienced (personal data relating to booking queries is deleted on a rolling 90 day cycle).
• Surpass Assessment customer administrators (who are typically employees, contractors or consultants of Surpass Assessment customers): First name, Surname and email address.
• Surpass Assessment test centre supplier administrators (who are typically employees of Surpass Assessment test centre suppliers): First name, Surname and email address.

In using Surpass Assessment’s Test Delivery Services Portal (TDS Portal), Customer staff, Test Centre staff and test taker / candidate personal data is processed by Surpass Assessment for the purposes of facilitating a ‘one stop’ source of information for i) Customers to locate the test centres chosen for their exam delivery and the relevant test centre profile information and guidelines, and ii) Test centre staff to locate information for the specific customer exams they support and submit relevant forms relating to the invigilation sessions, and exams/tests, and iii) Surpass Assessment staff for general administration and exam management, on behalf of our customers (who invariably are the data controllers). Personal data of Surpass Assessment customer administrators and Surpass Assessment supplier administrators (invigilators) who use TDS Portal is used to correctly allocate the right level of access rights to the TDS Portal and in both cases, such personal data is treated the same way as the test taker’s personal data. Deletion of test taker/candidate personal data is upon Surpass Assessment customer request and in accordance with our customer’s data retention dates (unless otherwise specified below).

For the purposes of TDS Portal (hosted in the UK), personal data that is processed includes:

• Candidates: candidate reference number, candidate initials, exam name, exam date, invigilator names and email addresses (invigilators will have access to the portal under their centre membership), attendance registers that include candidates’ names and date of birth. This personal data is collected by the centre invigilator for the purposes of providing the venue and invigilation services on behalf of our customer (who are data controllers). Personal data is stored for one (1) year after which it will be deleted.
• Surpass Assessment customer administrators (who are typically employees, contractors or consultants of Surpass Assessment customers): First name, Surname and work email address.
• Surpass Assessment test centre supplier administrators (who are typically employees of Surpass Assessment test centre suppliers): First name, Surname and work email address.

Your personal data processed is not shared with third parties except where Surpass Assessment (or Surpass Assessment licensors) use third-party services in order to provide the online test scheduling service – our third-party service providers are contractually prohibited from using any personal data for any purpose other than to provide the part of the online test scheduling service for which Surpass Assessment has specifically contracted them to deliver service.

In terms of security of operations and data processing, Surpass Assessment has ISO27001 certification. Our Surpass service is General Data Protection Regulation compliant and we welcome customer audits.

The Surpass Service has security measures in place to help protect against the loss, misuse or alteration of personal data under our control. When our Surpass service is accessed using the stated versions of web browsers which meet our minimum system requirements, Secure Socket Layer (SSL) technology protects information using both server authentication and data encryption to help ensure that personal data is safe, secure and available only to the named Surpass Platform customer. Surpass Assessment also provides unique user names and passwords that must be entered each time a Surpass Platform customer logs on. These safeguards help to prevent unauthorised access, maintain data accuracy and ensure the appropriate access to and use of personal data.

We do not share any data about you in the Surpass Platform with third parties except in the limited circumstances detailed below:

• We use third-party services in order to operate Surpass service, including Surpass Assessment group companies and other third-party providers who provide services to us – for example the hosting services of Microsoft Ireland Operations Limited and Rackspace UK Limited, in certain circumstances. In terms of security of operations and data processing, Microsoft and Rackspace have ISO27001 certification. Our third-party service providers are contractually prohibited from using any personal data for any purpose other than to provide the part of the Surpass Service that Surpass Assessment has specifically contracted them to deliver. A list of the third-party services that obtain personally identifiable information we currently use can be found here.
• In response to a court order, sub poena or legal process, to the extent permitted and required by law;
• Surpass Assessment may disclose student/candidate personal data in the Surpass Platform to our customer (ie the certification / licensure body for which the candidate is sitting an examination/test), upon request from the customer;
• To child’s school or school district upon request, as required by the local laws e.g. FERPA.

The Surpass Platform is constantly improving and we use aggregate data about how the Surpass Platform is used to inform those decisions. To help us analyse this data, we use a small number of third-party services (such as Google Analytics and Google Tag Manager). In no circumstances are any data you have shared with the Surpass Platform shared with these services. In addition, these services are contractually obligated only to use data about your usage of Surpass to provide analytics services to us and are prohibited from sharing it or using it for other purposes.

If our customer asks Surpass Assessment to provide additional services, like online proctoring or record and review proctoring, then at the choice of and as instructed by our customer, further information will be recorded. Please see privacy policies for Surpass Assessment’s other services on the surpass.com website.

Where an individual who works for one of our customers signs up to receive newsletters about Surpass Assessment products and related events, please refer to the Marketing Privacy Policy for a description of how we use contact information collected for this purpose.

Personal data / personally identifiable information relation to children, and parental consent

In limited circumstances, our customer may contract with us to provide examinations to candidates who are under age when they can grant consent on their own. In such circumstances, we process personal data from children where that child’s school or school district or other applicable body has contracted with us to process the personal data from children for the educational context authorized by the school or school district or other applicable body.

We require that our customers obtain parental consent before using the Surpass Platform with children. Parents or guardians can withdraw consent for the further collection of their child’s information at any time.

Surpass Platform and FERPA

Data collected by the Surpass Platform may include personally identifiable information from education records that are subject to the Family Educational Rights and Privacy Act, “FERPA”, (“FERPA Records”).  To the extent that collected Surpass Platform data includes FERPA Records, our customers designate the Surpass Platform as a “School Official” (as that term is used in FERPA and its implementing regulations) under the direct control of the school with regard to the use and maintenance of the FERPA Records.

Retention of personal data

Where our customers store personal data within our service, our customer is the data controller and determines and is responsible for the length of time during which personal data is retained. Surpass Assessment acts in accordance with the data controller’s (our customer) instructions and may not retain personal data contrary to these instructions.

How to view, correct, edit, port, or update your personal data

Candidates and admin users have, or if you are a child your parent/guardian has, the right to access, correct, edit, or delete any of your personal data populated in the Surpass Platform. For any such requests, please work directly with your awarding organisation/test sponsor (our customer), or you can contact us at privacy@surpass.com.

Surpass Assessment’s EU Representative for GDPR and NIS Directive

Our appointed representative in the EEA is:

Fieldfisher
1079 LK Amsterdam
Netherlands

Telephone: +31 20 2252200

www.fieldfisher.com

Surpass Platform Cookie Policy

Last updated 28 November 2022.

We are Surpass Assessment. Depending on where you are, your Surpass Assessment company contact is Surpass Assessment Inc of 224 Valley Creek Boulevard, Suite 210, Exton, PA, 19341, USA, or BTL Group Limited (trading as Surpass Assessment) of Salts Mill, Victoria Road, Saltaire, West Yorkshire, BD18 3LF, United Kingdom. This cookie policy describes the cookies that are used by and contained in the Surpass Service.

Surpass Assessment reserves the right to change this policy from time to time (including without limit details of the cookies used). Where Surpass Assessment chooses to include more or different cookies in the future, Surpass Assessment will ask Surpass Platform users to click on an updated cookies consent box that refers to updated information in this cookies policy.

Information about our use of cookies

A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive.

Cookies can expire at the end of a browser session (from when a user opens the browser window to when they exit the browser) or they can be stored for longer.

Cookies help us to provide you with a good experience when you browse the Surpass Platform and also allow us to improve the features and functions of the Surpass Platform.

By clicking on the cookie consent box in the Surpass Platform, you are agreeing to our use of cookies and this cookie policy.

Types of cookies

We may use the following types of cookies:

• Session cookies. These are cookies that allow the Surpass Platform to link user actions during a browser session. We may use these for a variety of purposes such as remembering usernames and passwords to move between different functional sections of the Surpass Platform. Session cookies expire after a browser session and are not stored long term.
• Persistent cookies. These are cookies that are stored on a user’s device between browser sessions and which remember the preferences or actions of the user across different sections of the Surpass Platform. These may be used to remember usernames and passwords.
• Strictly necessary/essential cookies. These are cookies that are required for the operation of the Surpass Platform. They include, for example, cookies that enable you to log in to secure areas of the Surpass Platform.
• Analytical/performance cookies. These allow us to recognise and count the number of visitors and to see how visitors move around the Surpass Platform when they are using it. This helps us to improve the features and functions within the Surpass Platform, for example, by ensuring that users are finding what they are looking for easily or that features and functions are designed to be intuitive. All information that these cookies collect is aggregated and therefore anonymous.
• Functionality cookies. These are used to recognise you when you return to the Surpass Platform. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region) and therefore provide enhanced, more personal features.

First party and third party cookie use

The further information section below identifies first party cookies (cookies used by Surpass Assessment) and third party cookies (that is, other organisation’s cookies) used in connection with the Surpass Service.

Disabling cookies

Generally cookies will make your browsing experience better.

However, you may prefer to disable cookies. The most effective way to do this is to disable cookies in your browser. We suggest consulting the Help section of your browser or taking a look at the About Cookies website which offers guidance for all modern browsers.

If you block all cookies (including essential cookies) in your browser settings you may not be able to use all of the features and functions of the Surpass Platform, or access certain sections of the Surpass Platform.

Further information

You can find more information about the individual cookies we use and the purposes for which we use them in the table below:

Cookie	Description and Purpose	Session or Persistent	First/Third Party
.ASPXAUTH	ASP.NET cookie to identify if the user is authenticated.	60 minute timeout	First Party
.ASPXAUTH_ItemAuthoring	ASP.NET cookie to identify if the user is authenticated.	60 minute timeout	First Party
__RequestVerificationToken	ASP.NET AntiForgeryToken.	Session	First Party
__RequestVerificationToken_L2F1dGhvcmluZw2	ASP.NET AntiForgeryToken.	Session	First Party
administration_SessionExpires	If this cookie is expired the Surpass Platform shows Login popup.	60 minute timeout	First Party
ASP.NET Auth/RequestVerificationToken	This cookie is a session identifier.	Session	First Party
ASP.NET_ItemAuthoring_SessionId	ASP.NET cookie which is used to identify the users session on the server.	Session	First Party
ASP.NET_SessionId	ASP.NET cookie which is used to identify the users session on the server.	Session	First Party
authoring_SessionExpires	If this cookie is expired the Surpass Platform shows Login popup.	60 minute timeout	First Party
dontShowAgainConfirm_{confirmation_dialog_name}	This cookie allows the user to stop being informed of a new feature.	Persistent for 100 years	First Party
dontShowAgainConfirm_{popup_name}	Don’t show this popup again checkbox.	Persistent for 100 years	First Party
dontShowRefWarning_{warning_name}	Don’t show this warning again checkbox.	Persistent for 100 years	First Party
fileDownload	Fix for download control. The cookie indicates if a file download has occurred.	Very short	First Party
Google Analytics (_utma, _utmb,_utmc, _utmz, _ga,_gat)	These cookies are used to collect information about how visitors use the Surpass Platform. We use the information to compile reports about the use of the Surpass Platform, and to help us improve the service. The cookies collect information in an anonymous form, including the number of visitors to the administrative areas of the Surpass Platform and the interactions that visitors have with the features and functions of the Surpass Platform.	Persistent For Surpass Service this is persistent for up to 2 years	Third Party
ItemAuthoring_IntegrationMode	This cookie is used to denote that the application is running as part of the Surpass Service.	Session	First Party
SurpassUserLanguage	This cookie stores the selected language for the current user (e.g. en-GB).	Persistent for 1 year	First Party
SurpassUserName	Current User Name.	Persistent for 1 year	First Party
uvts and another cookies from UserVoice	This cookie stores the UserVoice session.	Session and persistent for up to 2 years	Third Party
osc_auth	Handle authentication across all Optime products.	Cleared when the user logs out of the application.	Third Party
.AspNetCore.Antiforgery	Security to prevent against common web app attacks.	Cleared when the user logs out of the application.	Third Party
homeTools	Remember if the scheduling tools panel is opened or closed when reloading the timetables page.	Cleared when the user logs out of the application.	Third Party
pinnedSidePanel	Remember which navigation side panel is pinned on page reloads.	Cleared when the user logs out of the application.	Third Party
download_timetable_config	Remember configuration preferences for downloading timetables.	Cleared when the user logs out of the application.	Third Party
schedulerConfig	Remember auto-scheduler configuration preferences.	Cleared when the user logs out of the application.	Third Party
hideScheduleAlert	Remember if the auto-scheduler alert has been hidden (opt never to show again).	Cleared when the user logs out of the application.	Third Party
*.bs.table.*	Remember sort and filter options for data management tables.	Cleared when the user logs out of the application.	Third Party